[ https://issues.apache.org/jira/browse/MJAVADOC-669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17263389#comment-17263389 ]
Thorsten Glaser edited comment on MJAVADOC-669 at 1/12/21, 2:57 PM:
--------------------------------------------------------------------

I cannot seem to comment in the Oracle bug database ☹ (even after logging in with an Oracle account) so commenting here:

{quote}we are OK (minified files only){quote}

I’d like to ask that “minified files only” is not considered part of the solution, as I wrote above: keeping the full files there makes it easier, well possible at all, to check these files for backdoors etc. (the duplication I was speaking of was that there were two identical copies of unminified jQuery).

{color:#ff0000}⚠{color} For the two GPL’d files ({{script.js}} and {{search.js}}), minified-only would even add a GPL violation, because minified is compiled and not the preferred form for working on. So please do nōn-minified-only, or (if and only if you must) both.

{quote}The jquery files are fixed in JDK 16: there are now just two minified files, which do not refer to a nearby LICENSE file.{quote}

I don’t quite see what this is supposed to mean.

{color:#ff0000}⚠{color} The problem is not that the files refer to a nōnexisting licence file, the problem is that the licence is missing.

was (Author: mirabilos):

I cannot seem to comment in the Oracle bug database ☹

{quote}we are OK (minified files only){quote}

I’d like to ask that “minified files only” is not considered part of the solution, as I wrote above: keeping the full files there makes it easier, well possible at all, to check these files for backdoors etc. (the duplication I was speaking of was that there were two identical copies of unminified jQuery).

{color:#FF0000}⚠{color} For the two GPL’d files ({{script.js}} and {{search.js}}), minified-only would even add a GPL violation, because minified is compiled and not the preferred form for working on. So please do nōn-minified-only, or (if and only if you must) both.

{quote}The jquery files are fixed in JDK 16: there are now just two minified files, which do not refer to a nearby LICENSE file.{quote}

I don’t quite see what this is supposed to mean.

{color:#FF0000}⚠{color} The problem is not that the files refer to a nōnexisting licence file, the problem is that the licence is missing.

> Generated javadoc JARs contain jQuery and other MIT-licenced works without reproducing a copy of the MIT licence, same for GPL-licenced works
> ---------------------------------------------------------------------------
>
> Key: MJAVADOC-669
> URL: https://issues.apache.org/jira/browse/MJAVADOC-669
> Project: Maven Javadoc Plugin
> Issue Type: Bug
> Components: javadoc
> Affects Versions: 3.2.0
> Reporter: Thorsten Glaser
> Priority: Blocker
> Labels: legal, licensing
>
> A javadoc JAR generated by the Maven Javadoc Plugin 3.2.0 contains multiple components under the MIT licence:
> * jQuery 3.5.1
> ** {{jquery/external/jquery/jquery.js}}
> ** {{jquery/jquery-3.5.1.js}} (duplicate of the above, blowing up the PKZIP archive size of the JAR, why is it included like this?)
> * JSZip 3.2.1
> ** {{jquery/jszip/dist/jszip.js}}
> ** {{jquery/jszip-utils/dist/jszip-utils-ie.js}}
> ** {{jquery/jszip-utils/dist/jszip-utils.js}}
> * jQuery UI 1.12.1
> ** {{jquery/jquery-ui.css}}
> ** {{jquery/jquery-ui.js}}
> ** {{jquery/jquery-ui.structure.css}}
> * and their respective minified versions
> It also contains {{script.js}} and {{search.js}} which are GPLv2-with-Classpath-exception-licenced and refer to “as provided by Oracle in the LICENSE file that accompanied this code” but no such file accompanies said code.
> There are also multiple static {{resources}} and {{jquery/images}} whose licence is not documented.
> The MIT licence specifically *requires* that “The […] copyright notice and this permission notice [the licence body] shall be included in all copies or substantial portions of the Software.” The distribution PKZIP archives (JAR files) created by the Maven Javadoc Plugin violate this licence, making them not redistributable.
> Similarly, the GPLv2 used by the Oracle-provided files *requires* that redistributors “give any other recipients of the Program a copy of this License along with the Program.” The “if not, write to the Free Software Foundation” comment is specifically *not sufficient* for this and only provided as fallback should distributors violate this clause, as Maven Javadoc Plugin-generated PKZIP archives do. To be effective, the Classpath exception must also be provided.
> h2. Suggested fix
> Include the following new files:
> * {{jquery/LICENCE}} containing the MIT licence and all respective copyright notices for the various jQuery-related projects (including those _they_ include, i.e. Sizzle, widget.js, position.js, keycode.js, unique-id.js, widgets/autocomplete.js, widgets/menu.js, pako, and possibly others)
> * {{js/LICENSE}} (creating a new subdirectory) containing the Classpath exception as provided by Oracle
> * {{COPYING}} or {{js/COPYING}} (this being the customary name for this file) containing the verbatim text of the GNU GPL version 2
> * Ideally, add a top-level {{LICENCE}} file pointing out those three and briefly documenting the licence of all other non-generated files and state all other files are generated from the original project and share its licence

--
This message was sent by Atlassian Jira
(v8.3.4#803005)