commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Niall Pemberton" <niall.pember...@gmail.com>
Subject Re: [VOTE] Release commons-fileupload 1.2.1 (rc3)
Date Fri, 11 Jan 2008 08:13:14 GMT
On Jan 10, 2008 5:47 PM, simon <simon.kitching@chello.at> wrote:
>
>
> On Thu, 2008-01-10 at 17:08 +0000, Niall Pemberton wrote:
> > On Jan 10, 2008 3:41 PM, sebb <sebbaz@gmail.com> wrote:
> > > On 10/01/2008, Jochen Wiedmann <jochen.wiedmann@gmail.com> wrote:
> > > > I forgot to note: The distribution is available on
> > > >
> > > >    http://people.apache.org/~jochen/commons-fileupload/dist
> > >
> > > -1:
> > > The NOTICE files in the jars are non-standard. They also refer to
> > > Commons-IO which is not part of the jar. The NOTICE file is *only* for
> > > items that are included in the distribution, not external
> > > dependencies.
> >
> > Is this true? I realize the following document has still (after 18
> > months) not yet been made official ASF policy, but in the absence of
> > any other then there are two sections which seem relevant:
> >  - System Requirements
> >  - Optional Add-ons
> > http://people.apache.org/~rubys/3party.html#options-systemrequirements
> >
> > If for example we have component which can use 3rd Party work that
> > comes under the "excluded licenses" (from memory I think VFS did this)
> > then we have an obligation to inform the users of this and the NOTICE
> > file seems an appropriate place to do this. Having the dependencies
> > and their licenses listed seems like a *good thing* to me for users to
> > be confident of all the licensing implications of using a distro.
> > Anyway if theres contention on the format of the NOTICE in this
> > release then we should ask on legal-discuss to see if we can get an
> > answer whether its valid or not. I will try to do this later but I'm
> > going out soon - so hopefully someone else will beat me to it.
>
> Yes, we really do need a real legal opinion on this, to clear things up
> one way or the other.

See http://apache.markmail.org/message/zsgfkulbut3bowqu

> However I shudder to think about the overhead if we *must* include in
> the NOTICE information about every dependency. Or even if we must
> double-check that the information pulled in by maven-remote-resources is
> correct.
>
> When the message is posted to legal-discuss, please clearly point out
> that we are talking here about two different scenarios:
> (a) what goes in a single jar, and
> (b) what goes in a .tgz download bundle.
> And also point out that the dependencies *are* explicitly spelled out in
> the pom, and that a readable form of this is present in the maven
> reports. Yay maven.

OK I only just re-read this after I posted on legal-discuss - but I
framed the question as I thought appropriate.

Niall

> But until there is an official legal statement on this, I really do have
> to vote -1 on releasing with any auto-generated NOTICE.txt file. I just
> don't feel confident that the alternative is legally sensible.
>
> Related questions:
> (1) A maven module (commons-foo) includes stuff from two different
> copyright holders, licensed under BSD licenses. Can the maven pom define
> this information? I believe there is only one <license> field. Or is the
> fallback here to use a manual NOTICE file?
> (2) If commons-bar then depends on commons-foo, what should be in the
> NOTICE file?
>
> Regards,
>
> Simon
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Mime
View raw message