Geir Magnusson Jr <geir <at> pobox.com> writes:

> That was a mistake, the BCL stuff.

Yeah, I believe everyone agrees on that.

> That is being taken care of.

Does that mean tomcat 4[1] will be pulled completely from Apache.org, or will there be a new release?

It would be easy to write a script that unpacks all the tarballs on dist, finds all jars, zipinfo's them and greps for "sun" to spot problematic projects and 'quarantine' them, so that we don't distribute bits that may impose additional hardships on unassuming users of Apache software, as we currently unfortunately still seem to do[2].

cheers,
dalibor topic

[1] And for some odd reason tomcat 4.1.31 binary release tarball doesn't seem to mention BCL anywhere, despite having lots of com.sun.* classes in the various jars, which makes sanitizing it so painful: one needs to look into every single JAR to figure out if it is redistributable at all, or not. Yay non-transferable proprietary licenses. :/ So ... please let's always document where each bundled artifact came from, under which license and version it was included, for the sake of our users. If that's not an ASF policy already, it should become one, and we should start using it in harmony by documenting origins, licenses and versions of our dependencies for all to see and verify.

[2] http://www.apache.org/dist/tomcat/tomcat-4/v4.1.31/bin/jakarta-tomcat-4.1.31.tar.gz
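
The scan proposed in the message above, sketched as an added example (not code from the original post or from any Apache project): it reads every JAR inside a release tarball and reports class entries under `com/sun/` or `sun/`. The prefixes, function names and sample archive are assumptions constructed for illustration; a hit only flags a JAR for manual license review.

```python
import io
import tarfile
import zipfile

SUSPECT_PREFIXES = ("com/sun/", "sun/")  # assumption: package prefixes to flag


def scan_jar(jar_bytes):
    """Return sorted suspect class entries in a JAR, or None if it is unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            return sorted(n for n in jar.namelist()
                          if n.endswith(".class") and n.startswith(SUSPECT_PREFIXES))
    except zipfile.BadZipFile:
        return None  # corrupt JAR: report it rather than silently skipping


def scan_tarball(fileobj):
    """Map each JAR path inside a .tar.gz to its suspect classes (None = unreadable)."""
    findings = {}
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if not (member.isfile() and member.name.endswith(".jar")):
                continue
            # Read in memory, never extract to disk: archive paths are untrusted.
            hits = scan_jar(tar.extractfile(member).read())
            if hits is None or hits:
                findings[member.name] = hits
    return findings


def build_sample_tarball():
    """Constructed sample: a clean JAR, a JAR with a com.sun class, a corrupt JAR."""
    def jar(names):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for n in names:
                z.writestr(n, b"\xca\xfe\xba\xbe")
        return buf.getvalue()
    files = {"sample-1.0/lib/clean.jar": jar(["org/example/App.class"]),
             "sample-1.0/lib/bundled.jar": jar(["com/sun/example/Impl.class", "org/example/U.class"]),
             "sample-1.0/lib/broken.jar": b"not a zip archive"}
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(out.getvalue())


if __name__ == "__main__":
    print(scan_tarball(build_sample_tarball()))
```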