Hi, Can’t we eliminate releasing binary bundles containing transitive deps and in doing so eliminate a huge amount of licensing/notice pain for us? But still supply what users need.
As I understand it / ASF policy, the newly generated distribution bundles lack the necessary license/notice info for transitive deps contained in the bundle. That’s what the binary-release/LICENSE and licenses/binary-release/* was all about (included in the gradle generated binary bundles). Justin indicated we needed to have full copies of license/notice text not just URLs to it (since the URL may have different text at a later date that doesn’t match that text applicable for the contained deps). I see the new distribution stuff also generates edgent-distribution-<ver>.jar. Its META-INF/DEPENDENCIES has a nice listing of all the transitive deps license info but it’s (a) just URLs to licenses, (b) lacks any notice info, and (c) isn’t included in the generated binary release bundle. Maybe I just don’t understand how this is supposed to work. Not releasing a binary bundle also eliminates validation/testing of it. My hope was that viable / better alternative is to provide an easy way for users themselves to get the Edgent jars and transitive external deps themselves from maven-central (or any maven repo). Presumably we'd just need to tell the user something like: “This command retrieves the Edgent jars and their transitive external dependencies. The external dependencies come with their own licensing terms that you should review. A summary of the transitive dependencies and their licenses can be found here <url to something like the info in the aforementioned META-INF/DEPENDENCIES and/or binary-release/LICENSING file>. Continue? <yes|no>” That’s what get-edgent-jars.sh (https://paste.apache.org/p/GI0n <https://paste.apache.org/p/GI0n>) was working towards. Is this making sense / compelling / a valid and (sufficiently) user friendly approach? To clarify for all, this tool (equivalently a binary bundle) is only needed by Edgent users that don’t use maven/maven-repo enabled app development tools or that don’t use those tools to generate a standalone “über jar” for their Edgent app to deploy to their edge device. — Dale