directory-dev mailing list archives

From Stefan Seelmann <>
Subject Re: Release of shared
Date Sun, 13 Feb 2011 21:26:48 GMT
I hope all issues are fixed:

The shared-all module now only shades artifacts with groupId
"", 3rd-party artifacts are not included. So no
special NOTICE/LICENSE file is required.

There is a new "distribution" module, it is only activated in
apache-release profile. It creates source and binary distributions,
including 3rd party JARs. All required attribution notices and
licenses for 3rd JARs are listed in src/main/release/licenses.

I'll prepare the release now and launch a vote afterwards.

Kind Regards,

On Sun, Feb 13, 2011 at 11:53 AM, Emmanuel Lecharny <> wrote:
> Rethinking about the problem this morning under my shower, here are some
> more thoughts, as I was probably not clear enough.
> - shared-all source and binary packages both should contain NOTICE and
> LICENSES for all the 3rd-party jars
> - individual jars (say, shared-model.jar) should not include a NOTICE or
> LICENSES files.
> On 2/13/11 1:40 AM, Emmanuel Lécharny wrote:
>> Comments on line
>>> Thanks.
>>> I'm not sure when those notices should/must be added.
>> Let's try to figure out...
>>> It's clear, when distributing a binary distribution (e.g.
>>> where third-party dependencies are included that the
>>> licenses and notices of those third-party dependencies have to be
>>> added.
>> +1
>>> But is the attribution also required in the JARs (both, binary or
>>> source, there in META-INF/LICENSE and META-INF/NOTICE) that are
>>> distributed via maven?
>> Depends...
>>> I see the following different cases:
>>> 1) In shared-ldap-model we use Antlr to generate Java files. So I
>>> think in the distributed shared-ldap-model-X.Y.Z.jar the Antlr
>>> attribution is required.
>> +1
>>> 2) The common case that a 3rd-party library is used/linked in main code
>>> (e.g. dom4j or slf4j). Our distributed JAR only contains our
>>> .java/.class files. The third-party jar is not redistributed. The
>>> dom4j and slf4j licenses say that attribution is required in case the
>>> software is 'used'. Does 'use' already include the case that their
>>> classes are linked? But in that case we
>> As soon as we distribute something which makes it necessary to include a
>> third party jar, I think we should also include the 3rd party licenses.
>> Remember that we release *sources*, not binaries. Binaries are just
>> generated for convenience. But in any case, we release in order for users to
>> be able to get our packages, and use them in their own products. Somehow, we
>> have to make them safe when doing so, that means include the mandatory
>> licenses and notice to spare them the burden to do so.
>> At least, this is how I understand the way we should do things at the
>> ASF...
>>> 3) Similar to 2, but the 3rd-party is only used as test dependency
>>> (like junit). Here the code is not distributed at all.
>> Still, we distribute sources, which means tests, and users should be able
>> to build the project by downloading our sources. That includes tests. Of
>> course, we don't distribute the associated jars (I was thinking about
>> findbugs), so in this case, we are not forced to inject the associated
>> license. Tests are supposed to be run using Maven, pointing to external
>> dependencies we *don't* provide. However, I still think it's safe to add a
>> reference to the used libs in the NOTICE.
>>> 4) 3rd-party source code is included (e.g. in apacheds/jdbm or in
>>> junit-addons). Here it is clear that attribution is required.
>> +1
>> Note that this is my perception of the way we should handle those
>> license/notice thingy. I may be wrong...
>> Hope it helps...
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
