On 9/20/16, 11:50 AM, "Donald Szeto" <don...@apache.org> wrote:
>Hi all,
>
>I am preparing my first Apache release and am wondering if I need to check
>licenses of all transitive deps if the release contains:
>
>- a single source tarball;
>- a few binary JAR artifacts on Nexus that contain no transitive deps in
>either binary or source form.

An official Apache release only contains source. It cannot contain compiled binaries. Official Apache releases may be accompanied by a "convenience binary package" that contains the result of running the build contained in the source script. It could bundle third-party jars. The LICENSE file in the source package may be different from the LICENSE in the "convenience binary" if the convenience binary contains a bundled third-party jar. Each LICENSE file must reflect the contents of its containing package.

>Would it be sufficient to make sure the licenses of all sources comply
>with Apache policy in this case? Do I need to check transitive deps in this
>case?

You must chase down transitive deps in the package. If the source package doesn't contain any non-ASF code then there isn't anything to chase for the source package. If the binary does contain third-party jars, then you have to chase transitive deps on those jars.

HTH,
-Alex

[1] http://www.apache.org/dev/licensing-howto.html
[2] http://www.apache.org/dev/release.html#what