commons-dev mailing list archives

From simon <simon.kitch...@chello.at>
Subject Re: [VOTE] Release commons-fileupload 1.2.1 (rc3)
Date Thu, 10 Jan 2008 17:47:34 GMT

On Thu, 2008-01-10 at 17:08 +0000, Niall Pemberton wrote:
> On Jan 10, 2008 3:41 PM, sebb <sebbaz@gmail.com> wrote:
> > On 10/01/2008, Jochen Wiedmann <jochen.wiedmann@gmail.com> wrote:
> > > I forgot to note: The distribution is available on
> > >
> > >    http://people.apache.org/~jochen/commons-fileupload/dist
> >
> > -1:
> > The NOTICE files in the jars are non-standard. They also refer to
> > Commons-IO which is not part of the jar. The NOTICE file is *only* for
> > items that are included in the distribution, not external
> > dependencies.
> 
> Is this true? I realize the following document has still (after 18
> months) not yet been made official ASF policy, but in the absence of
> any other then there are two sections which seem relevant:
>  - System Requirements
>  - Optional Add-ons
> http://people.apache.org/~rubys/3party.html#options-systemrequirements
> 
> If for example we have a component which can use 3rd Party work that
> comes under the "excluded licenses" (from memory I think VFS did this)
> then we have an obligation to inform the users of this and the NOTICE
> file seems an appropriate place to do this. Having the dependencies
> and their licenses listed seems like a *good thing* to me for users to
> be confident of all the licensing implications of using a distro.
> Anyway if there's contention on the format of the NOTICE in this
> release then we should ask on legal-discuss to see if we can get an
> answer whether it's valid or not. I will try to do this later but I'm
> going out soon - so hopefully someone else will beat me to it.

Yes, we really do need a real legal opinion on this, to clear things up
one way or the other.

However I shudder to think about the overhead if we *must* include in
the NOTICE information about every dependency. Or even if we must
double-check that the information pulled in by maven-remote-resources is
correct.

When the message is posted to legal-discuss, please clearly point out
that we are talking here about two different scenarios:
(a) what goes in a single jar, and
(b) what goes in a .tgz download bundle.
And also point out that the dependencies *are* explicitly spelled out in
the pom, and that a readable form of this is present in the maven
reports. Yay maven.

But until there is an official legal statement on this, I really do have
to vote -1 on releasing with any auto-generated NOTICE.txt file. I just
don't feel confident that the alternative is legally sensible.

Related questions:
(1) A maven module (commons-foo) includes stuff from two different
copyright holders, licensed under BSD licenses. Can the maven pom define
this information? I believe there is only one <license> field. Or is the
fallback here to use a manual NOTICE file?
(2) If commons-bar then depends on commons-foo, what should be in the
NOTICE file?

Regards,

Simon

