> On 15 Oct 2017, at 15:50, Emilian Bold <emilian.bold@gmail.com> wrote:
>
> It's part of the Apache IP clearance. We need to know our dependencies. A
> binary JAR won't do, specifically because we patch stuff too. We can't just
> go through classes and add small license headers when we import lots and
> lots of binaries as external dependencies. Knowing the exact (legal) status
> of our dependencies is even more important than going through the codebase
> imho.
>
So the important thing here is to _identify_ the exact provenance of each binary dependency
& its license and legal status, but not to actually compile modules against binaries,
am I right?
>> I'd prefer upgrading to modern versions than seeking old ones.
>
> This involves potential breaking changes, code refactoring and potential
> bugs. Why risk all that?
>
> Let's just make an inventory of everything (i.e. IP clearance) and build
> with the JARs we have tested before!
>
If possible yes, of course. Trouble is when you can’t find a jar from 2009 :-)
Thanks for your clarification, Emi, this helps.
Best regards,
Antonio