Generally speaking: [source] There are many source elements that go into our source release. All of those must be appropriately licensed and based on our compatible with the ASLv2 License which generally is consider as those items listed as [1].
[build process] There are package managers involved in the build process including things like Maven, NPM, Bower, and perhaps others. There are also other things used to conduct the build. Those things need to be appropriately licensed for us to use. I'm not aware of anything we're using that is problematic. [binary artifacts] There are numerous binary artifacts produced as a result of our build process. All of those artifacts need to be appropriately licensed and compatible with ASLv2 which includes those category-a items listed above and also binary artifacts which satisfy the category-b handling mentioned here [2]. So the net of this is that our source LICENSE/NOTICE [1,2] must account for all things in our source release. Our binary artifact LICENSE/NOTICE [3,4] must account for things in our binary convenience bundles/artifacts. Much more of this is described and articulated on various ASF pages. For the NiFi project itself though we have this document to help root that guidance in our processes that we have thus far [5]. [1] http://www.apache.org/legal/resolved.html#category-a [2] http://www.apache.org/legal/resolved.html#category-a [3] https://github.com/apache/nifi/blob/master/LICENSE [4] https://github.com/apache/nifi/blob/master/NOTICE [5] https://github.com/apache/nifi/blob/master/nifi-assembly/LICENSE [6] https://github.com/apache/nifi/blob/master/nifi-assembly/NOTICE [7] https://nifi.apache.org/licensing-guide.html Thanks Joe On Sat, Jul 16, 2016 at 12:58 PM, Joe Skora <[email protected]> wrote: > I'm somewhat ignorant regarding of the front-end wiring, when a NiFi > instance runs does it use NodeJS, NPM, Bower, etc. or are those only used > during the build? > > If they are only used during the build, how does that affect the Apache > licensing, do they need to have Apache compatible licenses like a Java > library does? > > On Fri, Jul 15, 2016 at 7:52 PM, Joe Witt <[email protected]> wrote: > >> Wow i reread the first paragraph I wrote and well...yowza hopefully >> you can tell what I meant to say. >> >> Also wanted to add that when I started seeing those things show up in >> the build i too did a double take and started looking into the >> licensing. So it is very right to bring these up. Taking this line >> of thought further i've also been concerned about things like >> stylesheets or fonts that are referenced against websites that get >> looked up by the client browser at runtime. Definitely tradeoffs to >> consider. >> >> Anyway, I'll take another look too but if you find specific artifacts >> that are problematic in the resulting build please do share. >> >> Thanks >> Joe >> >> On Fri, Jul 15, 2016 at 5:39 PM, Joe Witt <[email protected]> wrote: >> > Joe, >> > >> > Now is certainly the time to address any concerns like this so no >> > worries if false. >> > >> > For item #1) >> > The source release cannot have any binaries. A convenience binary >> > build generally is comprised on producing binary artifacts and linking >> > them with dependent artifacts much like happens as maven pulls in >> > dependencies. Officially apache projects only do source releases. >> > The binary convenience artifacts some projects, like ours, provide is >> > truly just a convenience. We must take care to ensure that the >> > resulting items are properly licensed and such but the official >> > 'release' is the source code only. >> > >> > For item #2) >> > The tools used to conduct the build are not necessary to call out nor >> > are dependencies like test dependencies, for example. The resulting >> > artifacts in our binary build do need to be accounted for though and >> > yes they do need to be ASLv2 compatible. The LICENSE/NOTICE within >> > nifi-assembly is where the appropriate LICENSE/NOTICE lives for such >> > things. Are there any specific artifacts being pulled in that you're >> > finding problematic? We should definitely get those identified and >> > addressed. >> > >> > Thanks >> > Joe >> > >> > On Fri, Jul 15, 2016 at 5:25 PM, Joe Skora <[email protected]> wrote: >> >> Dear devs, >> >> >> >> I've looking into the 1.0.0 build processes and I noticed a couple >> things >> >> that I don't understand. >> >> >> >> 1. During the build, nifi-web-ui (and another modules) use NodeJS. This >> >> entails the "frontend-maven-plugin" actually downloading and executing >> >> binary code. That's not something I'd normally expect in a Maven build, >> >> especially when the downloads do not come from repositories referenced >> in >> >> the NiFi build configuration. >> >> >> >> Is installing a foreign binary and executing it during a build a >> >> problem under Apache? >> >> >> >> 2. The build uses NodeJS, NPM, and Bower (maybe more) but I cannot find >> any >> >> references to those tools in the license files. Node appears to have >> it's >> >> own license, with a good bit of stuff rolled in as well. If the >> relevant >> >> licenses are not Apache compatible this could be a problem. >> >> >> >> Are there any license whisperers who can look at how these need to >> be >> >> reconciled? >> >> >> >> Sorry if I'm sounding false alarms, but this caught me off guard. I >> >> apologize if missed a prior discussion of this on the dev list. >> >> >> >> Regards, >> >> Joe >>
