License update 2020 #164

Merged
merged 5 commits into from
Jul 22, 2020

@ahgittin ahgittin commented Jun 2, 2020

This PR changes what we put into LICENSE and NOTICE files, and a new DEPENDENCIES file:

  • Adds a non-statutory DEPENDENCIES file included alongside the source dist NOTICE files advising what binary dependencies will be included in the built artifact. This file contains what was formerly in the source dist NOTICE files. This makes it easy for users to analyse the full set of dependencies of Apache Brooklyn without conferring the undue legal burden entailed by including this information in any of the statutory NOTICE files.

  • Our source dist and JAR NOTICE files (in the root of projects, in JARs and in the source dist artifact) previously for convenience reported the binary dependencies pulled in. These were clearly labelled as such but nevertheless contrary to the philosophy that NOTICE files should contain only what is legally required. These NOTICES have been fixed so that they only list third-party artifacts actually included in our source. Consequently they are much, much smaller.

  • Our binary dist NOTICE files (in binary TGZs, RPMs, WARs and all other binary artifacts) list all runtime dependencies included in the binary dist where a custom notice, attribution, and/or license for that dependency is appropriate. Where there is doubt about any such obligation we have erred on the side of inclusion. The format of these is unchanged.

In addition the commands to generate licenses are changed slightly:

  • Some dependencies were overlooked in some reports where the "karaf" project did not depend on the bundles it incorporates; this is remedied, and the license/notice generation only applies to that relevant project (and license-gen runs faster by only running on that project) -- thus many of the poms, especially for karaf/features, have been expanded to include the dependencies used by the feature.xml, so that maven dependencies are accurate

  • Some libraries have been updated or added recently and use the new licenses EPL v2 and EDL v1 which were not previously recognised

  • Some icons had been added from Apache projects and elsewhere, with no NOTICE; this is remedied

Previously there were a couple places where Category-X [2] licenses were used:

  • net.java.dev.jna - this is dual-licensed under LGPL and ASL; the NOTICE incorrectly stated it was being used under the former; it now correctly states it is being used under the latter

  • com.google.code.findbugs.annotations - Apache Brooklyn does not use nor depend on this LGPL project. It is a compile-time-only dependency of libraries we use, but not accurately reported in those libraries as compile-time-only dependencies and so was picked up as a transient dependency of Apache Brooklyn. Our maven POMs now explicitly exclude this so it is no longer treated as a dependency, not included in our binary dist, and not noted in NOTICE.

  • com.github.fge dependencies of REST-easy used in the server-cli; these are bumped to a version which allows ASL licensing (even though we did not create a binary for this so this is not strictly required)

Note this PR will produce incomplete results unless other PRs to follow in other Brooklyn projects are merged at the same time (or before). Those PRs will be listed shortly.

With these changes I believe all LICENSE and NOTICE files will now be current, correct, and compliant with Apache policy, and there are no longer any Category-X [2] licenses used or mentioned.

For convenience the main DEPENDENCY changes are shown in this commit:

apache/brooklyn@fa0ed65

    and tidy versions and exclusions for maven/osgi consistency
* the NOTICE file only has things actually included in that bundle
* a DEPENDENCIES file has source and runtime dependencies
* license generation maven runs against one project, not all modules, usu the karaf/features subdir
* additional licenses are added and aliases tidied

ahgittin commented Jun 2, 2020

The related PRs are:

The LICENSE/NOTICE/DEPENDENCIES changes are in separate commits so when reviewing it may be easiest to look at individual commits, to be able to skip the large auto-generated change sets.

@ahgittin ahgittin changed the title [WIP] License update 2020 License update 2020 Jun 2, 2020

@geomacy geomacy left a comment

This looks terrific Alex.

@geomacy geomacy requested a review from tbouron June 6, 2020 13:47
@asfgit asfgit closed this in c17db49 Jul 22, 2020
@asfgit asfgit merged commit c17db49 into apache:master Jul 22, 2020