belingueres commented on issue #586: URL: https://github.com/apache/maven-project-info-reports-plugin/issues/586#issuecomment-4211214807
There exists the [spdx-java-library](https://github.com/spdx/spdx-java-library), which queries the spdx.org site with the given license id (ex. Apache-2.0 ==> https://spdx.org/licenses/Apache-2.0.json). It can be configured to save the file content in a local cache with a TTL to avoid downloading it every time, and there is another configuration to directly serve the license text stored inside the jar file (though I don't know if the files change often or not).

This at least will transfer the request demand to spdx.org (though I don't know if they can cope with it).

This may work provided:

- People trust downloading license text from spdx.org.
- The Maven pom.xml license declaration is rather explicit regarding the URL where it is expected to find the license file (`<url>` tag), so I don't know if there is a potential legal issue there.
- Sensible defaults can be configured that work for most users, AND a parameter to change behavior when needed. For example: a) force downloading the license from the URL specified in the pom.xml file, b) allow downloading from spdx.org, c) force getting the license text from the local jar file.
