Hi Justin,

Thanks a lot for your review, I have some questions:

1. The source LICENSE mentions:
- JSON licensed software - this is category X and can’t be dependency even if it is not included in the source release. [1]
- CDDL and EPL license software there are category B and cannot be included in a source release. [2]

I reviewed this JSON license we've mentioned in license file:
(The JSON License) JSON in Java (org.json:json:20140107 - https://github.com/douglascrockford/JSON-java)
It is transitive dependency from org.apache.hive:hive-metastore:jar:1.2.1 (The Apache Software License, Version 2.0), we use hive metastore APIs and mentioned in pom.xml, but did not use org.json libraries directly. And it is bundled after built in runtime.
- I also checked license file of hive, it announced JSON license for org.json library. (https://github.com/apache/hive/blob/release-1.2.1/LICENSE#L308)

For those CDDL and EPL licenses dependencies, we also just need them in runtime.

2. Only things that are actually bundled in the release should be mentioned in LICENSE. [3][4]

To my understanding, as a source release, all the dependencies are bundled when it is built. The dependencies are not bundled in the source code, so we don't need to announce any dependencies' licenses in source release?

Actually, in the Griffin-0.2.0-incubating [RC1] release vote process, we've received an email from John D. Ament:

-----
On mine I get 3 files failing

Unapproved licenses:

  DEPENDENCIES
  griffin-doc/service/postman/griffin.json
  griffin-doc/service/postman/griffin_environment.json

Doing what I assume is the same thing as Matt (mvn apache-rat:check from the source release folder). In addition to what he's noted, the year in your NOTICE file should be updated to 2018.

The resulting output files need a little bit of work:

- measure's JAR shows the notice for Avro. It also packs in additional dependencies that are not apache licensed (they're all Cat B so they're fine). In the next release, please create dedicated NOTICE and LICENSE files for this JAR.
- Similar issues exist in the service JAR, where the spring boot JAR includes many other dependencies, some of which carry their own NOTICE (Jackson, Tomcat) or other licenses. What's harder is that you're using Hibernate, which is an LGPL Cat-X dependency and cannot be included in the JAR. This is going to have to come out.
- The resulting output from your UI build should have licenses in place for font awesome, glyphicons. I'm not sure what's in your vendor.min.js but based on your node_modules you may need to call out additional license/notice contents.

Sorry, but -1.
-----

In the comments, we also did not bundle any dependencies in source code, they are just bundled after built. It seems like we should announce the licenses of dependencies in built jars, even if we only released the source code package.

*Now I'm confused about this, would you give me some suggestions?*

Thanks,
Lionel

On Fri, Apr 13, 2018 at 7:49 AM, Justin Mclean <jus...@classsoftware.com> wrote:

> Hi,
>
> -1 binding
>
> The source LICENSE mentions:
> - JSON licensed software - this is category X and can’t be dependency even
> if it is not included in the source release. [1]
> - CDDL and EPL license software there are category B and cannot be
> included in a source release. [2]
>
> Only things that are actually bundled in the release should be mentioned
> in LICENSE. [3][4]
>
> Thanks,
> Justin
>
> 1. https://www.apache.org/legal/resolved.html#category-x
> 2. https://www.apache.org/legal/resolved.html#category-b
> 3. http://www.apache.org/dev/licensing-howto.html#guiding-principle
> 4. http://www.apache.org/dev/licensing-howto.html#bundled-vs-non-bundled