zipkin-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] [incubator-zipkin] abesto commented on issue #2548: Sort out DEPENDENCIES file for zipkin-lens
Date Sun, 02 Jun 2019 12:33:04 GMT
abesto commented on issue #2548: Sort out DEPENDENCIES file for zipkin-lens
URL: https://github.com/apache/incubator-zipkin/issues/2548#issuecomment-498027063
 
 
   > NOTE: the normal maven thing doesn't check indirect dependencies, though npm-checker
does..
   
   So... I guess the lazy thing is to use `--direct` to behave the same way as Rat. OTOH as
long as all our transitive dependencies are A-OK, we can afford to be more strict.
   
   I've worked through licenses of our dependencies and compared to https://apache.org/legal/resolved.html.
Things that stand out:
   
   * `CC-BY-3.0` and `CC-BY-4.0`: ASF says "Works under the Creative Commons Attribution (CC-BY)
licenses (2.5, 3.0, and 4.0) contain terms related to "Effective Technological Measures",
which may come as a surprise to users. Thus their inclusion shall be appropriately labelled
and only in binary form."
     * Packages: `@fortawesome/fontawesome-free`, `spdx-exceptions`, `caniuse-lite`
     * My take: I'm not clear on what "appropriately labelled" means. For fontawesome, we're
good on "only in binary form". The other two packages contain stuff that doesn't _have_ a
binary form (JSON data and HTML/... components), so I guess we're alright?
   * `MPL-2.0`: ASF says "Each license in this section requires some degree of reciprocity.
This may mean that additional action is warranted in order to minimize the chance that a user
of an Apache product will create a derivative work of a differently-licensed portion of an
Apache product without being aware of the applicable requirements."
     * Packages: `mdn-data` (https://github.com/mdn/data)
     * My take: the ASF 3rd-party license policy is vague enough to be useless for me here.
No idea whether we're in the clear.
   
   Fun one I didn't know about; "Unlicense" is an actual license name , and it explicitly
assigns software to the public domain. Nice.
   
   Assuming the above licenses / uses are cleared, this command does the checking for us:
   
   ```
   license-checker --onlyAllow 'MIT;ISC;BSD-3-Cluase;Apache-2.0;BSD-2-Cluase;MIT*;BSD*;BSD;CC-BY-4.0;CC-1.0;Apache*;CC-BY-3.0;WTFPL;MPL-2.0;CC0-1.0;Unlicense'
   ```
   
   We might need to tweak it if new dependencies come in with licenses the ASF likes, but
are not in the least. It also outputs the full dump of dependencies (so we can also add `--json
| our-preprocessor` if we want, etc).
   
   Let me double down on the mentor ping. How do we handle the above licenses / uses? @reta
@michaelsembwever @WillemJiang @wu-sheng

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

Mime
View raw message