This page mentions LICENSE and NOTICE files for binary distributions:
https://infra.apache.org/licensing-howto.html#binary
If they are distributed in the convenience binary, no matter how many
levels of transitive dependencies, the LICENSE/NOTICE information needs
to be included.
That said, considering these are all Apache licenses with standard notices,
I'm okay keeping my vote a +1, as long as we ensure they are added in
the next release.
On 3/21/22 12:47 PM, Interrante, John A (GE Research, US) wrote:
I downloaded the helper binaries for each new dependency (except xmlresolver
on which I'd already done due diligence as a direct dependency of Saxon-HE -
the rest of those dependencies are dependencies of xmlresolver itself so I'd
missed them) and checked LICENSE/NOTICE files. What is the rule we follow for
incorporating such doubly indirect transitive dependencies' NOTICE files into
our NOTICE file? Is the rule "If you find a NOTICE file, you must include it
in its entirety into your NOTICE file"? If that is the rule, do people think
we need to cancel the vote and generate a second release candidate with these
NOTICE files added to our NOTICE file, or do it as a bug fix after releasing
3.3.0?
I also noticed that xmlresolver is not using the latest versions of each and
every dependency (oh well).
Here's commons-codec-1.11/NOTICE.txt (the most recent version is 1.15):
---
Apache Commons Codec
Copyright 2002-2017 The Apache Software Foundation
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
contains test data from http://aspell.net/test/orig/batch0.tab.
Copyright (C) 2002 Kevin Atkinson ([email protected])
===============================================================================
The content of package org.apache.commons.codec.language.bm has been translated
from the original php source code available at
http://stevemorse.org/phoneticinfo.htm
with permission from the original authors.
Original source copyright:
Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
---
Here's commons-logging-1.2/NOTICE.txt:
---
Apache Commons Logging
Copyright 2003-2014 The Apache Software Foundation
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
---
Here is httpcomponents-client-4.5.13/NOTICE.txt (the most recent version is 5.1.3):
---
Apache HttpComponents Client
Copyright 1999-2020 The Apache Software Foundation
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
---
Here is httpcomponents-core-4.4.15/NOTICE.txt (the most recent version is 5.1.3):
---
Apache HttpComponents Core
Copyright 2005-2020 The Apache Software Foundation
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
---
All LICENSES are Apache 2.0.
John
-----Original Message-----
From: Steve Lawrence <[email protected]>
Sent: Monday, March 21, 2022 9:06 AM
To: [email protected]
Subject: EXT: Re: [VOTE] Release Apache Daffodil 3.3.0-rc1
Hmm, I missed those new dependencies. Do we need to update our
LICENSE/NOTICE files in daffodil-cli?
Looks like we already have xmlresolver mentioned, but we have nothing for
the other dependencies?
On 3/21/22 12:00 PM, Interrante, John A (GE Research, US) wrote:
+1
FYI, apache-daffodil-3.3.0-bin/lib has 6 new jars in it. Those new
jars are new transitive dependencies added by the bump of Saxon-HE
from 10.6 to 11.2. Their names are:
commons-codec.commons-codec-1.11.jar
commons-logging.commons-logging-1.2.jar
org.apache.httpcomponents.httpclient-4.5.13.jar
org.apache.httpcomponents.httpcore-4.4.13.jar
org.xmlresolver.xmlresolver-4.2.0-data.jar
org.xmlresolver.xmlresolver-4.2.0.jar
Otherwise, the helper binaries look normal.
I checked the following:
[OK] verified signature of git tag
[OK] verified signatures of source and helper binaries
[OK] verified signatures use key in KEYS with apache email address
[OK] verified source has no unexpected binary files
[OK] verified source and git tag are same minus KEYS file
[OK] verified source and helper binaries include LICENSE/NOTICE/README
[OK] verified LICENSE/NOTICE/README look correct
[OK] verified online JavaDoc and ScalaDoc docs look correct
[OK] compiled source and ran all tests & ratCheck
[OK] verified jars built from source have same content as helper binary jars
John
-----Original Message-----
From: Interrante, John A (GE Research, US) <[email protected]>
Sent: Friday, March 18, 2022 9:07 AM
To: [email protected]
Subject: EXT: [VOTE] Release Apache Daffodil 3.3.0-rc1
Hi PMC members,
I'd like to call a vote to release Apache Daffodil 3.3.0-rc1.
All distribution packages, including signatures, digests, etc. can be found at:
https://dist.apache.org/repos/dist/dev/daffodil/3.3.0-rc1/
Staging artifacts can be found at:
https://repository.apache.org/content/repositories/orgapachedaffodil-1029/
This release has been signed with PGP key 04A735FC1A36AE84, corresponding to [email protected], which is included in the KEYS file here:
https://downloads.apache.org/daffodil/KEYS
The release candidate has been tagged in git with v3.3.0-rc1.
For reference, here is a list of all closed JIRAs tagged with 3.3.0:
https://s.apache.org/daffodil-issues-3.3.0
For a summary of the changes in this release, see:
https://daffodil.apache.org/releases/3.3.0/
Please review and vote. The vote will be open for at least 72 hours (Monday, March 21 2022, 12 Noon EST).
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)
Thanks,
John
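
The check discussed in the replies at the top of this thread (which jars in the binary distribution's lib/ directory are new since the previous release, and which of those the bundled NOTICE never mentions), as an added example that is not part of the original e-mails or of the Daffodil project's tooling. The six new jar names and the Saxon-HE 10.6 to 11.2 bump come from the thread; the Saxon jar file names, the previous-release listing and the NOTICE excerpt are constructed sample data, and matching a jar to NOTICE by its artifact id is an assumed heuristic.

```python
import re

# "<group>.<artifact>-<version>[-classifier].jar", the naming seen in lib/
JAR_RE = re.compile(
    r"^(?P<name>.+?)-(?P<version>\d[\w.]*?)(?:-(?P<cls>[A-Za-z]\w*))?\.jar$")

def artifact_of(jar):
    """Return (artifact, version) for a lib/ jar file name."""
    m = JAR_RE.match(jar)
    if not m:
        raise ValueError(f"unrecognised jar name: {jar}")
    # Assumed heuristic: the artifact id is the last dot-separated part.
    return m["name"].rsplit(".", 1)[-1], m["version"]

def new_artifacts(old_lib, new_lib):
    """Map each artifact present only in new_lib to its jar files.
    A version bump of an already-shipped artifact is not reported."""
    known = {artifact_of(j)[0] for j in old_lib}
    found = {}
    for jar in new_lib:
        name = artifact_of(jar)[0]
        if name not in known:
            found.setdefault(name, []).append(jar)
    return found

def _squash(text):
    # Compare on lowercase letters and digits only ("Commons Codec" ~ "commons-codec").
    return re.sub(r"[^a-z0-9]", "", text.lower())

def missing_from_notice(artifacts, notice_text):
    """Artifacts whose id never appears in NOTICE. A hit means 'review by
    hand', not proof of omission: NOTICE may use a different product name."""
    haystack = _squash(notice_text)
    return sorted(a for a in artifacts if _squash(a) not in haystack)

# Constructed sample data (only the six new jar names are from the thread).
OLD_LIB = ["net.sf.saxon.Saxon-HE-10.6.jar"]
NEW_LIB = ["net.sf.saxon.Saxon-HE-11.2.jar",
           "commons-codec.commons-codec-1.11.jar",
           "commons-logging.commons-logging-1.2.jar",
           "org.apache.httpcomponents.httpclient-4.5.13.jar",
           "org.apache.httpcomponents.httpcore-4.4.13.jar",
           "org.xmlresolver.xmlresolver-4.2.0-data.jar",
           "org.xmlresolver.xmlresolver-4.2.0.jar"]
NOTICE_EXCERPT = "Apache Daffodil\nThis product bundles XML Resolver (org.xmlresolver:xmlresolver).\n"

if __name__ == "__main__":
    added = new_artifacts(OLD_LIB, NEW_LIB)
    for name in missing_from_notice(added, NOTICE_EXCERPT):
        print(f"no NOTICE entry found for {name}: {', '.join(added[name])}")
```

Run against real lib/ listings from two releases, the same comparison surfaces transitive jars pulled in by a dependency bump before the vote rather than during it.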