Please ignore this email. It has been cancelled, and a new voting email has been sent. Thanks.
On Tue, Dec 19, 2017 at 9:01 AM, Jia Zhai <zhaiji...@gmail.com> wrote:
> Thanks for the help.
> Since bookkeeper-all package contains jars whose licenses are unclear,
> would like to cancel this vote thread and will remove bookkeeper-all in the
> new vote thread. The new thread will keep the same rc number.
>
> On Tue, Dec 19, 2017 at 8:25 AM, Sijie Guo <guosi...@gmail.com> wrote:
>
>> On Mon, Dec 18, 2017 at 3:32 PM, Ivan Kelly <iv...@apache.org> wrote:
>>
>> > >> The pom says ASL, but the pom points to a site where you can get the
>> > >> original source. It can only be downloaded from a zip from there. The
>> > >> zip, which is the only source for this that I could find, is BSD 3
>> > >> clause.
>> > >>
>> > >
>> > > We do not bundle the source. We bundle the published jar, which is under
>> > > ASLv2 in maven central.
>> > Maven central is not a source of truth. It must be maven central
>> > because findbugs wanted to use it as a dependency, so it published the
>> > jar, even though in the findbugs distribution they don't have the
>> > source. They do have the jar though, and they do get the license right
>> > in their source distribution. They overlooked it when they put it in
>> > maven central, and as such violated the 3 clause BSD license.
>> >
>> > The license covers binary and source form, so we should adhere to the
>> > original license, which is 3 clause BSD.
>>
>>
>> I don't think we should be in the business of checking whether it violates
>> 3 clause BSD license or not.
>> The dependency that we pulled in is a bundled binary, which we should use
>> the LICENSE that they associated
>> with the bundled jar that the author pushed to maven central. If it
>> violates BSD license, the author of this jar should address.
>> However I am not the lawyer, so I can't judge what is right and what is
>> wrong.
>>
>>
>> >
>> > >> So where is the source? This one I assume is an ASL, but the source is
>> > >> not available anywhere.
>> > >>
>> > >
>> > > There is no public source about this. We have to use the license in maven
>> > > as the source-of-truth.
>> > By not publishing the NOTICE file from apache thrift, twitter is in
>> > violation of the ASL (clause 4(d)).
>>
>>
>> Same as above.
>>
>> You seem to have strong opinions about these two *problematic*
>> dependencies. And these dependencies were introduced by twitter stats
>> providers for bookkeeper-all packages.
>> In order not to block release 4.6.0, I would suggest removing
>> bookkeeper-all package from release 4.6.0. If people need bookkeeper-all
>> package, they can compile from src package.
>> We can resume the discussion of bookkeeper-all package when licensing
>> concerns are removed.
>>
>>
>> >
>> > -Ivan
>> >
>