directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lecharny <>
Subject Re: Release fo shared
Date Sun, 13 Feb 2011 10:53:12 GMT
Rethinking about the problem this morning under my shower, here are some 
more thoughts, as I was probably not clear enough.

- shared-all source and binary packages both should contain NOTICE and 
LICENSES for all the 3rd parties jars
- individuals jars (say, shared-model.jar) should not include a NOTICE 
or LICENSES files.

On 2/13/11 1:40 AM, Emmanuel L├ęcharny wrote:
> Comments on line
>> Thanks.
>> I'm not sure when those notices should/must be added.
> Let's try to figure out...
>> It's clear, when distributing a binary distribution (e.g.
>> where third-party dependencies are included that the
>> licenses and notices of those third-party dependencies have to be
>> added.
> +1
>> But is the attribution also required in the JARs (both, binary or
>> source, there in META-INF/LICENSE and META-INF/NOTICE) that are
>> distributed via maven?
> Depends...
>> I see the following different cases:
>> 1) In shared-ldap-model we use Antlr to generate Java files. So I
>> think in the distributed shared-ldap-model-X.Y.Z.jar the Antlr
>> attribution is required.
> +1
>> 2) The common case that a 3rd-party libary is used/linked in main code
>> (e.g. dom4j or slf4j). Our distributed JAR only contains our
>> .java/.class files. The third-party jar is not redistributed. The
>> dom4j and slf4j licenses say that attribution is required in case the
>> software is 'used'. Does 'use' already include the case that their
>> classes are linked? But in that case we
> As soon as we distribute something which makes necessary to include a 
> thrid party jar, I think we should also include the 3rd party licenses.
> Remember that we release *sources*, not binaries. Binaries are just 
> generated for convenience. But in any case, we release in order for 
> users to be able to get our packages, and use them in their own 
> products. Somehow, we have to make them safe when doing so, that means 
> include the mandatory licenses and notice to spare the the burden to 
> do so.
> At least, this is how I understand the way we should do things at the 
> ASF...
>> 3) Similar like 2, but the 3rd-party is only used as test dependency
>> (like junit). Here the code is not distributed at all.
> Still, we distribute sources, which means tests, and users should be 
> able to build the project by downloading our sources. That include 
> tests. Of course, we don't distribute the associated jars (I was 
> thinking about findbugs), so in this case, we are not forced to inject 
> the associated license. Tests are supposed to be run using Maven, 
> pointing to external dependencies we *don't* provide. However, I still 
> think it's safe to add a reference to the used libs in the NOTICE.
>> 4) 3rd-party source code is included (e.g. in apacheds/jdbm or in
>> junit-addons). Here it is clear that attribution is required.
> +1
> Note that this is my perception of the way we should handle those 
> license/notice thingy. I may be wrong...
> Hope it helps...

Emmanuel L├ęcharny

View raw message