Thanks for the feedback.  It is very helpful.  It sounds like you think we
should make four modifications:

1. Do an audit of non-classified RAT files and verify that we aren't
including other licenses.
2. Examine whether we are including unnecessary license notices in the files
(e.g. JUnit)
3. Exclude class B binary artifacts or require active user consent to
include them
4. Maintain separate directories for class B licenses when included.

I think that you have good points in 1 & 2.  I will open JIRAs to solve
these.

For points 3 & 4, I think you have a very conservative interpretation of
Apache requirements which goes beyond the guidelines as well as what other
projects do.  For class B licenses [1]: "[class B licenses require] an
explicit action by the user to get the reciprocally-licensed source".  This
seems to be specifically focused on source distribution, not binary
artifacts.  Since we don't bundle the source, we should be okay according
to these guidelines.

Additionally, I did a quick review of similar projects.  For this review, I
chose to look at the jersey-core artifact, something that falls under the
CDDL license (class B).  If I review the published artifacts for both
Hadoop (2.5.0) and HBase (94.21), both include the binary artifact for this
within their distribution, without special user consent and in the same
directory as other binary artifacts that fall under class A licenses.

Thanks again for your feedback.  I think issues 1 & 2 above sink the rc1
candidate so let's correct and roll another.

Jacques

[1] http://www.apache.org/legal/3party.html


On Mon, Sep 1, 2014 at 6:16 PM, Justin Mclean <[email protected]>
wrote:

> Hi,
>
> Looks like the source LICENSE is missing the MIT and BSD bundled software.
>
> Can you list out what software is bundled into the source release that is
> MIT or BSD licensed?
>
> From a quick search I see that these have MIT licenses:
> ./contrib/native/client/src/clientlib/y2038/time64.c
> ./contrib/native/client/src/clientlib/y2038/time64.h
> ./contrib/native/client/src/clientlib/y2038/time64_config.h
> ./contrib/native/client/src/clientlib/y2038/time64_limits.h
>
> It's hard to check the rat report as there are over 300 files that don't have
> headers; while most of these are JSON and the like, it makes it hard to review
> and know what's going on.
>
> From rat I get 1897 standards, 1569 Apache licensed and 315 unknown (or
> missing) licenses. 1897 - 1569 - 315 = 13 files that have other licences.
> I've only found 4 above, so what are the other 9 files?
>
> Just follow the instructions at [1] and your project mentors should be
> able to help with this.
>
> The binary LICENSE and NOTICE look better, but I think they are still
> including too much, for example the LICENSE states:
>
> "This product bundles JUnit (junit:junit:4.11 - http://junit.org)"
>
> Does it actually bundle jars or source code from JUnit or does it just
> contain tests that are run by JUnit? If it bundles the JUnit jar does it
> really need to?
>
> There's also (IMO) an issue with how you've bundled CDDL, EPL and MPL
> licensed software in the binary release, see Category B licenses at [2].
> They need to be clearly marked and you need to prompt the user to accept
> their license (or not include them in the binary if that's at all
> possible). I would also put them in another directory separate from the
> category A licensed binaries if they do need to be bundled.
>
> Thanks,
> Justin
>
> 1. http://www.apache.org/dev/licensing-howto.html#permissive-deps
> 2. http://www.apache.org/legal/3party.html
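As an added example (not code from this thread or from the project under
discussion): a small Python script that parses RAT's plain-text report,
cross-checks the "standards minus Apache minus unknown" arithmetic used in
Justin's reply, and lists the files carrying other license tags so they can be
reconciled against LICENSE. The per-file line format (a tag such as AL, MIT,
BSD, B, N, A, GEN or !????? followed by the path) and the summary labels are
assumed from RAT's plain-text output; the embedded report is constructed for
illustration, not taken from a real release.

```python
import re
from collections import defaultdict

# Tag RAT prints for files carrying an Apache License header.
APACHE_TAG = "AL"
# Tag RAT prints for files with no recognised license header.
UNKNOWN_TAG = "!?????"
# Tags for files that need no header and are not counted as "standards":
# binary, archive, notice/license file, generated document (assumed set).
NON_STANDARD_TAGS = {"B", "A", "N", "GEN"}

# Per-file report line: optional indent, tag, whitespace, path starting "./".
FILE_LINE = re.compile(r"^\s*(\S+)\s+(\./\S.*)$")
# Summary lines (labels assumed from RAT's plain-text report).
STANDARDS = re.compile(r"^Standards:\s*(\d+)", re.M)
APACHE = re.compile(r"^Apache Licensed:\s*(\d+)", re.M)
UNKNOWN = re.compile(r"^(\d+) Unknown Licenses", re.M)

# Constructed sample report for illustration only.
SAMPLE_REPORT = """\
*****************************************************
Summary
-------
Standards: 7

Apache Licensed: 3
Generated Documents: 0

1 Unknown Licenses

*****************************************************
  Files with Apache License headers will be marked AL
  Binary files (which do not require AL headers) will be marked B
  Compressed archives will be marked A
  Notices, licenses etc will be marked N
  AL    ./pom.xml
  AL    ./src/main/java/Foo.java
  AL    ./src/main/java/Bar.java
  N     ./LICENSE
  B     ./docs/logo.png
 !????? ./src/test/resources/sample.json
  MIT   ./contrib/native/client/src/clientlib/y2038/time64.c
  MIT   ./contrib/native/client/src/clientlib/y2038/time64.h
  BSD   ./contrib/third_party/example.c
"""


def parse_file_lines(report):
    """Return {tag: [paths]} for every per-file line in the report."""
    by_tag = defaultdict(list)
    for line in report.splitlines():
        m = FILE_LINE.match(line)
        if m:
            tag, path = m.groups()
            by_tag[tag].append(path)
    return dict(by_tag)


def summary_counts(report):
    """Pull the three summary numbers used in the standards - AL - unknown sum."""
    def grab(rx):
        m = rx.search(report)
        return int(m.group(1)) if m else 0
    return grab(STANDARDS), grab(APACHE), grab(UNKNOWN)


def other_licensed_files(by_tag):
    """Files whose tag is neither Apache, unknown, nor a non-standard marker.

    These are the files that must appear in LICENSE (and possibly NOTICE).
    """
    skip = NON_STANDARD_TAGS | {APACHE_TAG, UNKNOWN_TAG}
    return {tag: sorted(paths) for tag, paths in by_tag.items() if tag not in skip}


def audit(report):
    """Cross-check the summary arithmetic against the per-file lines."""
    by_tag = parse_file_lines(report)
    standards, apache, unknown = summary_counts(report)
    other = other_licensed_files(by_tag)
    found = sum(len(paths) for paths in other.values())
    expected = standards - apache - unknown
    return {
        "expected_other": expected,
        "found_other": found,
        "consistent": found == expected,
        "by_license": other,
        "unknown": sorted(by_tag.get(UNKNOWN_TAG, [])),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_REPORT)
    print(f"summary says {result['expected_other']} other-licensed files, "
          f"found {result['found_other']} (consistent={result['consistent']})")
    for tag, paths in sorted(result["by_license"].items()):
        for path in paths:
            print(f"  {tag:6} {path}")
    print(f"{len(result['unknown'])} file(s) with no recognised header")
```

Run it against the output of `mvn apache-rat:check` (or the RAT CLI) saved to a
file instead of SAMPLE_REPORT; a mismatch between the summary arithmetic and
the listed files points at tags the script does not classify, which is exactly
the case worth inspecting by hand.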
