Here the method I used to find the licenses for dependencies, and below is
reprint of the results with better wrapping:
I used the license-maven-plugin[1]
It does not require changes to the pom.xml. I just ran this command in the
root.
mvn license:aggregate-add-third-party
It generated a file for each module in the 'target/' folder[2]. The root
target folder contains the aggregated list. I researched most of the ones
tagged as '(Unknown license)'.
We could possibly add something to the pom.xml to do an automatic file
generation in our build to update the files. It's described in the plugin
docs[1] .
[1] http://www.mojohaus.org/license-maven-plugin/usage.html
[2] ./target/generated-sources/license/THIRD-PARTY.txt
This issue is a release blocker:
RYA-177 Review License on Rya Dependencies
I was able to create a 3rd party dependency license report for Rya from the
license maven plugin.
- Good: I can send the full list if you like. Mostly ASL and clearly
permitted.
- Okay: A number of CDDL and CPL licenses -- permitted if no source code is
included.
- Needs Improvement: The following are not clearly permitted licenses:
(LGPL) (OGC copyright) Open GIS Interfaces
(org.geotools:gt-opengis:14.1 - no url defined)
(LGPL) API interfaces
(org.geotools:gt-api:14.3 - no url defined)
(LGPL) DataStore Support
(org.geotools:gt-data:14.1 - no url defined)
(LGPL) Feature Based Graphs and Networks
(org.geotools:gt-graph:14.3 - no url defined)
(LGPL) Feature transforming feature source wrapper
(org.geotools:gt-transform:14.1 - no url defined)
(LGPL) GML2 XML Support
(org.geotools.xsd:gt-xsd-gml2:14.3 - no url defined)
(LGPL) GML3 XML Support
(org.geotools.xsd:gt-xsd-gml3:14.3 - no url defined)
(LGPL) Grid Coverage module
(org.geotools:gt-coverage:14.3 - no url defined)
(LGPL) Image I/O-Extensions - Custom Streams
(org.geosolutions.imageio-ext:imageio-ext-streams:1.1.13
- no url defined)
(LGPL) Image I/O-Extensions - GeoCore
(org.geosolutions.imageio-ext:imageio-ext-geocore:1.1.13
- no url defined)
(LGPL) Image I/O-Extensions - utilities classes and methods
(org.geosolutions.imageio-ext:imageio-ext-utilities:1.1.13
- no url defined)
(LGPL) Improved TIFF Plugin
(org.geosolutions.imageio-ext:imageio-ext-tiff:1.1.13
- no url defined)
(LGPL) JCalendar (com.toedter:jcalendar:1.1.4
- http://www.toedter.com/en/jcalendar/)
(LGPL) JTS Topology Suite (com.vividsolutions:jts:1.13
- http://sourceforge.net/projects/jts-topo-suite)
(LGPL) Main module
(org.geotools:gt-main:14.1 - no url defined)
(LGPL) Metadata
(org.geotools:gt-metadata:14.1 - no url defined)
(LGPL) OGC CQL to Filter parser
(org.geotools:gt-cql:14.1 - no url defined)
(LGPL) Process
(org.geotools:gt-process:14.1 - no url defined)
(LGPL) Process Feature
(org.geotools:gt-process-feature:14.1 - no url defined)
(LGPL) Referencing services
(org.geotools:gt-referencing:14.3 - no url defined)
(LGPL) Remote Tea Runtime
(org.acplt:oncrpc:1.0.7 - http://remotetea.sourceforge.net/)
(LGPL) Render
(org.geotools:gt-render:14.1 - no url defined)
(LGPL) Shapefile module
(org.geotools:gt-shapefile:14.1 - no url defined)
(LGPL) Vector grids
(org.geotools:gt-grid:14.1 - no url defined)
(LGPL) XML Parsing
(org.geotools.xsd:gt-xsd-core:14.3 - no url defined)
(Unknown license) Antlr 3.4 Runtime
(org.antlr:antlr-runtime:3.4 - http://www.antlr.org)
(Unknown license) Jettison
(org.codehaus.jettison:jettison:1.1 - no url defined)
(Unknown license) jai_codec (javax.media:jai_codec:1.1.3 - no url defined)
(Unknown license) jai_core (javax.media:jai_core:1.1.3 - no url defined)
(Unknown license) jai_imageio (javax.media:jai_imageio:1.1 - no url defined)
(Unknown license) jgridshift (jgridshift:jgridshift:1.0 - no url defined)
(MIT license for package cern.colt.* only) colt
(colt:colt:1.2.0 - no url defined)
-- this is a mistake, should be using:
-- java.util.Arrays, not cern.colt.Arrays
-- creating an issue to eliminate dependency.
david.
