The "analyze-report" plugin did not work for Sentry; also, it generates the
dependencies but not the licenses. Filed Sentry-1029 to track automating
this process of generating dependencies as well as their licenses.

Here is the list of external dependencies which I manually compiled for
now:
https://cwiki.apache.org/confluence/display/SENTRY/External+dependencies+and+Licenses

Can someone please double check the accuracy?

Looking at the list, it looks like it would be best to make sure the
non-Apache licensed dependencies are attributed and handled well? By the way,
all of these seem like test dependencies.

Easymock (MIT)
Mockito (MIT)
Slf4j (MIT)
Hamcrest (BSD)
Junit (Eclipse)

One thing to note is that Sentry makes source-only releases; not sure if it
changes how we handle licenses of dependencies.

On Fri, Jan 22, 2016 at 5:06 PM, Lenni Kuff <[email protected]> wrote:

> Thanks for the updates Sravya, looks good.
>
> Yes, we should document the dependencies someplace; putting them on a wiki
> is probably okay for now, but it will likely change fairly frequently.
> Would be good to have some automation around this - the Maven dependency
> plugin has support for generating a report on all dependencies:
>
> https://maven.apache.org/plugins/maven-dependency-plugin/analyze-report-mojo.html
>
> Example output:
>
> https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/dependency-analysis.html
>
> We should consider doing something similar.
>
> Thanks,
> Lenni
>
>
> On Fri, Jan 22, 2016 at 4:54 PM, Sravya Tirukkovalur <[email protected]> wrote:
>
> > Thanks Lenni for your feedback! Added some data points (links) to the
> > doc.
> >
> > For the external dependencies, here is the list I got using "mvn clean
> > dependency:list -DexcludeTransitive=true" and doing some cleaning up for
> > duplicates:
> >
> > ant-contrib
> > cglib
> > com.google.guava
> > com.jolbox
> > commons-cli
> > commons-lang
> > commons-logging
> > io.dropwizard.metrics
> > javax.jdo
> > joda-time
> > junit
> > log4j
> > org.apache.commons
> > org.apache.curator
> > org.apache.derby
> > org.apache.hadoop
> > org.apache.hive.hcatalog
> > org.apache.hive
> > org.apache.pig
> > org.apache.sentry
> > org.apache.shiro
> > org.apache.solr
> > org.apache.sqoop
> > org.apache.thrift
> > org.apache.zookeeper
> > org.datanucleus
> > org.easymock
> > org.easytesting
> > org.eclipse.jetty
> > org.hamcrest
> > org.mockito
> > org.objenesis
> > org.slf4j
> >
> > I do not see anything except for junit in our proposal document. I think
> > we should document these dependencies and their licenses somewhere?
> >
> > Thanks!
> >
> > On Wed, Jan 20, 2016 at 4:41 PM, Lenni Kuff <[email protected]> wrote:
> >
> > > Hi Sravya,
> > > Thanks for putting together this document, it's very useful. With
> > > respect to your comments:
> > >
> > > 1) Dependencies - Not sure if there is a better way, but you can run
> > > something like:
> > >     mvn clean dependency:list -DexcludeTransitive=true
> > > to get a listing of all the current dependencies specified in the
> > > project.
> > >
> > > 2) Only comments in the doc are to point out links to back up your point
> > > where relevant.
> > >
> > > Thanks,
> > > Lenni
> > >
> > > On Wed, Jan 20, 2016 at 2:53 PM, Sravya Tirukkovalur <[email protected]> wrote:
> > >
> > > > Hello all,
> > > >
> > > > Bumping up this thread after the holiday season. Please take a look
> > > > and provide feedback.
> > > >
> > > > Also I updated the doc to capture the vote for Committer == PPMC.
> > > >
> > > > I still have one outstanding question:
> > > > - How do projects usually keep track of list of external dependencies
> > > > for license checking? Is it just reading through the maven pom file?
> > > > Or is there a standard way?
> > > >
> > > > I think I figured the answer for this question - What is the source
> > > > of truth for ICLAs? How do we double check all new committers have
> > > > ICLAs filed?
> > > > - Members with ICLAs filed and in Sentry group should appear here:
> > > > http://people.apache.org/committers-by-project.html#sentry
> > > >
> > > > On Fri, Nov 27, 2015 at 10:25 PM, Sravya Tirukkovalur <[email protected]> wrote:
> > > >
> > > > > Hi folks,
> > > > >
> > > > > Here is the initial draft of Sentry maturity assessment:
> > > > >
> > > > > https://cwiki.apache.org/confluence/display/SENTRY/Sentry+maturity+assessment
> > > > >
> > > > > Mentors & community members: Your feedback is valuable here. Looking
> > > > > forward to constructive criticism if any, which can help the Sentry
> > > > > community and its graduation.
> > > > >
> > > > > Also, I had a couple quick questions while drafting this.
> > > > > 1. How do projects usually keep track of list of external
> > > > > dependencies? Is it just reading through the maven pom file? Or is
> > > > > there a standard way?
> > > > > 2. What is the source of truth for ICLAs? How do we double check all
> > > > > new committers have ICLAs filed apart from reading through the
> > > > > private mail archives?
> > > > >
> > > > > Regards,
> > > > > --
> > > > > Sravya Tirukkovalur
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Sravya Tirukkovalur
> > > >
> > >
> >
> >
> >
> > --
> > Sravya Tirukkovalur
> >
>



-- 
Sravya Tirukkovalur
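
An added example, not part of the original thread or Sentry's code: a Python sketch of the clean-up step described above. It deduplicates `mvn dependency:list` output by group id, keeps the Maven scope, and reports which of the non-Apache-licensed groups named in the message appear outside `test` scope. The sample output and its versions are constructed, and treating every `org.apache.*` group as Apache-licensed is an assumption.

```python
from collections import defaultdict

# License labels for the group ids called out in the message above; any other
# non-Apache group is reported as unreviewed rather than guessed.
NON_APACHE = {"org.easymock": "MIT", "org.mockito": "MIT", "org.slf4j": "MIT",
              "org.hamcrest": "BSD", "junit": "Eclipse"}
SCOPES = {"compile", "runtime", "test", "provided", "system"}

# Constructed sample of `mvn dependency:list` output (versions are made up).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    junit:junit:jar:4.0:test
[INFO]    org.slf4j:slf4j-api:jar:1.0:compile
[INFO]    org.mockito:mockito-all:jar:1.0:test
[INFO]    com.google.guava:guava:jar:1.0:compile
[INFO]    org.apache.hadoop:hadoop-common:jar:1.0:provided
[INFO]    org.hamcrest:hamcrest-all:jar:1.0:test
[INFO]    org.slf4j:slf4j-log4j12:jar:1.0:runtime
"""

def parse_dependency_list(text):
    """Return {groupId: set of scopes} from `mvn dependency:list` output."""
    scopes_by_group = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        tokens = line[len("[INFO]"):].split()
        parts = tokens[0].split(":") if tokens else []
        # Coordinate format: group:artifact:type[:classifier]:version:scope
        if len(parts) in (5, 6) and parts[-1] in SCOPES:
            scopes_by_group[parts[0]].add(parts[-1])
    return dict(scopes_by_group)

def license_review(scopes_by_group):
    """Return (non-Apache groups used outside test scope, unreviewed groups)."""
    shipped, unreviewed = {}, []
    for group, scopes in sorted(scopes_by_group.items()):
        if group.startswith("org.apache."):
            continue  # assumption: ASF projects are Apache-licensed
        if group not in NON_APACHE:
            unreviewed.append(group)
        elif scopes - {"test"}:
            shipped[group] = (NON_APACHE[group], sorted(scopes - {"test"}))
    return shipped, unreviewed

if __name__ == "__main__":
    shipped, unreviewed = license_review(parse_dependency_list(SAMPLE))
    print("non-Apache license outside test scope:", shipped)
    print("no license recorded yet:", unreviewed)
```
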
