That's a lot of dependencies! But I guess that's how the NPM world is right now.

Everything from that list looks okay. Pretty much everything is MIT/ISC or some variant. There's a couple of oddballs like Python-2.0, Creative Commons which require a little extra work, and Zero Clause BSD which isn't explicitly mentioned as ALv2 compatible, but I'd guess shouldn't be a problem.

I think we're going to have to come up with some good way to manage the LICENSE file in the convenience binary with all these dependencies, but we can figure that out later.

Also, daffodil-debugger is listed as "UNLICENSED" so we'll need to fix that (maybe that's just because it's not published to npmjs.com yet?), but that can also wait until after the IP clearance. We know it's ALv2.

All looks good to me.

Thanks!


On 9/20/21 7:47 AM, John Wass wrote:
JS dependencies here, should be all transitives too

https://github.com/jw3/example-daffodil-vscode/wiki/js-dependencies

On Mon, Sep 20, 2021 at 7:42 AM Steve Lawrence <slawre...@apache.org> wrote:

These all look compatible with the Apache license and shouldn't be a
problem. The EPL 1.0 dependencies will require some extra labeling in
the distributed binary, but that's not a big deal.

package.json also lists some dependencies, I think these are all
javascript/npm dependencies? We probably need to verify the full
transitive graph of these dependencies as well.

On 9/19/21 4:11 PM, Adam Rosien wrote:
From sbt, run core/dependencyLicenseInfo (see https://github.com/sbt/sbt-dependency-graph for instructions):

---
No license specified
Concurrent Technologies Corporation, Nteligen LLC:daffodil-debugger_2.12:0.0.15-18-g091ad23-SNAPSHOT
commons-io:commons-io:2.8.0
com.google.code.gson:gson:2.7
com.microsoft.java:com.microsoft.java.debug.core:0.31.1
ch.qos.logback:logback-classic:1.2.3
org.apache.commons:commons-lang3:3.6
xml-resolver:xml-resolver:1.2
ch.qos.logback:logback-core:1.2.3
org.slf4j:slf4j-api:1.7.30

Apache 2.0
org.typelevel:simulacrum-scalafix-annotations_2.12:0.5.4

Apache License, Version 2.0
org.apache.daffodil:daffodil-core_2.12:3.1.0
org.apache.daffodil:daffodil-sapi_2.12:3.1.0
org.apache.daffodil:daffodil-runtime1-unparser_2.12:3.1.0
org.apache.daffodil:daffodil-runtime1_2.12:3.1.0
org.apache.daffodil:daffodil-io_2.12:3.1.0
org.apache.daffodil:daffodil-udf_2.12:3.1.0
org.apache.daffodil:daffodil-lib_2.12:3.1.0

Apache-2.0
com.typesafe:config:1.4.1
org.scala-lang.modules:scala-xml_2.12:1.3.0
org.typelevel:log4cats-slf4j_2.12:2.1.0
org.typelevel:log4cats-core_2.12:2.1.0
org.scala-lang.modules:scala-parser-combinators_2.12:1.1.2
org.typelevel:cats-effect_2.12:3.1.1
org.typelevel:cats-effect-kernel_2.12:3.1.1
com.monovore:decline_2.12:2.1.0
org.typelevel:cats-effect-std_2.12:3.1.1
com.monovore:decline-effect_2.12:2.1.0
com.comcast:ip4s-core_2.12:3.0.3
org.typelevel:literally_2.12:1.0.2

BSD-3-Clause
org.scodec:scodec-bits_2.12:1.1.27

CC0
org.reactivestreams:reactive-streams:1.0.0

MIT
org.typelevel:cats-core_2.12:2.6.1
co.fs2:fs2-io_2.12:3.0.4
com.lihaoyi:os-lib_2.12:0.7.6
com.lihaoyi:geny_2.12:0.6.9
org.typelevel:cats-kernel_2.12:2.6.1
co.fs2:fs2-core_2.12:3.0.4

Similar to Apache License but with the acknowledgment clause removed
org.jdom:jdom2:2.0.6

The Apache License, Version 2.0
com.fasterxml.woodstox:woodstox-core:6.2.6

The Apache Software License, Version 2.0
xml-apis:xml-apis:1.4.01
xerces:xercesImpl:2.12.1
com.fasterxml.jackson.core:jackson-core:2.12.3
io.reactivex.rxjava2:rxjava:2.1.1

The BSD License
org.codehaus.woodstox:stax2-api:4.2.1

Unicode/ICU License
com.ibm.icu:icu4j:69.1
---

Notes:

From the "No license specified", I looked at either the actual pom.xml files or the source repository, and determined the actual licenses are:

- APL 2.0
  - commons-io:commons-io:2.8.0
  - com.google.code.gson:gson:2.7
  - org.apache.commons:commons-lang3:3.6
  - xml-resolver:xml-resolver:1.2
- Eclipse Public License - v 1.0
  - com.microsoft.java:com.microsoft.java.debug.core:0.31.1
  - ch.qos.logback:logback-classic:1.2.3
  - ch.qos.logback:logback-core:1.2.3
- MIT
  - org.slf4j:slf4j-api:1.7.30

On Fri, Sep 17, 2021 at 4:45 PM Adam Rosien <a...@rosien.net> wrote:

      I said I'd do it, but completely forgot! I'll get this out this weekend.

      .. Adam

      On Fri, Sep 17, 2021 at 3:24 PM Beckerle, Mike <mbecke...@owlcyberdefense.com> wrote:

          I recall someone verifying the licenses on dependencies. I can't find that message now.

          However, this must be a transitive verification, so there's quite a few.

          The build.sbt has only:

                 "ch.qos.logback" % "logback-classic" % "1.2.3",
                 "com.microsoft.java" % "com.microsoft.java.debug.core" % "0.31.1",
                 "co.fs2" %% "fs2-io" % "3.0.4",
                 "com.monovore" %% "decline-effect" % "2.1.0",
                 "org.typelevel" %% "log4cats-slf4j" % "2.1.0",

          for the typescript code, I see a bunch in package.json.

          Action Required: Can someone please verify the licenses of all the dependencies transitively and send me the list?

          This is specifically what the IP Clearance checklist asks:

                 Check and make sure that all items depended upon by the project is covered by one or more of the following approved licenses: Apache, BSD, Artistic, MIT/X, MIT/W3C, MPL 1.1, or something with essentially the same terms.

          I'd like the list of what we checked to include it in the IP Clearance checklist document.

          Note: there used to be an sbt plugin that pulled all the license files recursively for sbt dependency chains. I recall we used, or attempted to use, it for daffodil at one time.
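One way to automate the check this thread does by hand, as an added example that is not code from the thread or from the Daffodil project: the script below parses the blank-line-separated layout of sbt-dependency-graph's dependencyLicenseInfo output (a licence header line followed by coordinates), normalises the several spellings of the Apache licence into one id, resolves "No license specified" entries from a hand-maintained table of pom.xml findings (the values Adam reported), and buckets each dependency as approved under the quoted IP Clearance list, labeling-required (EPL), needs-review, or unresolved. The pattern table, bucket names and the trimmed sample report are assumptions constructed for the example.

```python
"""Classify an sbt dependencyLicenseInfo report against an approved-licence list.

Added example, not code from the thread or the Daffodil project. The report
layout, checklist wording and pom.xml resolutions come from the thread; the
pattern table and bucket names are assumptions.
"""
import re

# Constructed excerpt in the layout dependencyLicenseInfo prints: a licence
# header line, the coordinates under it, then a blank line.
SAMPLE_REPORT = """\
No license specified
Concurrent Technologies Corporation, Nteligen LLC:daffodil-debugger_2.12:0.0.15-18-g091ad23-SNAPSHOT
commons-io:commons-io:2.8.0
ch.qos.logback:logback-classic:1.2.3
org.slf4j:slf4j-api:1.7.30

Apache License, Version 2.0
org.apache.daffodil:daffodil-core_2.12:3.1.0

BSD-3-Clause
org.scodec:scodec-bits_2.12:1.1.27

CC0
org.reactivestreams:reactive-streams:1.0.0

MIT
org.typelevel:cats-core_2.12:2.6.1

The Apache Software License, Version 2.0
xerces:xercesImpl:2.12.1

Unicode/ICU License
com.ibm.icu:icu4j:69.1
"""

# Same licence, many spellings: map header text to one canonical id (assumed table).
# First match wins, so the "not actually Apache" guard sits before the Apache rule.
LICENSE_PATTERNS = [
    (re.compile(r"no license specified", re.I), "UNSPECIFIED"),
    (re.compile(r"\bsimilar to\b", re.I), None),   # a variant: keep the raw header
    (re.compile(r"\bapache\b|\bapl\b", re.I), "Apache-2.0"),
    (re.compile(r"eclipse public license|\bepl\b", re.I), "EPL-1.0"),
    (re.compile(r"\bmit\b", re.I), "MIT"),
    (re.compile(r"\bbsd\b", re.I), "BSD"),
    (re.compile(r"\bcc0\b", re.I), "CC0-1.0"),
]

# The IP Clearance checklist quoted in the thread: Apache, BSD, Artistic,
# MIT/X, MIT/W3C, MPL 1.1 "or something with essentially the same terms".
APPROVED = {"Apache-2.0", "BSD", "MIT", "Artistic", "MPL-1.1"}
# Usable in the convenience binary, but must be called out in its LICENSE file.
LABELING_REQUIRED = {"EPL-1.0"}

# Resolutions for "No license specified" entries, keyed by group:artifact,
# obtained by reading each dependency's pom.xml (values as reported in the thread).
OVERRIDES = {
    "commons-io:commons-io": "Apache-2.0",
    "ch.qos.logback:logback-classic": "EPL-1.0",
    "org.slf4j:slf4j-api": "MIT",
}


def normalize_license(header):
    """Reduce a free-text licence header to a canonical id, or OTHER:<header>."""
    for pattern, canonical in LICENSE_PATTERNS:
        if pattern.search(header):
            return canonical if canonical else "OTHER:" + header
    return "OTHER:" + header


def parse_report(text):
    """Return (licence_header, coordinate) pairs from dependencyLicenseInfo output."""
    pairs, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "---":   # a blank line (or the --- rule) ends a group
            header = None
            continue
        if header is None:
            header = line               # first line of a group names the licence
        else:
            pairs.append((header, line))
    return pairs


def classify(text, overrides=OVERRIDES):
    """Bucket every dependency as approved, labeling, review or unresolved."""
    buckets = {"approved": [], "labeling": [], "review": [], "unresolved": []}
    for header, coord in parse_report(text):
        # The organisation may contain spaces and commas, so split from the right.
        group, artifact, _version = coord.rsplit(":", 2)
        lic = normalize_license(header)
        if lic == "UNSPECIFIED":
            lic = overrides.get(f"{group}:{artifact}", "UNSPECIFIED")
        if lic == "UNSPECIFIED":
            buckets["unresolved"].append((coord, lic))
        elif lic in APPROVED:
            buckets["approved"].append((coord, lic))
        elif lic in LABELING_REQUIRED:
            buckets["labeling"].append((coord, lic))
        else:
            buckets["review"].append((coord, lic))
    return buckets


if __name__ == "__main__":
    for bucket, entries in classify(SAMPLE_REPORT).items():
        print(f"== {bucket} ({len(entries)})")
        for coord, lic in entries:
            print(f"  {lic:12} {coord}")
```

Anything in the unresolved bucket (here the not-yet-published daffodil-debugger artifact) still needs a pom.xml or repository check and an entry in OVERRIDES; the review bucket (CC0, Unicode/ICU) is where the "extra work" items from the top of the thread land, and the labeling bucket is the list of EPL entries that must appear in the binary's LICENSE file.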