On Thu, Sep 15, 2016 at 9:34 AM, Jim Hughes <[email protected]> wrote:
> Hi David,
>
> Ayup. As I mentioned in another part of the thread, we had to exclude and
> work around category-X transitive dependencies. Eclipse and Apache both
> agree on many of the no-go licenses and only-if you must ones.
>
> Since you mentioned JAI, I'd note that there is a project called Raster
> Processing Engine which is getting started to provide a better-licensed
> alternative. There are a number of ways in which things are improving
> (both license-wise and in terms of technology).
>
> Cheers,
>
> Jim
>
>
> On 09/14/2016 03:35 PM, David Lotts wrote:
>
>> Jim, thanks for the clarity! So that is settled, we can't just wait for
>> the wind to shift directions. :-)
>>
>> BTW, I see how several of the catagory-X dependencies (of dependancies)*
>> are removed -- thanks to
>> https://github.com/locationtech/geomesa/blob/master/pom.xml :
>> <exclusion>
>> <!-- excluded due to license issues -->
>> <groupId>javax.media</groupId>
>> <artifactId>jai_codec</artifactId>
>> </exclusion>
>> There are a bunch of examples of this in the geomesa pom.
>>
>> david.
>>
>> On Wed, Sep 14, 2016 at 3:12 PM, Jim Hughes <[email protected]> wrote:
>>
>> Hi Dave,
>>>
>>> Good question. Currently, there are no plans for GeoMesa to be free of
>>> GeoTools. At the minute, GeoTools and GeoServer are two of the best
>>> projects for handling geospatial processing and serving up the results
>>> via
>>> OGC access patterns. It is inconvenient that their licenses aren't more
>>> business friendly. I'd point out that several of these projects were in
>>> existence before ASF license version 1.1.;)
>>>
>>> In terms of integrations of GeoMesa and Apache projects, in many cases
>>> (such as Storm or Kafka), I think it might make more sense for GeoMesa to
>>> depend on the Apache project or for there to be a third-party project
>>> which
>>> depends on both (for example with NiFi). Overall, I'd love to see better
>>> licensing so that dependencies can go either direction. I spend more
>>> time
>>> than I care to dealing with legal details like this...
>>>
>>> For other LocationTech projects, I'd point out that only a few use
>>> GeoTools. For instance, Spatial4J is used by Apache Lucene. Overall, the
>>> Eclipse Foundation (and LocationTech by extension) hosts projects which
>>> have business-friendly licenses.
>>>
>>> Anyhow, I hope that helps clarify things a bit.
>>>
>>> Cheers,
>>>
>>> Jim
>>>
>>>
>>> On 09/14/2016 02:29 PM, David Lotts wrote:
>>>
>>> Oops, this thread was supposed to be subject RYA-177
>>>> RYA-179 is corrections to Rya source file license headers.
>>>>
>>>> Jim, do you know when GeoMesa plans to be completely free of GeoTools ?
>>>> Clearly Geotools is an obstacle for Apache projects to use LocationTech
>>>> projects, or at least GeoMesa.
>>>> Or is there another path forward for GeoMesa?
>>>>
>>>> On Wed, Sep 14, 2016 at 1:48 PM, Aaron D. Mihalik <
>>>> [email protected]>
>>>> wrote:
>>>>
>>>> Could we revive the indexer profile again?
>>>>
>>>>> (tl;dr: Yes. Mentors: Please correct us if we're wrong)
>>>>>
>>>>> This might be a solution. I found a couple similar cases with Apache
>>>>> projects and discussions related to those cases.
