Julian>It does not need to happen before Julian>the release, but before we announce.
Cross-signing is not required at all. Julian>All files should match those in the source repo at that Julian>precise commit. Julian> Could this version of LICENSE be the committed one? Long story short: LICENSE file is a build artifact rather than an opaque blob. The license for the release artifact must include the licenses of all the bundled dependencies. That becomes extremely fragile if the license text is maintained manually. In the past there were multiple license violations in both Calcite and Calcite Avatica releases. The violations included: "missing license, copyright", "forbidden dependency bundled in the release". --- GitHub uses /LICENSE file to show the repository license in the summary line (right above the source tree), so adding extra content might confuse GitHub which would be devastating. Here's a sample project: https://github.com/embox/embox The license is BSD-2-Clause, however, GitHub is confused, and it shows "view license" rather than "BSD-2-Clause" --- It might be worth including the expected contents of the "release license" under /src/*/test/resources/EXPECTED_LICENSE It would protect from unexpected third-party dependencies bundling. As usual, PRs are welcome. Vladimir