FYI, I've opened https://issues.apache.org/jira/browse/BEAM-4393 to track this work and marked it as a 2.5.0 release blocker.
On Wed, May 23, 2018 at 9:15 AM Andrew Pilloud <apill...@google.com> wrote: > I generated the list of jars to check using the following search: > > grep 'include(dependency(' $(find . -name 'build.gradle') > > > Andrew > > On Tue, May 22, 2018 at 7:33 PM Kenneth Knowles <k...@google.com> wrote: > >> Did you look through all our jars or is that just a sample? >> >> Kenn >> >> On Tue, May 22, 2018 at 7:22 PM Davor Bonaci <da...@apache.org> wrote: >> >>> This analysis looks correct. Great find! >>> >>> The recommended fix would be different. I'd suggest appending this >>> sentence to the end of the LICENSE file: "A part of several convenience >>> binary distributions of this software is licensed as follows", followed by >>> the full license text (including its copyright, clauses and disclaimer) -- >>> for each such case separately. Don't edit the NOTICE file. >>> >>> I'd suggest keeping things simple: no per-artifact license/notice, etc. >>> Just two project-wide files, but I'd suggest including it/attaching it >>> "everywhere". Opinions on this part may vary, but, for me, "everywhere" >>> includes every jar file. >>> >>> Standard disclaimers apply. >>> >>> Any volunteers? Thanks so much! >>> >>> On Tue, May 22, 2018 at 4:02 PM, Andrew Pilloud <apill...@google.com> >>> wrote: >>> >>>> Here is what I think might be missing: >>>> >>>> (1) what artifacts are impacted and where are they distributed >>>> >>>> >>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-core/2.4.0/beam-sdks-java-core-2.4.0.jar >>>> >>>> http://central.maven.org/maven2/org/apache/beam/beam-runners-direct-java/2.4.0/beam-runners-direct-java-2.4.0.jar >>>> >>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-harness/2.4.0/beam-sdks-java-harness-2.4.0.jar >>>> >>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-extensions-sql/2.4.0/beam-sdks-java-extensions-sql-2.4.0.jar >>>> >>>> (2) the external dependency being distributed >>>> >>>> beam-sdks-java-core: protobuf >>>> beam-runners-direct-java: protobuf >>>> beam-runners-direct-java: jsr-305 >>>> beam-sdks-java-extensions-sql: janino-compiler >>>> >>>> (3) license and/or term not adhered to >>>> >>>> BSD 3 Clause: Redistributions in binary form must reproduce the above >>>> copyright notice, this list of conditions and the following disclaimer in >>>> the documentation and/or other materials provided with the distribution. >>>> >>>> (4) any proposed fix >>>> >>>> NOTICE file in the jar. >>>> >>>> I am not a lawyer, this is not legal advice. >>>> >>>> On Tue, May 22, 2018 at 2:55 PM Davor Bonaci <da...@apache.org> wrote: >>>> >>>>> Thanks for the report! >>>>> >>>>> Could you please comment more as to: (1) what artifacts are impacted >>>>> and where are they distributed, (2) the external dependency being >>>>> distributed, (3) license and/or term not adhered to, and (4) any proposed >>>>> fix? >>>>> >>>>> Any such information would be helpful in triaging the problem -- >>>>> thanks so much! >>>>> >>>>> (If confirmed, this would be release blocking.) >>>>> >>>>> On Tue, May 22, 2018 at 2:37 PM, Lukasz Cwik <lc...@google.com> wrote: >>>>> >>>>>> Does it have to be part of the jar or is it good enough to be part of >>>>>> the sources jar (as 2.4.0 had it part of the >>>>>> beam-parent-2.4.0-source.zip >>>>>> <http://central.maven.org/maven2/org/apache/beam/beam-parent/2.4.0/beam-parent-2.4.0-source.zip> >>>>>> )? >>>>>> >>>>>> On Tue, May 22, 2018 at 11:16 AM Andrew Pilloud <apill...@google.com> >>>>>> wrote: >>>>>> >>>>>>> I was digging around in the SQL jar trying to debug some packaging >>>>>>> issues and noticed that we aren't including the copyright notices from >>>>>>> the >>>>>>> packages we are shading. I also looked at our previously released jars >>>>>>> and >>>>>>> they are the same (so this isn't a regression). Should we be including >>>>>>> the >>>>>>> copyright notice from packages we are redistributing? >>>>>>> >>>>>>> Andrew >>>>>>> >>>>>> >>>>> >>>