>>>>>
>>>>> Apache Flink integrated with Amazon Kinesis [1] and [2]. Note that
>>>>> Kinesis
>>>>> is an optional profile, and it's well documented in the POM why it's
>>>>> optional.
>>>>>
>>>>> (Note that NiFi got around this by using Amazon's SDK for Java [3],
>>>>> which
>>>>> is purely Apache 2.0)
>>>>>
>>>>> Spark uses optional profiles to build artifacts based on LGPL
>>>>> dependencies. Spark has to built by the user to use netlib [4][5],
>>>>> Ganglia
>>>>> [6], or Kinesis [6].
>>>>>
>>>>> I think a profile will work, but I'd like to see it well documented
>>>>> (both
>>>>> in the POM and manual) so that we never accidentally create a release
>>>>> with
>>>>> these artifacts.
>>>>>
>>>>> I was going to open a separate ticket to implement this, but I think
>>>>> it's
>>>>> good to track all of this effort under RYA-177.
>>>>>
>>>>> --Aaron
>>>>>
>>>>> [1]
>>>>> https://github.com/apache/flink/blob/release-1.1.2/
>>>>> flink-streaming-connectors/pom.xml#L69
>>>>> [2]
>>>>> https://github.com/apache/flink/blob/release-1.1.2/
>>>>> flink-streaming-connectors/flink-connector-kinesis/pom.xml#L73
>>>>>
>>>>> [3] https://github.com/apache/nifi/blob/master/pom.xml#L1316
>>>>>
>>>>> [4] https://github.com/apache/spark/blob/v2.0.0/mllib/pom.xml#L120
>>>>> [5]
>>>>> https://github.com/apache/spark/blob/v2.0.0/docs/ml-guide.
>>>>> md#dependencies
>>>>>
>>>>> [6] https://github.com/apache/spark/blob/v2.0.0/pom.xml#L2414
>>>>>
>>>>> [7] https://issues.apache.org/jira/browse/LEGAL-198
>>>>> [8] https://www.gnu.org/licenses/lgpl-java.html
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Sep 14, 2016 at 12:09 PM David Lotts <[email protected]> wrote:
>>>>>
>>>>> Great find Aaron!
>>>>>
>>>>>> The ESRI library is quite comparable!
>>>>>>
>>>>>> Rya via Geomesa are using *JTS Topology Suite (*JTS): (the javadocs at
>>>>>> vividsolutions seems to be 404 )
>>>>>>
>>>>>>
>>>>>> http://tsusiatsoftware.net/jts/javadoc/com/vividsolutions/jts/geom/
>>>>>>
>>>>>> Geometry.html
>>>>>
>>>>> Far from a drop-in replacement, but a path forward:
>>>>>> http://esri.github.io/geometry-api-java/javadoc/
>>>>>>
>>>>>> Interesting, ESRI has Shape file support, but no GML, the opposite of
>>>>>>
>>>>>> JTS!
>>>>>
>>>>> david.
>>>>>>
>>>>>>
>>>>>> On Wed, Sep 14, 2016 at 10:29 AM, Aaron D. Mihalik <
>>>>>> [email protected]>
>>>>>> wrote:
>>>>>>
>>>>>> Yeah, that sounds possible. I don't like the idea of having to
>>>>>> maintain
>>>>>>
>>>>>>> another build/ci/release process, though.
>>>>>>>
>>>>>>> More importantly, we'd also have to modify our GeoIndexer interface
>>>>>>> [1]
>>>>>>>
>>>>>>> to
>>>>>>
>>>>>> something Apache Friendly. It looks like Ersi puts out an Apache 2.0
>>>>>>> library [2].
>>>>>>>
>>>>>>> [1]
>>>>>>> https://github.com/apache/incubator-rya/blob/master/
>>>>>>> extras/indexing/src/main/java/mvm/rya/indexing/GeoIndexer.java
>>>>>>> [2] https://github.com/Esri/geometry-api-java
>>>>>>>
>>>>>>> On Tue, Sep 13, 2016 at 10:36 PM Jim Hughes <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi Aaron,
>>>>>>>
>>>>>>>> Thanks, wasn't finding that list quickly...
