incubator-flex-dev mailing list archives

From Bertrand Delacretaz <bdelacre...@apache.org>
Subject Re: [Mentor] review NOTICE and LICENSE files
Date Thu, 24 May 2012 12:09:48 GMT
Hi,

On Fri, May 18, 2012 at 9:41 PM, Carol Frampton <cframpto@adobe.com> wrote:
...
>  1.  If we incorporate code into our project that is from another Apache project covered
> by an Apache v2 license do we still call out that we've taken the code or does the Apache
> license at the top of the LICENSE file cover all Apache code, not just Flex code?
...
>  2.  Same question, but we're incorporating code covered by an Apache 1.1 license.
...

By "incorporate code", do you mean forking another Apache project in Flex?

If yes, Flex should IMO change package names of those projects'
classes to avoid confusion. Best is of course to contribute any
required patches to those projects and work with them to have releases
of that, but if that's really not possible and the forked code will be
released by Flex, Flex must make it clear that the code is not the
original.

Best way to do that is probably to change the package names, something
like o.a.flex.forks.batik for batik code for example.

>  3.  Many of the jars we use have their own LICENSE and NOTICE files. Right now they
> are all in the lib directory right next to their jar.  I've seen other projects put them
> all in a legal, LICENSE or NOTICE directory.  What is the proper way to organize these and
> how do you refer to them in the Apache Flex LICENSE file?
...

Jar files are binary dependencies, we don't release them, so they
don't need to be mentioned in the LICENSE or NOTICE file.

OTOH, it's good to make it clear what the licenses of required
dependencies are - Stanbol for example does a nice thing with a
DEPENDENCIES-BY-LICENSE file that's generated with the
license-maven-plugin, dunno if there's an equivalent for an ant build.
You can see how that's set up at
http://svn.apache.org/repos/asf/incubator/stanbol/branches/0.9.0-incubating/parent/pom.xml
and the result in the Stanbol release at
http://apache.org/dist/incubator/stanbol/

>  ...4.  If we include a jar that includes other stuff and has NOTICES and LICENSES
> from its dependencies do we pull them all up into our LICENSE?  I've seen lots of questions
> about this and I still don't understand what the right way to do this is.
...

We don't include jars - an Apache release consists of source code only.

If Flex wants to provide a convenience package of binary dependencies,
that's possible but does not have much to do with the actual release
process.

From the release point of view, what's required is that:

-The LICENSE and NOTICE files match the source code that's being released

-All required dependencies have compatible licenses as per
http://apache.org/legal/resolved.html

-Users can easily find out what those compatible licenses are

The idea with not including binaries is that you can't realistically
trust a binary that you didn't build yourself. It's not common in the
Java world to build all your dependencies from trusted source, but
that's really what people should do if they want to be sure what
they're running.

> ...If you know of any projects that you think are good examples I would be happy to take
> a look.  Last time I tried to look
> for examples I didn't find a consistent way of doing things so I couldn't tell what was
> the preferred way.

The best example is probably http://svn.apache.org/repos/asf/httpd/httpd/trunk

-Bertrand
