JS dependencies here, should be all transitives too https://github.com/jw3/example-daffodil-vscode/wiki/js-dependencies
On Mon, Sep 20, 2021 at 7:42 AM Steve Lawrence <slawre...@apache.org> wrote:

> These all look compatible with the Apache license and shouldn't be a
> problem. The EPL 1.0 dependencies will require some extra labeling in
> the distributed binary, but that's not a big deal.
>
> package.json also lists some dependencies, I think these are all
> javascript/npm dependencies? We probably need to verify the full
> transitive graph of these dependencies as well.
>
> On 9/19/21 4:11 PM, Adam Rosien wrote:
> > From sbt, run core/dependencyLicenseInfo (see
> > https://github.com/sbt/sbt-dependency-graph
> > <https://github.com/sbt/sbt-dependency-graph> for instructions):
> >
> > ---
> > No license specified
> > Concurrent Technologies Corporation, Nteligen LLC:daffodil-debugger_2.12:0.0.15-18-g091ad23-SNAPSHOT
> > commons-io:commons-io:2.8.0
> > com.google.code.gson:gson:2.7
> > com.microsoft.java:com.microsoft.java.debug.core:0.31.1
> > ch.qos.logback:logback-classic:1.2.3
> > org.apache.commons:commons-lang3:3.6
> > xml-resolver:xml-resolver:1.2
> > ch.qos.logback:logback-core:1.2.3
> > org.slf4j:slf4j-api:1.7.30
> >
> > Apache 2.0
> > org.typelevel:simulacrum-scalafix-annotations_2.12:0.5.4
> >
> > Apache License, Version 2.0
> > org.apache.daffodil:daffodil-core_2.12:3.1.0
> > org.apache.daffodil:daffodil-sapi_2.12:3.1.0
> > org.apache.daffodil:daffodil-runtime1-unparser_2.12:3.1.0
> > org.apache.daffodil:daffodil-runtime1_2.12:3.1.0
> > org.apache.daffodil:daffodil-io_2.12:3.1.0
> > org.apache.daffodil:daffodil-udf_2.12:3.1.0
> > org.apache.daffodil:daffodil-lib_2.12:3.1.0
> >
> > Apache-2.0
> > com.typesafe:config:1.4.1
> > org.scala-lang.modules:scala-xml_2.12:1.3.0
> > org.typelevel:log4cats-slf4j_2.12:2.1.0
> > org.typelevel:log4cats-core_2.12:2.1.0
> > org.scala-lang.modules:scala-parser-combinators_2.12:1.1.2
> > org.typelevel:cats-effect_2.12:3.1.1
> > org.typelevel:cats-effect-kernel_2.12:3.1.1
> > com.monovore:decline_2.12:2.1.0
> > org.typelevel:cats-effect-std_2.12:3.1.1
> > com.monovore:decline-effect_2.12:2.1.0
> > com.comcast:ip4s-core_2.12:3.0.3
> > org.typelevel:literally_2.12:1.0.2
> >
> > BSD-3-Clause
> > org.scodec:scodec-bits_2.12:1.1.27
> >
> > CC0
> > org.reactivestreams:reactive-streams:1.0.0
> >
> > MIT
> > org.typelevel:cats-core_2.12:2.6.1
> > co.fs2:fs2-io_2.12:3.0.4
> > com.lihaoyi:os-lib_2.12:0.7.6
> > com.lihaoyi:geny_2.12:0.6.9
> > org.typelevel:cats-kernel_2.12:2.6.1
> > co.fs2:fs2-core_2.12:3.0.4
> >
> > Similar to Apache License but with the acknowledgment clause removed
> > org.jdom:jdom2:2.0.6
> >
> > The Apache License, Version 2.0
> > com.fasterxml.woodstox:woodstox-core:6.2.6
> >
> > The Apache Software License, Version 2.0
> > xml-apis:xml-apis:1.4.01
> > xerces:xercesImpl:2.12.1
> > com.fasterxml.jackson.core:jackson-core:2.12.3
> > io.reactivex.rxjava2:rxjava:2.1.1
> >
> > The BSD License
> > org.codehaus.woodstox:stax2-api:4.2.1
> >
> > Unicode/ICU License
> > com.ibm.icu:icu4j:69.1
> > ---
> >
> > Notes:
> >
> > From the "No license specified", I looked at either the actual pom.xml files or
> > the source repository, and determined the actual licenses are:
> >
> > - APL 2.0
> >   - commons-io:commons-io:2.8.0
> >   - com.google.code.gson:gson:2.7
> >   - org.apache.commons:commons-lang3:3.6
> >   - xml-resolver:xml-resolver:1.2
> > - Eclipse Public License - v 1.0
> >   - com.microsoft.java:com.microsoft.java.debug.core:0.31.1
> >   - ch.qos.logback:logback-classic:1.2.3
> >   - ch.qos.logback:logback-core:1.2.3
> > - MIT
> >   - org.slf4j:slf4j-api:1.7.30
> >
> > On Fri, Sep 17, 2021 at 4:45 PM Adam Rosien <a...@rosien.net
> > <mailto:a...@rosien.net>> wrote:
> >
> > I said I'd do it, but completely forgot! I'll get this out this weekend.
> >
> > .. Adam
> >
> > On Fri, Sep 17, 2021 at 3:24 PM Beckerle, Mike
> > <mbecke...@owlcyberdefense.com <mailto:mbecke...@owlcyberdefense.com>> wrote:
> >
> > I recall someone verifying the licenses on dependencies. I can't find
> > that message now.
> >
> > However, this must be a transitive verification, so there's quite a few.
> >
> > The build.sbt has only:
> >
> > "ch.qos.logback" % "logback-classic" % "1.2.3",
> > "com.microsoft.java" % "com.microsoft.java.debug.core" % "0.31.1",
> > "co.fs2" %% "fs2-io" % "3.0.4",
> > "com.monovore" %% "decline-effect" % "2.1.0",
> > "org.typelevel" %% "log4cats-slf4j" % "2.1.0",
> >
> > for the typescript code, I see a bunch in package.json.
> >
> > Action Required: Can someone please verify the licenses of all the
> > dependencies transitively and send me the list?
> >
> > This is specifically what the IP Clearance checklist asks:
> >
> >     Check and make sure that all items depended upon by the
> >     project is covered by one or more of the following approved
> >     licenses: Apache, BSD, Artistic, MIT/X, MIT/W3C, MPL 1.1, or
> >     something with essentially the same terms.
> >
> > I'd like the list of what we checked to include it in the IP Clearance
> > checklist document.
> >
> > Note: there used to be a sbt plugin that pulled all the license files
> > recursively for sbt dependency chains. I recall we used, or attempted to
> > use, it for daffodil at one time.
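
The check this thread performs by hand, as an added example (not code from the thread or from the Daffodil project): it reads a `dependencyLicenseInfo`-style report and flags every coordinate whose heading is missing or is not recognisably one of the families named in the quoted IP Clearance checklist. The blank-line-separated report layout, the prefix regexes and the sample excerpt are assumptions of this example.

```python
import re

# Approved families as named in the quoted IP Clearance checklist. The prefix
# regexes mapping report headings onto them are assumptions of this example.
APPROVED = {
    "Apache": r"^(the\s+)?apache\b",
    "BSD": r"^(the\s+)?bsd\b",
    "Artistic": r"^(the\s+)?artistic\b",
    "MIT": r"^(the\s+)?mit\b",
    "MPL 1.1": r"^(mpl|mozilla public license)\D*1\.1\b",
}

# Constructed excerpt in the report's shape: a license heading, then coordinates.
SAMPLE = """\
No license specified
commons-io:commons-io:2.8.0
ch.qos.logback:logback-classic:1.2.3

The Apache Software License, Version 2.0
xerces:xercesImpl:2.12.1

CC0
org.reactivestreams:reactive-streams:1.0.0

Similar to Apache License but with the acknowledgment clause removed
org.jdom:jdom2:2.0.6
"""

def classify(heading):
    """Return an approved family, UNSPECIFIED, or REVIEW for a report heading."""
    if heading.strip().lower() == "no license specified":
        return "UNSPECIFIED"
    for family, pattern in APPROVED.items():
        if re.search(pattern, heading.strip(), re.I):
            return family
    return "REVIEW"  # not recognisably on the list: someone has to read the terms

def audit(report):
    """Map each dependency coordinate to (heading, verdict)."""
    verdicts = {}
    for block in re.split(r"\n\s*\n", report.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:  # first line of a block is the heading, the rest are coordinates
            for coord in lines[1:]:
                verdicts[coord] = (lines[0], classify(lines[0]))
    return verdicts

def needs_follow_up(report):
    """Coordinates whose license is missing or not recognised as approved."""
    return sorted(c for c, (_, v) in audit(report).items() if v != classify("Apache") and v in ("UNSPECIFIED", "REVIEW"))
```

A `REVIEW` verdict means only that the heading did not match a listed family, so the license text still has to be read by a person, as was done for the "No license specified" group above.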