www-repository mailing list archives

From Daniel Kulp <daniel.k...@iona.com>
Subject Re: POM licensing
Date Mon, 01 Oct 2007 14:30:29 GMT

I think there are two issues that are being discussed on this thread:

1) The license of the POM itself
2) The license of the artifacts the pom describes (usually a jar)


The second is the easy one.   IMO, all poms for apache artifacts should 
have:
    <licenses>
        <license>
            <name>The Apache Software License, Version 2.0</name>
            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
            <distribution>repo</distribution>
        </license>
    </licenses>
    <organization>
        <name>The Apache Software Foundation</name>
        <url>http://www.apache.org/</url>
    </organization>
either directly in them or inherited from a parent pom.  (possibly the 
org.apache:apache:pom).   IMO, all non-apache poms should ALSO have that 
as required meta-data in it.   I'd really like it if the sync scripts 
would stop syncing stuff that didn't have those entries.   Actually, I'd 
like it even more if it also required the <url> and <name> elements.     
Plugins like the remote-resources plugin use that information and 
not having it really sucks.   Auditing the dependencies for license 
incompatibilities would be a lot easier.   I assume the data-mining that 
Robert is trying to do is similar.  


The first one is a bit trickier.   I guess that would be the header that 
is stuck at the top of the pom.   But, as mentioned previously, there 
are cases where the release plugin strips that header.   (I know, the 
proper fix is to fix the plugin).    Also, should the pom be under the 
same license as the artifact?    If the pom has the above lines in it, 
is that good enough?    Good question.


Dan







On Sunday 30 September 2007, Robert Burrell Donkin wrote:
> On Sun, 2007-09-30 at 17:52 +0100, Steve Loughran wrote:
> > On 30/09/2007, Trustin Lee <trustin@gmail.com> wrote:
> > > Isn't it enough for all project POMs to extend
> > > org.apache:apache:pom (currently version 4)?
>
> not sure whether that's good enough from a legal perspective: i'm not
> sure that pom extension necessarily derivation, and even if it did
> then works derived from . much cleaner to have an explicit header.
>
> > - lots of the .pom files aren't in the right namespace
> > - those of us who hand write our pom files don't extend anything from
> > maven.
> > - I've always added author metadata as a comment in pom files
> > I've supplied, primarily to remove the blame from the original team
> > when I was the author of the bad metadata.  My incompetence
> > shouldn't be the cause of support calls to other people.
>
> the repository isn't stored in version control so it's more difficult
> to demonstrate provenance postmortem. henri's repository commits is
> useful but provenance information cannot be recorded in the commit
> message (since there isn't one).
>
> > Interestingly, most RPM .spec files that I've worked with (jpackage,
> > and stuff of my own doing) does include license info.
>
> interesting
>
> just a license (for the collective) or more detailed information?
>
> - robert



-- 
J. Daniel Kulp
Principal Engineer
IONA
P: 781-902-8727    C: 508-380-7194
daniel.kulp@iona.com
http://www.dankulp.com/blog
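
One way a sync script could apply the metadata check discussed in the message above, as an added example that is not part of the original thread or of any Apache tooling: it accepts POMs with or without the Maven namespace and reports missing license and organization metadata. The function names and sample POMs are constructed for illustration, and inheritance from a parent pom is only flagged, not resolved.

```python
import xml.etree.ElementTree as ET  # for untrusted uploads, a hardened parser such as defusedxml is preferable

def local(tag):
    """Drop any XML namespace so hand-written POMs without one are handled too."""
    return tag.rsplit("}", 1)[-1]

def child(elem, name):
    for c in elem:
        if local(c.tag) == name:
            return c
    return None

def text_of(elem, name):
    c = child(elem, name)
    return (c.text or "").strip() if c is not None else ""

def check_pom(pom_xml):
    """Return a list of problems; an empty list means the POM carries the metadata."""
    root = ET.fromstring(pom_xml)
    if local(root.tag) != "project":
        return ["root element is not <project>"]
    has_parent = child(root, "parent") is not None
    problems = []
    for section in ("licenses", "organization"):
        if child(root, section) is None:
            hint = "check the parent pom" if has_parent else "no <parent> to inherit from"
            problems.append(f"missing <{section}> ({hint})")
    licenses = child(root, "licenses")
    entries = [] if licenses is None else [e for e in licenses if local(e.tag) == "license"]
    if licenses is not None and not entries:
        problems.append("<licenses> contains no <license>")
    for i, lic in enumerate(entries, 1):
        for field in ("name", "url"):  # the <name> and <url> elements the message asks for
            if not text_of(lic, field):
                problems.append(f"license #{i} missing <{field}>")
    return problems

# Constructed sample POMs (not taken from any real repository).
GOOD = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses><license>
    <name>The Apache Software License, Version 2.0</name>
    <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
    <distribution>repo</distribution>
  </license></licenses>
  <organization><name>The Apache Software Foundation</name></organization>
</project>"""
HANDWRITTEN = "<project><licenses><license><name>Example License</name></license></licenses></project>"
CHILD = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.apache</groupId><artifactId>apache</artifactId><version>4</version></parent>
</project>"""
```
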
