On Fri, Jun 17, 2016 at 3:28 PM Josh Elser <[email protected]> wrote:
> > > Mike Drob wrote: > > Thanks for taking a look, Sean. > > > > The LICENSE file in the source tarball refers to the BSD license and > > includes "for details see > > core/src/main/java/org/apache/accumulo/core/bloomfilter" and all files > > there (BloomFilter.java, DynamicBloomFilter.java, and Filter.java) > include > > the full 3-Clause BSD license in the header. Similarly, the MIT clause > has > > "for details see server/monitor/src/main/resources/web/flot" which has a > > LICENSE.txt > > I have absolutely no idea if this is "sufficient" or not. I can > understand Sean's confusion in not seeing relevant licenses in the > LICENSE file. > > According to http://www.apache.org/legal/release-policy.html#license-file, the license details must be included, but a pointer in the LICENSE file to those details elsewhere in the distribution is sufficient. > > Regarding the crypto, according towww.apache.org/dev/crypto.html#inform > it > > looks like we need to place that disclaimer in the README and not the > > NOTICE file anyway. If you prefer this reading of the policy, can you > file > > a JIRA for making these changes and set it as a blocker? Thanks. > > Yeah, NOTICE is not the right place for this, AFAIU. I wouldn't think > this is a blocker, but something we should just remove from the > src-release's NOTICE file. > > Agreed. There are other superfluous stuffs in our NOTICE files which should also be removed (notices about inclusion of other ASF projects, for example; only transitive notices should be carried forward from these dependencies; the ASF project itself is satisfied by the catch-all notice line about including software developed at ASF). I think these are wrong ( http://www.apache.org/dev/licensing-howto.html#mod-notice : "Do not add anything to NOTICE which is not legally required."), but also not a blocker. > > Mike > > > > On Fri, Jun 17, 2016 at 12:28 PM, Sean Busbey<[email protected]> > wrote: > > > >> > -1 > >> > > >> > good: > >> > > >> > * verified checksums and signatures > >> > * source artifact corresponds to referenced commit > >> > * source builds correctly with Oracle JDK 1.7.0_80 / Apache Maven > >> > 3.3.9 (including unit tests, not including ITs) > >> > > >> > bad: > >> > > >> > * LICENSE in source tarball references the "3 clause BSD" and "MIT" > >> > licenses but does not provide their text or a pointer to where the > >> > text can be found in the artifact. > >> > * NOTICE in the binary tarball doesn't include any of the encryption > >> > notice stuff that's in the source tarball NOTICE (I don't know if > this > >> > information is required in the NOTICE file, but it seems like we > >> > should be consistent for things that are equally applicable in the > >> > two). >
