Matt Hogstrom wrote:
I am referring to the modules. What I meant was if we have 25 modules
and every one has its own license and notices file I'm pretty confident
they'll get out of sync. It would be nice to have a central place to
pull the content from which should be modules/scripts/resources/*
What I meant by the notices being an issue is that a single notices
file identifies what additional licenses are in a module. So, it may
or may not make sense for the Kernel module to have a Bouncycastle
NOTICE.
It looks like the majority of licenses use terminology similar to
"Redistribution and use in source and binary forms..". In terms of
redistribution, we don't redistribute third-party libraries (we only
redistribute them in assemblies) as part of module jars, but they may
use a third-party library directly or indirectly via transitive
dependencies.
I'm not sure if the "use" terminology in the licenses applies to
indirect use, but it might be safer to err on the side of caution and
include all licenses that may be in use both directly in the module and
indirectly.
If it's OK to have a complete NOTICES file that includes licenses that
are not in a module then that would be fine. It would be nice to say,
"Geronimo-Kernel may include one or more of the following elements."
If we have to be precise on a module by module basis then I think that
will be a problem.
This sounds like an opportunity for maven to solve in the future (e.g.
collating license information) but I don't think it has been thought out
enough yet. http://jira.codehaus.org/browse/MJAR-10?rc=1
Agree it would be a problem if for each module we had to work out what
licenses were used via transitive dependencies. If it is only the
licenses for direct dependencies that we need to include then that could
be manageable. We would need a process in place so that if anyone
modifies the dependencies of a module they need to review the licensing
implications (e.g. does the new version of the dependency have a new
license) and make the appropriate changes to the module's LICENSE.txt
and NOTICE.txt files.
John
Kevan Miller wrote:
On Jul 17, 2006, at 1:06 PM, Matt Hogstrom wrote:
Well, I think adding the files to every module is potentially a
problem. I think the release should have a central place all
modules derive their LICENSE file from. The NOTICES file is a
different animal.
Matt,
What "modules" are you referring to? All of our generated jar files
(e.g. geronimo-kernel-1.1.jar) should contain LICENSE and NOTICE
files. Hrrm, I just looked at two 1.1 jars and they only contain
LICENSE files.
We also need a LICENSE and NOTICE file at the base of our
distributions. These should contain all necessary license and notice
information for all of the Geronimo code built and included in our
distribution. The license and notice files also need to contain
license and notice information for all jar files, or other artifacts,
that we include in our distribution (e.g. asm jar, castor jar, etc...).
Or, are you instead referring to "modules" as in CARs? If so, then
they are a different animal. However, I don't think we're released
from any licensing requirements.
Given the guidelines in
http://www.apache.org/dev/release.html#what-must-every-release-contain
(see the "Can I distribute a raw artifact?" section at the bottom), I
think that any downloadable artifact (distribution, car, jar, war,
ear, etc) that we "release" to ibiblio should have appropriate
license and notice files (alternatively, we stop releasing the
artifact).
--kevan
Jason Dillon wrote:
If we want to keep these guys in the jars, then we should move them
to their standard src/main/resources/META-INF/* locations so that
they get picked up automatically.
--jason
On Jul 16, 2006, at 5:27 PM, John Sisson wrote:
Jason Dillon wrote:
Um... when were these ever included in the module's jars before?
--jason
On Jul 16, 2006, at 5:04 PM, John Sisson wrote:
Jason Dillon wrote:
Does each module really need LICENSE.txt and NOTICE.txt?
Or can we just have this at the top-level of the project?
I'd rather have less duplicate files to maintain...
Any comments?
--jason
I think they are needed as each downloadable jar (which each
module has) should contain the license and notice files. Same
with source archives, which AFAIK maven can produce for each
individual module for use by IDE debuggers etc.
John
I just checked and if you look at geronimo-activation-1.1.jar it
should contain META-INF\LICENSE.TXT. It is a problem that the
NOTICE.txt file isn't also included.
We should add a JIRA for the 1.1.1 release for that.
John