polygene-dev mailing list archives

From Paul Merlin <p...@nosphere.org>
Subject Re: NOTICE
Date Tue, 28 Apr 2015 06:56:40 GMT
Niclas,

Thanks for your thorough answer.

Our actual distributions need refinements. For example the Gradle
wrapper should not be included so we need to provide some 'bootstrap'
for this, see https://github.com/apache/samza/blob/master/bootstrap.gradle

If you're ok with that, I can handle that work while you put some effort
elsewhere. I'm sure there's plenty of things to do.

Moreover, I started hacking some gradle task that should enable us to
generate the NOTICE files. It won't be as simple as it should be but it
should work. I'll push it in a branch once I get something convincing.

BTW I just pushed some commits to develop with two notable things:
- add a KEYS file at the project's root with our GPG keys
- add a `rat` build task that runs Apache Rat on the codebase
 
Cheers

/Paul


Niclas Hedhman wrote:
> Paul,
> Yes, the NOTICE requirement is actually not stipulated by ASF, but by most
> licenses requiring that you "pay respect" to any upstream work you use.
>
> ASF requires that a "RELEASE" is in source code form and can be built from
> the distributed tar ball. That is the intention of our
> qi4j-sdk-<ver>-source.tar.gz as well, so we fulfill this requirement. This
> is of course not a coincidence, after all I have been very influenced by the
> ASF way of doing things. And think about it; Open SOURCE ;-)
>
> ASF's view on binary "releases" is that of "an optional convenience
> provided to users", and it is up to each community to define this. Again,
> we provide the binary Qi4j SDK, ready to use, complete with the
> dependencies.
>
> The Maven artifacts are another way to distribute "convenience" and we might
> have an issue there (I haven't checked recently), since upload to Maven
> Central requires all dependencies to be present on Maven Central, 3rd party
> repositories are not allowed to be referenced. And we have had a couple of
> those in the past, most notably for org.restlet. We should check how that
> is now (both in terms of Maven Central requirements, as well as if our
> dependency(ies) is/are now on it), and if we can't there is a backup plan
> called BinTray by JFrog, which is larger (encompasses all Maven Central +
> other repositories) and probably can fill the role if Maven Central can't.
> In ASF, there is also a convention on putting LICENSE and NOTICE inside the
> JAR file, under the META-INF/maven/ directory, and I think the pom.xml goes
> in there as well.
>
> Now, I don't think we should bother to change the SDK content very much.
> Our current release artifacts fit the ASF expectations, and the "only"
> thing we need to do is to ensure that each dependency is mentioned in
> respective NOTICE file.
>
> I suggest; Please start with extensions/, and I will take care of
> libraries/. The rest whoever has more time available.
>
> For the build system, we might need to add META-INF/maven/ additions, and
> we should generate a top-level NOTICE file "somehow", for instance a header
> with the Qi4j component name + its NOTICE + a divider. And make it part of
> the final Source and Binary SDKs
>
> All in all, not that much work, since I have spent time on NOTICE in the
> past, but missing here and there, as well as the accuracy should be checked.
>
> Cheers
> Niclas
>
> On Mon, Apr 27, 2015 at 5:47 PM, Paul Merlin <paul@nosphere.org> wrote:
>
>> Gang,
>>
>> I started to dig into ZEST-15.
>>
>> I'm first looking into NOTICE files.
>> There are lots of other issues (headers, gradle wrapper, crypto etc...)
>> but I'm handling them one at a time.
>>
>>
>> From what I understand at http://www.apache.org/dev/licensing-howto.html:
>>
>> - Only one NOTICE file per released distribution is mandatory
>> - Only *bundled* dependencies need to be scrutinized
>>
>> So, if we don't bundle any dependencies in our release distributions,
>> NOTICE file should remain pretty simple.
>>
>> I looked at releases of other Apache TLPs like Samza, DeltaSpike and a
>> few others at http://dist.apache.org/ and most of the JVM based projects
>> only release a source distribution there.
>> Then they publish JARs to maven repositories without LICENSE/NOTICE files.
>>
>> I'd lean towards doing the very same. That is releasing a sources-only
>> distribution (with proper LICENSE/NOTICE files) and pushing artifacts to
>> repositories once the release is voted.
>>
>> WDYT?
>>
>> Cheers
>>
>> /Paul
>>
>>
>
>
