> On 15 Oct 2017, at 15:50, Emilian Bold <emilian.b...@gmail.com> wrote:
>
> It's part of the Apache IP clearance. We need to know our dependencies. A
> binary JAR won't do, specifically because we patch stuff too. We can't just
> go through classes and add small license headers when we import lots and
> lots of binaries as external dependencies. Knowing the exact (legal) status
> of our dependencies is even more important than going through the codebase
> imho.
>
So the important thing here is to _identify_ the exact provenance of each binary dependency & its license and legal status, but not to actually compile modules against binaries, am I right?

>> I'd prefer upgrading to modern versions than seeking old ones.
>
> This involves potential breaking changes, code refactoring and potential
> bugs. Why risk all that?
>
> Let's just make an inventory of everything (ie. IP clearance) and build
> with the JARs we have tested before!
>

If possible yes, of course. Trouble is when you can’t find a jar from 2009 :-)

Thanks for your clarification, Emi, this helps.

Warm regards,
Antonio