I'm slightly confused. Are any of the MIT dependencies mentioned in LICENSE bundled with the distribution?
On Fri, May 22, 2020 at 12:45 AM Vladimir Sitnikov <sitnikov.vladi...@gmail.com> wrote:

> Julian>It does not need to happen before
> Julian>the release, but before we announce.
>
> Cross-signing is not required at all.
>
> Julian>All files should match those in the source repo at that
> Julian>precise commit.
> Julian> Could this version of LICENSE be the committed one?
>
> Long story short: LICENSE file is a build artifact rather than an opaque
> blob.
>
> The license for the release artifact must include the licenses of all the
> bundled dependencies.
> That becomes extremely fragile if the license text is maintained manually.
>
> In the past there were multiple license violations in both Calcite and
> Calcite Avatica releases.
> The violations included: "missing license, copyright", "forbidden
> dependency bundled in the release".
>
> ---
>
> GitHub uses /LICENSE file to show the repository license in the summary
> line (right above the source tree),
> so adding extra content might confuse GitHub which would be devastating.
>
> Here's a sample project: https://github.com/embox/embox
> The license is BSD-2-Clause, however, GitHub is confused, and it shows
> "view license" rather than "BSD-2-Clause"
>
> ---
>
> It might be worth including the expected contents of the "release license"
> under /src/*/test/resources/EXPECTED_LICENSE
> It would protect from unexpected third-party dependencies bundling.
> As usual, PRs are welcome.
>
> Vladimir