Legal files and maven automation

Mon, 10 Mar 2008 11:44:47 -0700

IIUC we've previously agreed that the only LICENSE and NOTICE files that actually need to be in svn are at the root of expected checkouts such as trunk, branches/xxx, and tags/xxx; all other LICENSE and NOTICE files in distributable artifacts can be generated by some process. Projects that use maven often want to use the maven-remote- resources-plugin to generate these files since typically many of them are identical.
Furthermore as Roy pointed out recently the NOTICE file should be really really minimal and only include information relevant to what is actually in the distribution unit such as a jar. There's been a lot of complaint about the resource bundles typically used with the maven-remote-resources-plugin since the NOTICE files include essentially a list of the transitive dependencies of the maven project. I think many people find this dependency information useful but it clearly does not belong in the NOTICE file. 


At Geronimo I've developed a resource bundle that attempts to address  
these issues.  I'd like to find out if there are any objections to it  
and if not propose it as the standard resource bundle for use at  
apache by the maven-remote-resources-plugin.  Right now its in the  
voting stage of release and can be checked out at



https://svn.apache.org/repos/asf/geronimo/genesis/tags/genesis-1.4/ 
legal-bundle

and viewed at

http://people.apache.org/~djencks/staging-repo/org/apache/geronimo/ 
genesis/legal-bundle/1.4/legal-bundle-1.4.jar



Here's what it does:

By default, the LICENSE file is the standard apache license.  The  
NOTICE file is generated from a velocity template; here's an example  
of the output (between ----- lines which are not included)

------------------------------------------------------
Geronimo :: Directory Plugin
Copyright 2003-2008 Apache Software Foundation
This product includes software developed at
Apache Software Foundation (http://www.apache.org/).
------------------------------------------------------


In the 99% of the time when this is the correct LICENSE and NOTICE,  
that's all you do.  In the remaining 1% of the time where additional  
information is needed appended to these standard files, you put the  
additions in

src/main/appended-resources/LICENSE
and
src/main/appended-resources/NOTICE


In the remaining 0.1% of the time where the standard files are not  
correct you can arrange by other means to insert custom LICENSE and  
NOTICE files.



In addition, there is a generated DEPENDENCIES file that lists the  
transitive dependencies of the project, determined from the poms,  
organized by organization, with the known license info.  Here's an  
example of such a DEPENDENCIES file:


// ------------------------------------------------------------------
// Transitive dependencies of this project determined from the
// maven pom organized by organization.
// ------------------------------------------------------------------

Genesis Plugins :: Tools
From: 'an unknown organization'
  - Unnamed - ant:ant:jar:1.6.5  ant:ant:jar:1.6.5

  - Unnamed - junit:junit:jar:3.8.1  junit:junit:jar:3.8.1


From: 'Apache Software Foundation' (http://www.apache.org/)

  - Maven Artifact (http://maven.apache.org/maven-artifact)  
org.apache.maven:maven-artifact:jar:2.0.4
    License: The Apache Software License, Version 2.0  (http:// 
www.apache.org/licenses/LICENSE-2.0.txt)
  - Maven Artifact Manager (http://maven.apache.org/maven-artifact- 
manager) org.apache.maven:maven-artifact-manager:jar:2.0.4
    License: The Apache Software License, Version 2.0  (http:// 
www.apache.org/licenses/LICENSE-2.0.txt)
  - Maven Model (http://maven.apache.org/maven-model)  
org.apache.maven:maven-model:jar:2.0.4
    License: The Apache Software License, Version 2.0  (http:// 
www.apache.org/licenses/LICENSE-2.0.txt)
  - Maven Plugin API (http://maven.apache.org/maven-plugin-api)  
org.apache.maven:maven-plugin-api:jar:2.0.4
    License: The Apache Software License, Version 2.0  (http:// 
www.apache.org/licenses/LICENSE-2.0.txt)
  - Maven Profile Model (http://maven.apache.org/maven-profile)  
org.apache.maven:maven-profile:jar:2.0.4
    License: The Apache Software License, Version 2.0  (http:// 
www.apache.org/licenses/LICENSE-2.0.txt)
  - Maven Project Builder (http://maven.apache.org/maven-project)  
org.apache.maven:maven-project:jar:2.0.4
    License: The Apache Software License, Version 2.0  (http:// 
www.apache.org/licenses/LICENSE-2.0.txt)
  - Maven Repository Metadata Model (http://maven.apache.org/maven- 
repository-metadata) org.apache.maven:maven-repository-metadata:jar: 
2.0.4
    License: The Apache Software License, Version 2.0  (http:// 
www.apache.org/licenses/LICENSE-2.0.txt)
  - Maven Local Settings Model (http://maven.apache.org/maven- 
settings) org.apache.maven:maven-settings:jar:2.0.4
    License: The Apache Software License, Version 2.0  (http:// 
www.apache.org/licenses/LICENSE-2.0.txt)
  - Maven Wagon API  org.apache.maven.wagon:wagon-provider-api:jar: 
1.0-alpha-6
    License: The Apache Software License, Version 2.0  (http:// 
www.apache.org/licenses/LICENSE-2.0.txt)


From: 'Codehaus' (http://codehaus.org)

  - Plugin Support (http://mojo.codehaus.org/plugin-support)  
org.codehaus.mojo:plugin-support:jar:1.0-alpha-1



From: 'Codehaus' (http://www.codehaus.org/)

  - Default Plexus Container  org.codehaus.plexus:plexus-container- 
default:jar:1.0-alpha-9


  - Plexus Common Utilities  org.codehaus.plexus:plexus-utils:jar:1.2


From: 'The Apache Software Foundation' (http://jakarta.apache.org)

  - Commons JEXL (http://jakarta.apache.org/commons/jexl/) commons- 
jexl:commons-jexl:jar:1.1

    License: The Apache Software License, Version 2.0  (/LICENSE.txt)

  - Lang (http://jakarta.apache.org/commons/lang/) commons- 
lang:commons-lang:jar:2.3

    License: The Apache Software License, Version 2.0  (/LICENSE.txt)

  - Logging (http://jakarta.apache.org/commons/logging/) commons- 
logging:commons-logging:jar:1.0.4

    License: The Apache Software License, Version 2.0  (/LICENSE.txt)

From: 'The Codehaus' (http://codehaus.org/)

  - classworlds (http://classworlds.codehaus.org/)  
classworlds:classworlds:jar:1.1-alpha-2



------------------------------------------------------------------


As with any resource bundle for the m-r-r-p, you can supply missing  
information such as organization and license in a src/main/remote- 
resources/supplemental-models.xml file.


------------------------------------------------------------------
Note on javaee5 artifacts:

Some javaee5 artifacts such as wars and ears when built by maven  
usually physically include all or some of the dependencies of the  
maven project.  While it might be nice to have the m-r-r-p roll up  
the LICENSE and NOTICE files from the contents and come up with  
something, that is out of scope of this proposal.  I expect anyone  
building such an assembly will examine the contents and construct by  
hand suitable files to append to the standard LICENSE and NOTICE files.


------------------------------------------------------------------
Objections? Comments?

many thanks
david jencks
























					Reply via email to