incubator-cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Nalley <da...@gnsa.us>
Subject Re: Binary dependencies
Date Wed, 08 Aug 2012 18:21:07 GMT
On Wed, Aug 8, 2012 at 2:13 PM, Chip Childers <chip.childers@sungard.com> wrote:
> David (All),
>
> I'm working through the list on the wiki [1], and have noticed some
> interesting differences between the listed license type and the
> license included in the JAR that the deps-ctrl branch pulls in.
>
> Examples:
>
> JavaMail is listed on the wiki page as being the dual GPL/CDDL license
> type.  The download [2] only lists CDDLv1 in it's embedded LICENSE
> file.
> JUnit is listed on the wiki page as being Common Public License.  The
> download [3] has BSD.  Yet the JUnit project site [4] lists it as CPL.
>
> This presents us with two interesting questions:
>
> 1 - Should we proceed with incorporating the build changes that David
> made in the deps-ctrl branch?  If not (which might be tied to the
> desire to use Maven instead of this custom Ant dependency download
> process), then how do we go about getting that done in the short term
> (for our 4.0 release)?
>

Well the deps-ctrl work is still a WIP - hopefully it will soon be
done. This is a stopgap quite honestly. I don't know anything about
maven or gradle, and while this inelegant and ugly, it works and is
relatively fast to iterate through.

> 2 - Assuming that *some* solution for dependency downloads is
> achieved, do we assume that the license contained within the download
> is authoritative?  I'm pretty sure the answer is yes, but that leads
> to a followup question: Do do we note the source download location in
> the NOTICE file and the more easily found project homepage?

So interesting problem
So my reading of this:
http://incubator.apache.org/guides/releasemanagement.html#best-practice-license

suggests to me that we don't need to add anything to the notice file
that we aren't shipping. (this likely means a separate notice file for
the convenience build) If we actually get rid of all of the jars in a
timely manner, that should make the source notice easy. But if we are
actually shipping code then the license contained by the code is
authoritative.

--David



>
> Example:
>
> This product includes JavaMail(TM) API Reference Implementation
> (http://www.oracle.com/technetwork/java/javamail/index.html), obtained
> from http://repo1.maven.org/maven2/javax/mail/mail/1.4/mail-1.4.jar
> under the COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0
>
> The "obtained from" part is the non-standard portion.
>
> -chip
>
>
> [1] https://cwiki.apache.org/confluence/display/CLOUDSTACK/Moving+dependencies+to+ASF+approved+licenses
> [2] http://repo1.maven.org/maven2/javax/mail/mail/1.4/mail-1.4.jar
> [3] http://repo1.maven.org/maven2/junit/junit/4.10/junit-4.10.jar
> [4] http://www.junit.org/license

Mime
View raw message