>>>>>>>>
>>>>>>>> It sounds like the GeoMesa/GeoTools usage might fall under this Q/A:
>>>>>>>> http://www.apache.org/legal/resolved.html#optional.
>>>>>>>>
>>>>>>>> Thoughts?
>>>>>>>>
>>>>>>>> Jim
>>>>>>>>
>>>>>>>> On 9/13/2016 9:25 PM, Aaron D. Mihalik wrote:
>>>>>>>>
>>>>>>>> Jim,
>>>>>>>>>
>>>>>>>>> We've been working off of these lists:
>>>>>>>>>
>>>>>>>>> http://www.apache.org/legal/resolved.html#category-a
>>>>>>>>>
>>>>>>>>> On Tue, Sep 13, 2016 at 6:07 PM Jim Hughes <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Hi David,
>>>>>>>>>
>>>>>>>>>> A number of the geo-dependencies are likely from the geo-indexing
>>>>>>>>>>
>>>>>>>>>> (which
>>>>>>>>>
>>>>>>>> uses GeoMesa (Apache 2.0) which uses GeoTools and JTS).
>>>>>>>>
>>>>>>>>> Are there options to make the geoindexing a profile, provide the
>>>>>>>>>>
>>>>>>>>>> source,
>>>>>>>>>
>>>>>>>> and not provide artifacts for that code at Apache?
>>>>>>>>
>>>>>>>>> Also, is there a list of approved licenses for Apache projects
>>>>>>>>>> dependencies?
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>>
>>>>>>>>>> Jim
>>>>>>>>>>
>>>>>>>>>> On 09/13/2016 05:46 PM, David Lotts wrote:
>>>>>>>>>>
>>>>>>>>>> This issue is a release blocker:
>>>>>>>>>>> <https://issues.apache.org/jira/browse/RYA-179>
>>>>>>>>>>>
>>>>>>>>>>> RYA-179 <https://issues.apache.org/jira/browse/RYA-179> Review
>>>>>>>>>>>
>>>>>>>>>>> License /
>>>>>>>>>>
>>>>>>>>> Copyright notices on Rya Artifacts
>>>>>>>>>
>>>>>>>>>> I was able to create a 3rd party dependency license report for
>>>>>>>>>>>
>>>>>>>>>>> Rya
>>>>>>>>>>
>>>>>>>>> from the license
>>>>>>
>>>>>>> maven plugin.
>>>>>>>>>>> <http://www.mojohaus.org/license-maven-plugin/>
>>>>>>>>>>>
>>>>>>>>>>> Good: I can send the full list if you like. Mostly ASL and
>>>>>>>>>>>
>>>>>>>>>>> clearly
>>>>>>>>>>
>>>>>>>>> permitted.
>>>>>>
>>>>>>> Okay: A number of CDDL and CPL licenses -- permitted if no source
>>>>>>>>>>>
>>>>>>>>>>> code
>>>>>>>>>>
>>>>>>>>> is
>>>>>>>>
>>>>>>>> included.
>>>>>>>>>
>>>>>>>>>> Needs Improvement: The following are not clearly permitted
>>>>>>>>>>>
>>>>>>>>>>> licenses:
>>>>>>>>>>
>>>>>>>>> (cern.colt MIT license see
>>>>>>>
>>>>>>>> https://dst.lbl.gov/ACSSoftware/colt/license.html) colt
>>>>>>>>>>>
>>>>>>>>>>> (colt:colt:1.2.0 -
>>>>>>>>>>
>>>>>>>>>> no url defined)
>>>>>>>>>>> -- this is a mistake, should be java.util.Arrays,
>>>>>>>>>>> not
>>>>>>>>>>> cern.colt.Arrays -- creating an issue to eliminate dependency.
