I generated the list of jars to check using the following search:

    grep 'include(dependency(' $(find . -name 'build.gradle')

Andrew

On Tue, May 22, 2018 at 7:33 PM Kenneth Knowles <k...@google.com> wrote:

> Did you look through all our jars or is that just a sample?
>
> Kenn
>
> On Tue, May 22, 2018 at 7:22 PM Davor Bonaci <da...@apache.org> wrote:
>
>> This analysis looks correct. Great find!
>>
>> The recommended fix would be different. I'd suggest appending this
>> sentence to the end of the LICENSE file: "A part of several convenience
>> binary distributions of this software is licensed as follows", followed by
>> the full license text (including its copyright, clauses and disclaimer) --
>> for each such case separately. Don't edit the NOTICE file.
>>
>> I'd suggest keeping things simple: no per-artifact license/notice, etc.
>> Just two project-wide files, but I'd suggest including it/attaching it
>> "everywhere". Opinions on this part may vary, but, for me, "everywhere"
>> includes every jar file.
>>
>> Standard disclaimers apply.
>>
>> Any volunteers? Thanks so much!
>>
>> On Tue, May 22, 2018 at 4:02 PM, Andrew Pilloud <apill...@google.com>
>> wrote:
>>
>>> Here is what I think might be missing:
>>>
>>> (1) what artifacts are impacted and where are they distributed
>>>
>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-core/2.4.0/beam-sdks-java-core-2.4.0.jar
>>> http://central.maven.org/maven2/org/apache/beam/beam-runners-direct-java/2.4.0/beam-runners-direct-java-2.4.0.jar
>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-harness/2.4.0/beam-sdks-java-harness-2.4.0.jar
>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-extensions-sql/2.4.0/beam-sdks-java-extensions-sql-2.4.0.jar
>>>
>>> (2) the external dependency being distributed
>>>
>>> beam-sdks-java-core: protobuf
>>> beam-runners-direct-java: protobuf
>>> beam-runners-direct-java: jsr-305
>>> beam-sdks-java-extensions-sql: janino-compiler
>>>
>>> (3) license and/or term not adhered to
>>>
>>> BSD 3 Clause: Redistributions in binary form must reproduce the above
>>> copyright notice, this list of conditions and the following disclaimer in
>>> the documentation and/or other materials provided with the distribution.
>>>
>>> (4) any proposed fix
>>>
>>> NOTICE file in the jar.
>>>
>>> I am not a lawyer, this is not legal advice.
>>>
>>> On Tue, May 22, 2018 at 2:55 PM Davor Bonaci <da...@apache.org> wrote:
>>>
>>>> Thanks for the report!
>>>>
>>>> Could you please comment more as to: (1) what artifacts are impacted
>>>> and where are they distributed, (2) the external dependency being
>>>> distributed, (3) license and/or term not adhered to, and (4) any proposed
>>>> fix?
>>>>
>>>> Any such information would be helpful in triaging the problem -- thanks
>>>> so much!
>>>>
>>>> (If confirmed, this would be release blocking.)
>>>>
>>>> On Tue, May 22, 2018 at 2:37 PM, Lukasz Cwik <lc...@google.com> wrote:
>>>>
>>>>> Does it have to be part of the jar or is it good enough to be part of
>>>>> the sources jar (as 2.4.0 had it part of the
>>>>> beam-parent-2.4.0-source.zip
>>>>> <http://central.maven.org/maven2/org/apache/beam/beam-parent/2.4.0/beam-parent-2.4.0-source.zip>
>>>>> )?
>>>>>
>>>>> On Tue, May 22, 2018 at 11:16 AM Andrew Pilloud <apill...@google.com>
>>>>> wrote:
>>>>>
>>>>>> I was digging around in the SQL jar trying to debug some packaging
>>>>>> issues and noticed that we aren't including the copyright notices from
>>>>>> the packages we are shading. I also looked at our previously released
>>>>>> jars and they are the same (so this isn't a regression). Should we be
>>>>>> including the copyright notice from packages we are redistributing?
>>>>>>
>>>>>> Andrew