geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Sisson <jrsis...@gmail.com>
Subject Re: Does each module really need LICENSE.txt and NOTICE.txt?
Date Wed, 19 Jul 2006 23:14:14 GMT
Matt Hogstrom wrote:
> I am referring to the modules.  What I meant was if we have 25 modules 
> and everyone has its own license and notices file I'm pretty confident 
> they'll get out of sync.  It would be nice to have a central place to 
> pull the content from which should be modules/scripts/resources/*
>
> What I meant by the notices being an issue is that a single notices 
> file identifies what additional licenses are in a module.  So, it may 
> or may not make sense for the Kernel module to have a Bouncycastle 
> NOTICE.
>
It looks like the majority of licenses use terminology similar to 
"Redistribution and use in source and binary forms..".  In terms of 
redistribution, we don't redistribute third-party libraries  (we only 
redistribute them in assemblies) as part of module jars, but they may 
use a third-party library directly or indirectly via transitive 
dependencies. 

I'm not sure if the "use" terminology in the licenses applies to 
indirect use, but it might be safer to err on the side of caution and 
include all licenses that may be in use both directly in the module and 
indirectly.

> If its ok to havbe a complete NOTICES file that includes licenses that 
> are not in a module then that would be fine.  It would be nice to say, 
> "Geronimo-Kernel may include one or more of the following elements."  
> If we have to be precise on a module by module basis then I think that 
> will be a problem.
This sounds like an opportunity for maven to solve in the future (e.g. 
collating license information) but I don't think it has been thought out 
enough yet..  http://jira.codehaus.org/browse/MJAR-10?rc=1

Agree it would be a problem if for each module we had to work out what 
licenses were used via transitive dependencies.  If it is only the 
licenses for direct dependencies that we need to include then that could 
be manageable.  We would need a process in place so that if anyone 
modifies the dependencies of a module they need to review the licensing 
implications (e.g. does the new version of the dependency have a new 
license) and make the appropriate changes to the module's LICENSE.txt 
and NOTICE.txt files.

John

>
> Kevan Miller wrote:
>>
>> On Jul 17, 2006, at 1:06 PM, Matt Hogstrom wrote:
>>
>>> Well, I think adding the files to every module is potentially a 
>>> problem.  I think the release should have a central place all 
>>> modules derive their LICENSE file from.  The NOTICIES file is a 
>>> different animal.
>>
>> Matt,
>> What "modules" are you referring to? All of our generated jar files 
>> (.e.g geronimo-kernel-1.1.jar) should contain LICENSE and NOTICE 
>> files. Hrrm, I just looked at two 1.1 jars and they only contain 
>> LICENSE files.
>>
>> We also need a LICENSE and NOTICE file at the base of our 
>> distributions. These should contain all necessary license and notice 
>> information for all of the Geronimo code built and included in our 
>> distribution. The license and notice file also need to contain 
>> license and notice information for all jar files, or other artifacts, 
>> that we include in our distribution (e.g. asm jar, castor jar, etc...).
>>
>> Or, are you instead referring to "modules" as in CAR's? If so, then 
>> they are a different animal. However, I don't think we're released 
>> from any licensing requirements.
>>
>> Given the guidelines in 
>> http://www.apache.org/dev/release.html#what-must-every-release-contain 
>> (see the "Can I distribute a raw artifact?" section at the bottom), I 
>> think that any downloadable artifact (distribution, car, jar, war, 
>> ear, etc) that we "release" to ibiblio should have appropriate 
>> license and notice files (alternatively, we stop releasing the 
>> artifact).
>>
>> --kevan
>>
>>>
>>> Jason Dillon wrote:
>>>> If we want to keep these guys in the jars, then we should move them 
>>>> to their standard src/main/resources/META-INF/* locations so that 
>>>> they get picked up automatically.
>>>> --jason
>>>> On Jul 16, 2006, at 5:27 PM, John Sisson wrote:
>>>>> Jason Dillon wrote:
>>>>>> Um... when were these ever included in the module's jars before?
>>>>>>
>>>>>> --jason
>>>>>>
>>>>>>
>>>>>> On Jul 16, 2006, at 5:04 PM, John Sisson wrote:
>>>>>>
>>>>>>> Jason Dillon wrote:
>>>>>>>> Does each module really need LICENSE.txt and NOTICE.txt?
>>>>>>>>
>>>>>>>> Or can we just have this at the top-level of the project?
>>>>>>>>
>>>>>>>> I'd rather have less duplicate files to maintain...
>>>>>>>>
>>>>>>>> Any comments?
>>>>>>>>
>>>>>>>> --jason
>>>>>>>>
>>>>>>> I think they are needed as each downloadable jar (which each

>>>>>>> module has) should contain the license and notice files.  Same

>>>>>>> with source archives, which AFAIK maven can produce for each

>>>>>>> individual module for use by IDE debuggers etc.
>>>>>>>
>>>>>>> John
>>>>>>
>>>>>>
>>>>> I just checked and if you look at geronimo-activation-1.1.jar it 
>>>>> should contain META-INF\LICENSE.TXT .  It is a problem that the 
>>>>> NOTICE.txt file isn't also included.
>>>>>
>>>>> We should add a JIRA for the 1.1.1 release for that.
>>>>>
>>>>> John
>>>>>
>>>>>
>>
>>
>>
>>
>


Mime
View raw message