>>>>>>>>>>> (GNU LESSER GENERAL PUBLIC LICENSE) JCalendar
>>>>>>>>>>> (com.toedter:jcalendar:1.1.4 -
>>>>>>>>>>>
>>>>>>>>>>> http://www.toedter.com/en/jcalendar/)
>>>>>>>>>>
>>>>>>>>> (Lesser General Public License (LGPL)) JTS Topology Suite
>>>>>>>
>>>>>>>> (com.vividsolutions:jts:1.13 -
>>>>>>>>>>> http://sourceforge.net/projects/jts-topo-suite)
>>>>>>>>>>> (Lesser General Public License (LGPL)) Image
>>>>>>>>>>>
>>>>>>>>>>> I/O-Extensions
>>>>>>>>>>
>>>>>>>>> -
>>>>>>
>>>>>> GeoCore
>>>>>>>
>>>>>>>> (it.geosolutions.imageio-ext:imageio-ext-geocore:1.1.13 - no url
>>>>>>>>>>>
>>>>>>>>>>> defined)
>>>>>>>>>>
>>>>>>>>> (Lesser General Public License (LGPL)) Image
>>>>>>>>>
>>>>>>>>>> I/O-Extensions
>>>>>>>>>>
>>>>>>>>> -
>>>>>>
>>>>>> Custom
>>>>>>>
>>>>>>>> Streams (it.geosolutions.imageio-ext:imageio-ext-streams:1.1.13
>>>>>>>>>>>
>>>>>>>>>>> -
>>>>>>>>>>
>>>>>>>>> no
>>>>>>
>>>>>> url
>>>>>>>
>>>>>>>> defined)
>>>>>>>>>
>>>>>>>>>> (Lesser General Public License (LGPL)) Improved TIFF
>>>>>>>>>>>
>>>>>>>>>>> Plugin
>>>>>>>>>>
>>>>>>>>> (it.geosolutions.imageio-ext:imageio-ext-tiff:1.1.13 - no url
>>>>>>
>>>>>>> defined)
>>>>>>>>>>
>>>>>>>>> (Lesser General Public License (LGPL)) Image
>>>>>>>>
>>>>>>>>> I/O-Extensions
>>>>>>>>>>
>>>>>>>>> -
>>>>>>
>>>>>> utilities classes and methods
>>>>>>>
>>>>>>>> (it.geosolutions.imageio-ext:imageio-ext-utilities:1.1.13 - no
>>>>>>>>>>>
>>>>>>>>>>> url
>>>>>>>>>>
>>>>>>>>> defined)
>>>>>>
>>>>>>> (Unknown license) jai_codec (javax.media:jai_codec:1.1.3 -
>>>>>>>>>>>
>>>>>>>>>>> no
>>>>>>>>>>
>>>>>>>>> url
>>>>>>>
>>>>>>>> defined)
>>>>>>>>>
>>>>>>>>>> (Unknown license) jai_core (javax.media:jai_core:1.1.3 -
>>>>>>>>>>>
>>>>>>>>>>> no
>>>>>>>>>>
>>>>>>>>> url
>>>>>>
>>>>>>> defined)
>>>>>>>>
>>>>>>>>> (Unknown license) jai_imageio
>>>>>>>>>>>
>>>>>>>>>>> (javax.media:jai_imageio:1.1 -
>>>>>>>>>>
>>>>>>>>> no
>>>>>>
>>>>>>> url
>>>>>>>>
>>>>>>>> defined)
>>>>>>>>>
>>>>>>>>>> (Unknown license) jgridshift (jgridshift:jgridshift:1.0 -
>>>>>>>>>>>
>>>>>>>>>>> no
>>>>>>>>>>
>>>>>>>>> url
>>>>>>
>>>>>>> defined)
>>>>>>>>
>>>>>>>>> (GNU Lesser General Public License) Remote Tea Runtime
>>>>>>>>>>> (org.acplt:oncrpc:1.0.7 - http://remotetea.sourceforge.net/)
>>>>>>>>>>> (Unknown license) Antlr 3.4 Runtime
>>>>>>>>>>>
>>>>>>>>>>> (org.antlr:antlr-runtime:3.4 -
>>>>>>>>>>
>>>>>>>>> http://www.antlr.org)
>>>>>>>>>
>>>>>>>>>> (Unknown license) Jettison (org.codehaus.jettison:
>>>>>>>>>>>
>>>>>>>>>>> jettison:1.1
>>>>>>>>>>
>>>>>>>>> - no
>>>>>>>>
>>>>>>>> url defined)
>>>>>>>>>
>>>>>>>>>> (Lesser General Public License (LGPL)) API interfaces
