incubator-general mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: [VOTE] Apache Syncope 1.0.0-RC1-incubating / 2nd attempt
Date Thu, 17 May 2012 04:47:29 GMT
On 5/16/12 9:45 AM, Francesco Chicchiriccò wrote:
> Hi all,
Hi Francesco
> as far as I've understood we are quite in an impasse here: is there any
> quick way out?
Thinking twice about the third party components, I came to the 
conclusion that we should include the license of those requiring that it 
should be done, even if we have some transitive dependencies.

The reason is that if a direct 3rd party does not have a N&L containing 
transitive 3rd parties, then those direct 3rd parties are faulty. But 
because they are faulty does not mean we should also be (transitively) 
faulty !

That also means some of the ASF projects (including ApacheDS I'm working 
on !) have to double check their N&L files, something I'll do asap.

I'll be a bit busy the next 4 days, but I'll try to get a clear decision 
about this problem before next week, as it may impact many other projects.

Thanks !
>
> I've performed some more analysis and I've come to the following findings:
>
> 1. XPP3 is pulled in by XStream (syncope-core and syncope-console WAR files)
>
> [INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.2:compile
> [INFO] |  \- xpp3:xpp3_min:jar:1.1.4c:compile
>
> and by ApacheDS (syncope-build-tools WAR file)
>
> [INFO] +- org.apache.directory.server:apacheds-all:jar:1.5.7:compile
> [INFO] |  +- org.apache.directory.shared:shared-ldif:jar:0.9.19:compile
> [INFO] |  \- org.apache.directory.shared:shared-dsml-parser:jar:0.9.19:compile
> [INFO] |     \- xpp3:xpp3:jar:1.1.4c:compile
>
> XStream says that other XML parsers can be used (
> http://xstream.codehaus.org/download.html#optional-deps), I don't know
> about ApacheDS - but guess Emmanuel does.
>
> 2. The following are all the transitive dependencies currently not
> mentioned in L&N files:
>
> org.livetribe:livetribe-jsr223:jar:2.0.6
> org.mybatis:mybatis:jar:3.0.6
> xmlpull:xmlpull:jar:1.1.3.1
> xpp3:xpp3_min:jar:1.1.4c / xpp3:xpp3:jar:1.1.4c
> aopalliance:aopalliance:jar:1.0
> asm:asm:jar:3.3.1
> antlr:antlr:jar:2.7.7
> dom4j:dom4j:jar:1.6.1
> joda-time:joda-time:jar:2.0
>
>
> Can we find a simple and shared way to assess what is the legal,
> correct and complete, content of Syncope L&N files?
> Is there any other ASF project distributing WAR files we can check?
>
> If not: what if we just include in L&N files all the deps reported above?
> Is this harmful in any way?
>
> Please help: we'd really like to cut our first release...
>
> Best regards.
>
> On 15/05/2012 11:36, Christian Grobmeier wrote:
>>> The point is that we don't vote binaries, we vote sources. Generated
>>> binaries are just by-products of the build.
>>>
>>> That we distribute binaries is just for convenience.
>> which does not change anything imho
>>
>>> Now, I do think that we should include into the N&L files the licenses for
>>> 3rd parties we *directly* include, but not those that are transitively
>>> included. I may be wrong though. I understand your position, too.
>>>
>>> It may be worthwhile to ask beside this thread what is the correct way to
>>> refer those transitive dependencies...
>> +1
>>
>> Did not know there were other positions actually.
>>
>>>> http://incubator.apache.org/guides/releasemanagement.html#best-practice-license
>>>> "All the licenses on all the files to be included within a package
>>>> should be included in the LICENSE document. "
>>> But as soon as we include the deps' licenses we include, even if they
>>> themselves include some 3rd party licenses, my understanding is that they
>>> already have done the job...
>> If they did it. I have not opened all the files to be honest, but
>> is this something we can rely on (that they have done their job
>> properly)?
>>
>>>> It says to me, it does not matter who depends on what, it does only
>>>> matter what's inside your war.
>>>>
>>>> Btw, I am still unsure which license XPP has. This is worse, because:
>>>> http://www.apache.org/dev/release.html#distribute-other-artifacts
>>>> "Again, these artifacts may be distributed only if they contain
>>>> LICENSE and NOTICE files"
>>> See on
>>> http://www.extreme.indiana.edu/dist/java-repository/xpp3/distributions/,
>>> unzip the
>>> http://www.extreme.indiana.edu/dist/java-repository/xpp3/distributions/xpp3-1.1.4c_src.tgz
>>> tarball and check the included license.
>> Thanks! I opened the jar from the Syncope war, there was no info included.
>>
>> Is that compatible? "Indiana University Extreme! Lab Software License"
>> I think it's fine, but I am not very good with that boring stuff:
>> http://apache.org/legal/3party.html
>>
>> Btw, this phrase is interesting:
>> "Redistributions in binary form must reproduce the above copyright notice"
>>
>> This includes the provided war file. There is no copyright notice of
>> XPP and my guess is the license holders are not interested if we are
>> having it as transitive lib or not.


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

