jackrabbit-users mailing list archives

From Jeremias Maerki <...@jeremias-maerki.ch>
Subject Re: List of dependencies with licenses available?
Date Fri, 30 May 2008 09:13:53 GMT
Hi Felix

On 30.05.2008 10:30:53 Felix Meschberger wrote:
> Hi Jeremias,
> 
> Am Freitag, den 30.05.2008, 10:22 +0200 schrieb Jeremias Maerki:
> > I'm looking for a list of dependencies for Jackrabbit including their
> > licenses. Can anyone give me a pointer?
> 
> The non-Apache licensed dependencies should be listed in the NOTICE file
> along with references to their respective license.

Unfortunately, that's not the case for org.textmining, for example:
http://svn.apache.org/viewvc/jackrabbit/tags/1.4/jackrabbit-text-extractors/NOTICE.txt?view=markup
http://svn.apache.org/viewvc/jackrabbit/tags/1.4/jackrabbit-text-extractors/LICENSE.txt?view=markup
http://svn.apache.org/viewvc/jackrabbit/tags/1.4/jackrabbit-text-extractors/README.txt?view=markup
http://svn.apache.org/viewvc/jackrabbit/tags/1.4/jackrabbit-text-extractors/pom.xml?view=markup

The same applies to SLF4J, as another example.

> All dependencies
> should be available from the POM file -- running the maven dependency
> report (the project-info-reports:dependencies goal might be your
> friend).

I tried "project-info-reports:dependencies" but it doesn't list the
licenses on the dependencies themselves. The top-level report just says
that there are no dependencies. Running the report for each module is
not giving me much more. I still have to track down the license manually
for each non-ASF artifact via the project URLs. In the case of the
org.textmining dependency the license prior to 1.0 (now LGPL) cannot
even be determined since the JAR doesn't contain information about the
license and the authors didn't use branch/tag for the 0.4 release. Stuff
like that makes a license audit very difficult.

In the end, I don't think Maven can be our friend at the moment to
provide the necessary information for a license audit. Even the POMs
lack the necessary entries. And what if, as in the case of
org.textmining, the license suddenly changes?

> Maybe we should add the output of this report to the Jackrabbit site --
> if it ain't there and my eyes are too weak today?

I haven't found it. Yes, please add such a report. Or better even: a
section in the top-level README.txt that lists all dependencies with
their licenses. Something like the following would make the job much
easier:
http://svn.apache.org/viewvc/xmlgraphics/fop/trunk/lib/README.txt?revision=638396

> Hope this helps.
> 
> Regards
> Felix



Thanks,
Jeremias Maerki
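
An added example, not part of the original message or of the Jackrabbit project: a small Python check for the gap described above, where dependency POMs lack license entries. The sample POMs and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample POMs, not the real Jackrabbit or dependency POMs.
POM_WITH_LICENSE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId>
  <artifactId>licensed-lib</artifactId>
  <version>1.0</version>
  <licenses><license><name>MIT License</name></license></licenses>
</project>"""
POM_WITHOUT_LICENSE = """<project>
  <parent><groupId>org.example</groupId><version>0.4</version></parent>
  <artifactId>unlicensed-lib</artifactId>
</project>"""


def _children(elem, name):
    """Direct children called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _text(elem, name):
    found = _children(elem, name)
    if not found:
        return None
    return (found[0].text or "").strip() or None


def audit_pom(pom_xml):
    """Return (groupId:artifactId:version, [license names]) for one POM."""
    # ElementTree is not hardened against hostile XML; use a hardened
    # parser for POMs fetched from untrusted repositories.
    root = ET.fromstring(pom_xml)
    parents = _children(root, "parent")
    coords = []
    for field in ("groupId", "artifactId", "version"):
        value = _text(root, field)
        if value is None and parents and field != "artifactId":
            value = _text(parents[0], field)  # inherited from <parent>
        coords.append(value or "?")
    names = []
    for block in _children(root, "licenses"):
        for lic in _children(block, "license"):
            names.append(_text(lic, "name") or _text(lic, "url") or "unnamed")
    return ":".join(coords), names


def missing_licenses(poms):
    """Coordinates of artifacts whose own POM declares no license.
    A license declared only in a parent POM is not resolved here."""
    return [coords for coords, names in map(audit_pom, poms) if not names]
```

Artifacts it flags still need the manual lookup the message describes; the check only shows where the POM metadata is silent.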

