incubator-wookie-dev mailing list archives

From "Paul Sharples (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WOOKIE-250) Improve license files
Date Wed, 05 Oct 2011 12:03:34 GMT
Improve license files
---------------------

                 Key: WOOKIE-250
                 URL: https://issues.apache.org/jira/browse/WOOKIE-250
             Project: Wookie
          Issue Type: Improvement
          Components: Project Administration
    Affects Versions: 0.9.1
         Environment: n/a
            Reporter: Paul Sharples
             Fix For: 0.9.1


Ate made some suggestions we might make to our license files when he reviewed the 0.9.0 release
on the wookie-dev list. Creating an issue for it here so it's more visible for 0.9.1

* wookie.war has DISCLAIMER/LICENSE/NOTICE/RUNTIME_LICENSE files in root folder:
Having these files in the war root means these will be accessible as web resources... While
still pretty harmless in this case/release, it's a bad practice and could actually pose a security
issue as everyone can thereby find/read which runtime artifacts (including their version)
are in use.
The expected/advised location for these files would be under /META-INF.

* NOTICE/LICENSE/RUNTIME_LICENSE files in general:
The current ASF policy is that these files only need/should attribute whatever is actually
packaged (note: this equally concerns the svn tree, which in itself can and should be regarded
as a "distribution"). Anything not "packaged" need (should) not be attributed. These files
serve a legal purpose only, and anything not needed and/or redundant will only make it more
difficult to maintain and validate properly.
Dependencies not packaged/distributed, but for instance needed (only) for building are not
required to be attributed in these files. If there are specific (build/runtime) requirements
users should be aware of then those should be mentioned and explained in additional README,
BUILD_NOTES, etc. files, only.

* License attribution to other ASF projects packaged sources/artifacts:
From a legal POV, this is not needed: the basic (required) NOTICE and LICENSE attribution
that the distribution includes ASF produced software under the ASL 2.0 license already covers
all legal requirements.
While mentioning each and every other ASF project source/artifact in the LICENSE files is
not harmful in any way, it is a lot of extra and unneeded effort not easy to maintain properly.

For example, the LICENSE file does mention the
shindig-common-1.1-BETA5-incubating.jar (which is *not* packaged in the source distribution,
more about that below), but does not mention
shindig/dist/shindig-features-1.1-BETA5-incubating.jar which *is* packaged in the source distribution.
However, neither is really problematic as it isn't needed
anyway.
Another example is some extra jackrabbit jars which are not mentioned in either the LICENSE
or RUNTIME_LICENSE file but are packaged with the binary distributions.
And while commons-io and commons-email are mentioned in the LICENSE file (but not packaged
in the source distribution), they are not mentioned in the RUNTIME_LICENSE file while they
*are* packaged in the binary distributions.

* RUNTIME_LICENSE file:
- The RUNTIME_LICENSE file is used/intended to cover the requirements for (both) the binary
distributions, wookie war/standalone.
However, as a single file it covers both distributions while the war distribution does not
package several artifacts (and thus licenses) contained in the standalone distribution (Eclipse,
Jetty, Servlet/JSP etc.)
From a legal POV, this is not "wrong", but AFAIK not ideal either.
To "solve" this however would require maintaining two separate RUNTIME_LICENSE files which
isn't ideal either. I have no strong opinion on this but it might be considered to split these
files up if causing not too much of a burden to maintain.
- More/most serious is the omission of the 3rd party license attributions for many (all?)
of the packaged Widgets in the RUNTIME_LICENSE file. While these are distributed as "source",
they are (thereby) packaged in the binary distributions and as such *should* be attributed
in the RUNTIME_LICENSE file. However, as these 3rd party licenses are properly mentioned in
the LICENSE file which also is packaged in the binary distribution, legally everything probably
is still OK, even if somewhat confusing.
- My suggestion for future releases however is to consider packaging only a single LICENSE
file within a release artifact/distribution and thus maintain separate LICENSE files for source
and binary distributions (optionally even two for the latter). And the same holds for the
NOTICE file which currently also covers everything for both source and binary distributions.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
