Hi,

> Basically, there are two issues in the release tarball:
> 1. We are using a customized Rust's standard library and include
> modified sources and other upstream code in our codebase.
> 2. We also include code of OP-TEE libraries as our vendored
> third-party libraries.
>
> These two codebases are from other parties and indeed difficult to review.

And it looks like they also contain things that are not compatible with the Apache license. Category B is OK to depend upon, but you can't have a non-optional Category X dependency (e.g. something GPL or LGPL licensed).

> We are releasing in this way to make sure all dependencies are
> self-contained. Of course, instead of including third-party sources,
> we can just include patches and download all dependencies during the
> build time. What do you think?

That would certainly make it easier to review, but you would still need to solve the GPL/GPL dependency issue.

Note that these issues don't have to be sorted right away, with the correct information in LICENSE and the WIP DISCLAIMER you could make a release. They would need to be corrected before graduation.

Kind Regards,
Justin