incubator-general mailing list archives

From Roman Shaposhnik <>
Subject Re: Bloated NOTICE files are evil
Date Sat, 11 Oct 2014 19:08:53 GMT
On Sat, Oct 11, 2014 at 11:47 AM, Sean Owen <> wrote:
>> You are confusing different distributions.  Netty provides a source
>> distribution which does include a NOTICE file.  Netty also provides binary
>> (jar) distributions.  These do not include a NOTICE file.
> I think this is a fair question. Did the Netty project intend the
> NOTICE file to pertain only to the source distribution? from its
> contents, it pertains to the binary distro too, since the binary form
> contains the elements referenced in the NOTICE.

This one really strikes me as an academic exercise. I am not
sure second-guessing the motivation of a non-ASF project would
be fruitful for our discussion.

The situation is *really* simple:
  1. it seems that for the stuff in Netty's binary distro Drill is
      doing the right thing with its binary distro
  2. it seems that for the stuff in Netty's source distro Drill is
      doing the right thing with its source distro

Is there anything else I am missing?

> I suppose I'd expect erring a bit on the side of the intent and
> spirit from the ASF in interpreting these things, but hey, let's stick
> to technicalities. Just taking the first example -- Netty contains
> among other things a modified version of Webbit, a BSD-licensed
> library. Drill distributes this code. Where is this in LICENSE?
> It's not even in NOTICE which would be "close" and reference its own
> LICENSE, but you don't distribute the NOTICE even. This is the problem
> with trying to cut it so fine.

I find it unfair to put this burden on Drill. If you really want to help Netty
with the spirit of the law -- why don't you talk to the Netty developers
and straighten these issues with them first?

> It's such a rabbit hole to be sure, and the little downside to being
> blessed with freely accessing so many others' projects. I struggled
> for a while on Spark with this and still probably don't have it all
> right. I mean, shouldn't someone take a look at the many other
> dependencies? this is just one I ran into as a spectator. Why the
> hostility? just stick to the discussion of the license please.

I haven't noticed any hostility, really (perhaps participating in some of the
more boisterous ASF communities equipped me with thicker skin).

That said, I do suggest we stay on topic and not try to boil the ocean
here. We are in charge of our own software -- we should do the
right thing with it. With projects outside of ASF we can only do
so much.

On a related note: with every legal counsel I have ever worked with, one
of the first conversations I have is around the fact that you never
ever trust somebody else's legal judgement. Which means
that regardless of what the LICENSE or NOTICE say you are
on the hook to 'trust but verify'. Hence BlackDuck and Palamida
scans. When you distribute something as a commercial vendor
it is your responsibility to make sure you are not exposing yourself.
Why am I telling you this? The reason is simple: cost. It costs
a LOT to make sure that the exposure is not there.

If you think that a project run by volunteers can achieve 100%
cleanliness for every single dependency (direct or transitive)
you're simply kidding yourself. Once again, what we need to focus
on is what we directly control. Not more, not less.