>>>>>>>>>>> (org.geotools:gt-api:14.3 - no url defined)
>>>>>>>>>>> (Lesser General Public License (LGPL)) Grid Coverage
>>>>>>>>>>>
>>>>>>>>>>> module
>>>>>>>>>>
>>>>>>>>> (org.geotools:gt-coverage:14.3 - no url defined)
>>>>>>
>>>>>>> (Lesser General Public License (LGPL)) OGC CQL to Filter
>>>>>>>>>>>
>>>>>>>>>>> parser
>>>>>>>>>>
>>>>>>>>> (org.geotools:gt-cql:14.1 - no url defined)
>>>>>>>>
>>>>>>>>> (Lesser General Public License (LGPL)) DataStore Support
>>>>>>>>>>> (org.geotools:gt-data:14.1 - no url defined)
>>>>>>>>>>> (Lesser General Public License (LGPL)) Feature Based
>>>>>>>>>>>
>>>>>>>>>>> Graphs
>>>>>>>>>>
>>>>>>>>> and
>>>>>>
>>>>>>> Networks (org.geotools:gt-graph:14.3 - no url defined)
>>>>>>>>
>>>>>>>>> (Lesser General Public License (LGPL)) Vector grids
>>>>>>>>>>> (org.geotools:gt-grid:14.1 - no url defined)
>>>>>>>>>>> (Lesser General Public License (LGPL)) Main module
>>>>>>>>>>> (org.geotools:gt-main:14.1 - no url defined)
>>>>>>>>>>> (Lesser General Public License (LGPL)) Metadata
>>>>>>>>>>> (org.geotools:gt-metadata:14.1 - no url defined)
>>>>>>>>>>> (Lesser General Public License (LGPL)) (OGC copyright)
>>>>>>>>>>>
>>>>>>>>>>> Open
>>>>>>>>>>
>>>>>>>>> GIS
>>>>>>
>>>>>>> Interfaces (org.geotools:gt-opengis:14.1 - no url defined)
>>>>>>>>
>>>>>>>>> (Lesser General Public License (LGPL)) Process
>>>>>>>>>>> (org.geotools:gt-process:14.1 - no url defined)
>>>>>>>>>>> (Lesser General Public License (LGPL)) Process Feature
>>>>>>>>>>> (org.geotools:gt-process-feature:14.1 - no url defined)
>>>>>>>>>>> (Lesser General Public License (LGPL)) Referencing
>>>>>>>>>>>
>>>>>>>>>>> services
>>>>>>>>>>
>>>>>>>>> (org.geotools:gt-referencing:14.3 - no url defined)
>>>>>>
>>>>>>> (Lesser General Public License (LGPL)) Render
>>>>>>>>>>> (org.geotools:gt-render:14.1 - no url defined)
>>>>>>>>>>> (Lesser General Public License (LGPL)) Shapefile module
>>>>>>>>>>> (org.geotools:gt-shapefile:14.1 - no url defined)
>>>>>>>>>>> (Lesser General Public License (LGPL)) Feature
>>>>>>>>>>>
>>>>>>>>>>> transforming
>>>>>>>>>>
>>>>>>>>> feature
>>>>>>
>>>>>>> source wrapper (org.geotools:gt-transform:14.1 - no url defined)
>>>>>>>>>
>>>>>>>>>> (Lesser General Public License (LGPL)) XML Parsing
>>>>>>>>>>> (org.geotools.xsd:gt-xsd-core:14.3 - no url defined)
>>>>>>>>>>> (Lesser General Public License (LGPL)) GML2 XML Support
>>>>>>>>>>> (org.geotools.xsd:gt-xsd-gml2:14.3 - no url defined)
>>>>>>>>>>> (Lesser General Public License (LGPL)) GML3 XML Support
>>>>>>>>>>> (org.geotools.xsd:gt-xsd-gml3:14.3 - no url defined)
>>>>>>>>>>>
>>>>>>>>>>> david.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>
