incubator-flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carol Frampton <cfram...@adobe.com>
Subject Re: [Mentor] review NOTICE and LICENSE files
Date Fri, 25 May 2012 19:28:26 GMT


On 5/24/12 8 :09AM, "Bertrand Delacretaz" <bdelacretaz@apache.org> wrote:

>Hi,
>
>On Fri, May 18, 2012 at 9:41 PM, Carol Frampton <cframpto@adobe.com>
>wrote:
>...
>>  1.  If we incorporate code into our project that is from another
>>Apache project covered by an Apache v2 license do we still call out that
>>we've taken the code or does the Apache license at the top of the
>>LICENSE file cover all Apache code, not just Flex code?
>...
>>  2.  Same question, but we're incorporating code covered by an Apache
>>1.1 license.
>...
>
>By "incorporate code", do you mean forking another Apache project in Flex?
>
>If yes, Flex should IMO change package names of those project's
>classes to avoid confusion. Best is of course to contribute any
>required patches to those projects and work with them to have releases
>of that, but if that's really not possible and the forked code will be
>released by Flex, Flex must make it clear that the code is not the
>original.
>
>Best way to do that is probably to change the package names, something
>like o.a.flex.forks.batik for batik code for example.


Prior to today we were downloading the batik sources (1.6 which is old)
and applying our changes on top and building a new jar called
batik-all-flex.jar. I believe way back when the Flex group did look into
contributing these changes back but for whatever reason it was decided not
to - I think because the changes are messy.

I just checked in all the batik 1.6 source code with our changes merged in
and renamed the package as you suggested.


I was very surprised to find a lib directory in the batik source package
full of jars.  I checked the newest batik src package and they are still
there.  I am so confused. I thought binaries aren't allowed in source
packages.

Carol
























>
>>  3.  Many of the jars we use have their own LICENSE and NOTICE files.
>>Right now they are all in the lib directory right next to their jar.
>>I've seen other projects put them all in a legal, LICENSE or NOTICE
>>directory.  What is the proper way to organize these and how do you
>>refer to them in the Apache Flex LICENSE file?
>...
>
>Jar files are binary dependencies, we don't release them, so they
>don't need to be mentioned in the LICENSE or NOTICE file.
>
>OTOH, it's good to make it clear what the license of required
>dependencies are - Stanbol for example does a nice thing with a
>DEPENDENCIES-BY-LICENSE file that's generated with the
>license-maven-plugin, dunno if there's an equivalent for an ant build.
>You can see how that's setup at
>http://svn.apache.org/repos/asf/incubator/stanbol/branches/0.9.0-incubatin
>g/parent/pom.xml
>and the result in the Stanbol release at
>http://apache.org/dist/incubator/stanbol/
>
>>  ...4.  If we include a jar that includes other stuff and has NOTICES
>>and LICENSES from its dependencies to we pull them all up into our
>>LICENSE?  I've seen lots of questions about this and I still don't
>>understand what the right way to do this is.
>...
>
>We don't include jars - an Apache release consists of source code only.
>
>If Flex wants to provide a convenience package of binary dependencies,
>that's possible but does not have much to do with the actual release
>process.
>
>From the release point of view, what's required is that:
>
>-The LICENSE and NOTICE files match the source code that's being released
>
>-All required dependencies have compatible licenses as per
>http://apache.org/legal/resolved.html
>
>-Users can easily find out what those compatible licenses are
>
>The idea with not including binaries is that you can't realistically
>trust a binary that you didn't build yourself. It's not common in the
>Java world to build all your dependencies from trusted source, but
>that's really what people should do if they want to be sure what
>they're running.
>
>> ...If you know of any projects that you think are good examples I would
>>be happy to take a look.  Last time I tried to look
>> for examples I didn't find a consistent way of doing things so I
>>couldn't tell what was the preferred way.
>
>The best example is probably
>http://svn.apache.org/repos/asf/httpd/httpd/trunk
>
>-Bertrand


Mime
View raw message