Comments on line
Thanks.
I'm not sure when those notices should/must be added.
Let's try to figure out...
It's clear, when distributing a binary distribution (e.g.
ldap-api.zip) where third-party dependencies are included that the
licenses and notices of those third-party dependencies have to be
added.
+1
But is the attribution also required in the JARs (both, binary or
source, there in META-INF/LICENSE and META-INF/NOTICE) that are
distributed via maven?
Depends...
I see the following different cases:
1) In shared-ldap-model we use Antlr to generate Java files. So I
think in the distributed shared-ldap-model-X.Y.Z.jar the Antlr
attribution is required.
+1
2) The common case that a 3rd-party libary is used/linked in main code
(e.g. dom4j or slf4j). Our distributed JAR only contains our
.java/.class files. The third-party jar is not redistributed. The
dom4j and slf4j licenses say that attribution is required in case the
software is 'used'. Does 'use' already include the case that their
classes are linked? But in that case we
As soon as we distribute something which makes necessary to include a
thrid party jar, I think we should also include the 3rd party licenses.
Remember that we release *sources*, not binaries. Binaries are just
generated for convenience. But in any case, we release in order for
users to be able to get our packages, and use them in their own
products. Somehow, we have to make them safe when doing so, that means
include the mandatory licenses and notice to spare the the burden to do so.
At least, this is how I understand the way we should do things at the ASF...
3) Similar like 2, but the 3rd-party is only used as test dependency
(like junit). Here the code is not distributed at all.
Still, we distribute sources, which means tests, and users should be
able to build the project by downloading our sources. That include
tests. Of course, we don't distribute the associated jars (I was
thinking about findbugs), so in this case, we are not forced to inject
the associated license. Tests are supposed to be run using Maven,
pointing to external dependencies we *don't* provide. However, I still
think it's safe to add a reference to the used libs in the NOTICE.
4) 3rd-party source code is included (e.g. in apacheds/jdbm or in
junit-addons). Here it is clear that attribution is required.
+1
Note that this is my perception of the way we should handle those
license/notice thingy. I may be wrong...
Hope it helps...
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
