In my hopefully finite-length effort to get a 4.1.2 release out I've
been looking a little bit at the LICENSE and NOTICE files in the 4.1
branch and trunk and think many of them have big problems.
Current thinking expressed on the legal-discuss is that:
A source code unit expected to be checked out from svn needs LICENSE
and NOTICE files in svn at the root of the checkout. These files
should apply exactly to the source code checked out, and not include
any language only appropriate for dependencies that may be needed to
build or run the software. These are the only LICENSE and NOTICE
files that need to be actually present in svn.
Each artifact distributed needs a LICENSE and NOTICE file. These may
be hardcoded in svn or generated. These files should accurately
describe the license(s) and required notices of what is actually in
the distribution unit (e.g. jar, war, tar.bz2) and not describe
anything not included that might be necessary to use the software.
Artifacts can also have descriptions of dependencies needed to use
the software but these descriptions should not be in the LICENSE or
NOTICE files.
so....
Looking around there are 2 problems:
- some of the LICENSE and possibly NOTICE files look like they have
generally large amounts of text appropriate for dependencies, not
what they actually apply to
- some LICENSE files are decidedly incomplete. For instance the
activemq-web-console includes all the sun jaxb jars but no CDDL
license. The trunk root LICENSE.txt file doesn't include the
licenses for the javascript in the activemq-web-console.
Possible solutions....
The root LICENSE and NOTICE files have to be fixed by hand AFAIK.
All the others can be generated using the maven-remote-resources
plugin. Thanks to Dan Kulp the latest apache resource bundle
actually generates stuff compliant with the apparent policy. What
needs to happen is that modules that have extra LICENSE or NOTICE
requirements need the extra stuff to be put into
src/main/appended-resources/META-INF/LICENSE and src/main/appended-
resources/META-INF/NOTICE
I can help with setting this up but I don't know what code might need
such extra legal goo. If I'm going to be able to help I'd need
accurate information on this.
There's also a geronimo maven plugin that can verify that legal files
are present in all the artifacts you build (jar, war, javadoc,
source, etc). I think it's a big help in release auditing to include
this plugin in the regular build to catch problems early.
thanks
david jencks
