I generated the list of jars to check using the following search:
grep 'include(dependency(' $(find . -name 'build.gradle')
Andrew
On Tue, May 22, 2018 at 7:33 PM Kenneth Knowles <k...@google.com> wrote:
> Did you look through all our jars or is that just a sample?
>
> Kenn
>
> On Tue, May 22, 2018 at 7:22 PM Davor Bonaci <da...@apache.org> wrote:
>
>> This analysis looks correct. Great find!
>>
>> The recommended fix would be different. I'd suggest appending this
>> sentence to the end of the LICENSE file: "A part of several convenience
>> binary distributions of this software is licensed as follows", followed by
>> the full license text (including its copyright, clauses and disclaimer) --
>> for each such case separately. Don't edit the NOTICE file.
>>
>> I'd suggest keeping things simple: no per-artifact license/notice, etc.
>> Just two project-wide files, but I'd suggest including it/attaching it
>> "everywhere". Opinions on this part may vary, but, for me, "everywhere"
>> includes every jar file.
>>
>> Standard disclaimers apply.
>>
>> Any volunteers? Thanks so much!
>>
>> On Tue, May 22, 2018 at 4:02 PM, Andrew Pilloud <apill...@google.com>
>> wrote:
>>
>>> Here is what I think might be missing:
>>>
>>> (1) what artifacts are impacted and where are they distributed
>>>
>>>
>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-core/2.4.0/beam-sdks-java-core-2.4.0.jar
>>>
>>> http://central.maven.org/maven2/org/apache/beam/beam-runners-direct-java/2.4.0/beam-runners-direct-java-2.4.0.jar
>>>
>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-harness/2.4.0/beam-sdks-java-harness-2.4.0.jar
>>>
>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-extensions-sql/2.4.0/beam-sdks-java-extensions-sql-2.4.0.jar
>>>
>>> (2) the external dependency being distributed
>>>
>>> beam-sdks-java-core: protobuf
>>> beam-runners-direct-java: protobuf
>>> beam-runners-direct-java: jsr-305
>>> beam-sdks-java-extensions-sql: janino-compiler
>>>
>>> (3) license and/or term not adhered to
>>>
>>> BSD 3 Clause: Redistributions in binary form must reproduce the above
>>> copyright notice, this list of conditions and the following disclaimer in
>>> the documentation and/or other materials provided with the distribution.
>>>
>>> (4) any proposed fix
>>>
>>> NOTICE file in the jar.
>>>
>>> I am not a lawyer, this is not legal advice.
>>>
>>> On Tue, May 22, 2018 at 2:55 PM Davor Bonaci <da...@apache.org> wrote:
>>>
>>>> Thanks for the report!
>>>>
>>>> Could you please comment more as to: (1) what artifacts are impacted
>>>> and where are they distributed, (2) the external dependency being
>>>> distributed, (3) license and/or term not adhered to, and (4) any proposed
>>>> fix?
>>>>
>>>> Any such information would be helpful in triaging the problem -- thanks
>>>> so much!
>>>>
>>>> (If confirmed, this would be release blocking.)
>>>>
>>>> On Tue, May 22, 2018 at 2:37 PM, Lukasz Cwik <lc...@google.com> wrote:
>>>>
>>>>> Does it have to be part of the jar or is it good enough to be part of
>>>>> the sources jar (as 2.4.0 had it part of the
>>>>> beam-parent-2.4.0-source.zip
>>>>> <http://central.maven.org/maven2/org/apache/beam/beam-parent/2.4.0/beam-parent-2.4.0-source.zip>
>>>>> )?
>>>>>
>>>>> On Tue, May 22, 2018 at 11:16 AM Andrew Pilloud <apill...@google.com>
>>>>> wrote:
>>>>>
>>>>>> I was digging around in the SQL jar trying to debug some packaging
>>>>>> issues and noticed that we aren't including the copyright notices from
>>>>>> the
>>>>>> packages we are shading. I also looked at our previously released jars
>>>>>> and
>>>>>> they are the same (so this isn't a regression). Should we be including
>>>>>> the
>>>>>> copyright notice from packages we are redistributing?
>>>>>>
>>>>>> Andrew
>>>>>>
>>>>>
>>>>
>>
