hudi-bot opened a new issue, #14544: URL: https://github.com/apache/hudi/issues/14544
[https://www.apache.org/legal/resolved.html] is the comprehensive guide here. [http://www.apache.org/dev/licensing-howto.html] is the comprehensive guide here.' [http://www.apache.org/legal/src-headers.html] also Previously, we asked about some specific dependencies here https://issues.apache.org/jira/browse/LEGAL-461 ## JIRA info - Link: https://issues.apache.org/jira/browse/HUDI-662 - Type: Bug --- ## Comments 07/Mar/20 11:51;vinoth;Flink calls out the binary/bundled dependencies in NOTICE and leaves LICENSE alone. https://github.com/apache/flink/blob/master/NOTICE ;;; --- 07/Mar/20 11:58;vinoth;Druid (recently graduated) has a mix in both NOTICE and LICENSE https://github.com/apache/druid/blob/master/NOTICE https://github.com/apache/druid/blob/master/LICENSE ;;; --- 08/Mar/20 21:52;vinoth;Skywalking also has source reuses as https://github.com/apache/skywalking/blob/master/LICENSE ;;; --- 08/Mar/20 22:12;vinoth;Spark follows a similar model https://github.com/apache/spark/blob/master/LICENSE (calls out reused sources grouped by license) https://github.com/apache/spark/blob/master/LICENSE-binary (calls out licenses of bundled dependencies grouped by license) https://github.com/apache/spark/blob/master/NOTICE (seems to be more about calling our specific advisories .. ) https://github.com/apache/spark/blob/master/NOTICE-binary (seems to list homepage/license location of various bundled dependencies and if there are specific notices in those) ;;; --- 08/Mar/20 22:17;vinoth;cc [~vinoyang] [~smarthi] This seems like a model we can emulate .. NOTICE is supposed to be for transitively carrying over all the NOTICEs from the dependencies.. Pasting from ASLV2 {code} (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. {code} is our NOTICE file complete in these respects? Previously, [~vbalaji] was trying to automate this by concatenating all the NOTICE files from dependencies (you may remember the super long NOTICE file that we kept trimming and expanding) We have a scripts/releases/generate_notice.sh which should ideally provide a concatenated NOTICE from all jars.. Not sure if its working as intended.. But this seems like a good model to try.. In short, - list all the bundled dependencies and source dependencies with licenses in LICENSE - Fix the script and generate a NOTICE based on the dependencies's NOTICE files. Is it worth raising a LEGAL JIRA to confirm that maven central distribution of these bundles do count as a binary distribution and thus we need to attribute them? ;;; --- 09/Mar/20 00:31;smarthi;+1 to this. ;;; --- 09/Mar/20 02:59;yanghua;+1 too;;; --- 10/Mar/20 05:32;vinoth;Re-reading here http://www.apache.org/dev/licensing-howto.html#bundled-vs-non-bundled , since we are only producing source distributions at the moment, don't think we need to actually deal with the bundled bits.. See this language "Do not add anything to NOTICE which is not legally required." "As far as LICENSE and NOTICE are concerned, only bundled bits matter." "When assembling binary distributions, it is common to pull in and bundle additional dependencies which are not bundled with the source distribution. These additional dependencies must be accounted for in LICENSE and NOTICE." Checking Spark again, I think that's why they have different LICENSE/NOTICE for source and binary distributions.. What they do in LICENSE/NOTICE is very similar to what we have. LICENSE has ASF V2, following by license attribution for all adapted source code.. NOTICE has legal notices etc of its own and the code adapted there in. That's all it has.. Not sure even if the following is needed. {code} ================= Apache Hadoop 2.8.5 ================= Apache Hadoop Copyright 2009-2017 The Apache Software Foundation ================= Apache Hive 2.3.1 ================= Apache Hive Copyright 2008-2017 The Apache Software Foundation ================= Apache Spark 2.4.4 ================= Apache Spark Copyright 2014 and onwards The Apache Software Foundation ================= Apache Kafka 2.0.0 ================= Apache Kafka Copyright 2020 The Apache Software Foundation. ================= Apache HBase 1.2.3 ================= Apache HBase Copyright 2007-2019 The Apache Software Foundation. ================= Apache Avro 1.8.2 ================= Apache Avro Copyright 2010-2019 The Apache Software Foundation. {code} cc [~smarthi][~vbalaji] [~yanghua] I actually suggest we proceed with the voting as long as other issues are dealt with. We can revisit this ticket, if it becomes an issue during voting.. I am concerned that citing all binary bundled dependencies now, without actually having a binary distribution will be flagged.. ;;; --- 10/Mar/20 05:40;vinoth;Apache Singa https://github.com/apache/singa follows same model, only does source releases Apache Dubbo http://dubbo.apache.org/en-us/blog/download.html also only puts out source releases Their LICENSE and NOTICE follow same principles as ours.;;; --- 10/Mar/20 05:46;vinoth;All we need to do for this source release is to ensure "Copyright notifications which have been relocated from source files (rather than removed) must be preserved in NOTICE. " - NOTICE should contain all adapted source code's NOTICE. Thats all.;;; --- 10/Mar/20 06:02;yanghua;{quote}Apache Singa [https://github.com/apache/singa] follows same model, only does source releases Apache Dubbo [http://dubbo.apache.org/en-us/blog/download.html] also only puts out source releases Their LICENSE and NOTICE follow same principles as ours. {quote} In short, we did not reference the suitable projects? We should reference those projects which only release source distribution?;;; --- 10/Mar/20 06:36;vinoth;yes. Spark/Flink all provide binary distros... we only do source;;; --- 10/Mar/20 17:01;vinoth;We can again revisit this if needed.. untagging fix version ;;; --- 17/Apr/23 00:51;bayard;Noting that [https://repo1.maven.org/maven2/org/apache/hudi/hudi-trino-bundle/0.13.0/] appears to include a openjdk.jol jol-core dependency under GPL-2.0 WITH ClasspathException-2.0. You should remove this or open a LEGAL Jira item to discuss.;;; -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
