Thanks for bringing this up. I believe that we had thought the entire TinkerPop repository would be downloaded with gremlin-go from the package manager, despite Go only caring about gremlin-go. I think we later realized there was a way to avoid that:
$ ls ~/go/pkg/mod/github.com/apache/tinkerpop/gremlin-go/v3@v3.6.1 build design.md docker docker-compose.yml Dockerfile driver go.mod go.sum LICENSE pom.xml README.md run.sh wait-for-server.sh But we never adjusted LICENSE/NOTICE. Since "go get" only seems to pull the gremlin-go directory I think it now makes sense to treat gremlin-go as the other language variants by giving it its own LICENSE/NOTICE files. These should be the standard Apache 2 LICENSE and standard NOTICE without any additions. On Wed, Dec 21, 2022 at 2:21 AM Cole Greer <cole.gr...@improving.com.invalid> wrote: > Hi all, > > I wanted to briefly revive this old thread as I believe it may warrant > reconsideration. I was digging through the gremlin go module as downloaded > through “go get” it does include the root LICENSE file from the tinkerpop > repo as mentioned earlier. It does not however fetch any NOTICE file from > the root tinkerpop repo. As far as I understand there are no legal issues > with this setup as gremlin go doesn’t actually bundle any of it’s > dependencies in any distribution, so no notice or updated license would be > required. However I’m not sure that this is the optimal setup either. The > root level LICENSE file in Tinkerpop has the following appended to it due > to source files which are included for the tinkerpop site: > > ======================================================================== > > MIT Licenses > > ======================================================================== > > > The Apache TinkerPop project bundles the following components under the > MIT License: > > > bootstrap 5.0.0 (http://getbootstrap.com/) - for details, see > license/bootstrap > > jquery 1.11.0 (https://jquery.com/) - for details, see license/jquery > > normalize.css 2.1.2 (http://necolas.github.io/normalize.css/) - for > details, see licenses/normalize > prism.css/js 1.27.0 (http://prismjs.com) - for details, see licenses/prism > > This suffix is also being included in the LICENSE file in gremlin go which > seems unnecessary or incorrect. Also while a NOTICE file does not seem > required, all of the other GLVs do include a NOTICE such that Tinkerpop > will be included in the notice of any works which utilize it. For > consistency I believe that gremlin go should also include such a NOTICE > file. > > Example NOTICE: > Apache TinkerPop > Copyright 2015-2021 The Apache Software Foundation. > > This product includes software developed at > The Apache Software Foundation (http://www.apache.org/). > > If there is no further discussion on this thread I will assume a lazy > consensus favoring the status quo and no changes will be made. > > Regards, > > Cole Greer > > On 2022/03/18 18:28:44 Lyndon Bauto wrote: > > Thanks for looking into this, Stephen. I am going to follow this thread > for > > a little bit and remove it if there are no comments against removing it. > > > > On Fri, Mar 18, 2022 at 6:15 AM Stephen Mallette <sp...@gmail.com > <mailto:sp...@gmail.com>> > > wrote: > > > > > Note sure where to start with this, but we do need to make sure we've > > > gotten our LICENSE/NOTICE straight for gremlin-go if we are to make a > > > release of any sort. My understanding is that the tagging of the repo > with > > > the pattern `v3.5.3` (or the like) will allow go users to make use of > that > > > version. I further believe that in referencing that version, it will > > > trigger the download of the entire TinkerPop repository - i.e. the > source > > > code for all of TinkerPop, despite only really needing the gremlin-go > part > > > of it. > > > > > > I looked at Apache Arrow which has a golang package and I'm not > completely > > > sure that their pattern is the one to follow (a dangerous game to > assume > > > the other Apache project did it right), but it did help me think > through > > > our particular situation. > > > > > > The LICENSE/NOTICE should only be modified to address bundled bits. and > > > gremlin-go does not have any source code that is from a third party > (please > > > correct me if I'm wrong). The only third-party code is that which is > > > unrelated to gremlin-go and is already listed in the root NOTICE. We > cover > > > the licenses for those items already in our root LICENSE and /licenses > > > directory. > > > > > > Since the user gets the whole repo downloaded to include those files, I > > > would think those root files are enough to satisfy ASF concerns. > > > > > > The NOTICE file currently proposed for gremlin-go in particular, > doesn't > > > seem necessary as none of the items in there are "bundled bits". They > are > > > additional dependencies that come separate to what we say are in our > > > package. I think that file can be removed. > > > > > > > > > -- > > *Lyndon Bauto* > > Team Lead > > Bit Quill Technologies Inc. > > lynd...@bitquilltech.com<mailto:lynd...@bitquilltech.com> > > https://www.bitquilltech.com > > >
