Robert Burrell Donkin wrote:
> On Mon, Jun 15, 2009 at 11:24 PM, Stefano Bagnara<apa...@bago.org> wrote:
>> Robert Burrell Donkin wrote:
>>> On Mon, Jun 15, 2009 at 10:59 AM, Stefano Bagnara<apa...@bago.org> wrote:
>>>> David Jencks wrote:
>>>>> On Jun 14, 2009, at 11:06 AM, Norman Maurer wrote:
>>>>>
>>>>>> Hi guys,
>>>>>>
>>>>>> here is the VOTE for release jSPF 0.9.7. Please cast your VOTE after
>>>>>> review:
>>>>>>
>>>>>> http://people.apache.org/~norman/staging-repository/org/apache/james/jspf/apache-jspf/0.9.7/
>>>>>>
>>>>> I'm confused by a few things.
>>>>>
>>>>> I'm really confused by the two LICENSE files and two NOTICE files.  Not
>>>>> being a lawyer I think I'd have to consult one before considering using
>>>>> the product.  I'm not sure how anyone could figure out which file
>>>>> applies to the product.
>>>> This is how most James releases are distributed. Maybe the
>>>> LICENSE.apache file is only needed by projects using ANT, but Robert can
>>>> probably give a better answer. Maybe we can remove the NOTICE.base and
>>>> LICENSE.apache as long as we don't have ant support.
>>> they're there because people wanted them there
>>>
>>> if no one wants them any more, i'm happy to remove them
>>>
>>>>> My understanding of apache policy is that the legal files are supposed
>>>>> to describe and apply to exactly what is in the artifact that contains
>>>>> them.  I didn't do a complete search but suspect from the language that
>>>>> the larger LICENSE and NOTICE files also include information about
>>>>> dependencies such as junit that are not actually redistributed.  The
>>>>> notice file also has some "thanks for the inspiration" notes that don't
>>>>> seem to me appropriate for the NOTICE file.  Again, it's only my
>>>>> impression of apache policy, but I think the NOTICE file is supposed to
>>>>> be as short as possible and only include the standard apache notice and
>>>>> anything legally required by external code that is actually included in
>>>>> the artifact.
>>>> We discussed it also on legal-discuss. The policy is to describe in
>>>> NOTICE and LICENSE exactly what we have in each distro but most projects
>>>> don't do this and doing so would be a PITA, so it is acceptable to have
>>>> a NOTICE/LICENSE that includes more than what is required.
>>> <rant>
>>> to my best knowledge, no committee votes have happened to change to
>>> this much stricter policy nor to bless my descriptive non-normative
>>> documentation on the apache site with policy status. some others
>>> vigorously disagree with this point. so, i really don't want to get
>>> into yet another useless flame war about what is and what is not apache
>>> policy :-/
>>> </rant>
>>>
>>> i would agree with david that it's best to be precise and minimal but
>>> as far as i'm concerned the james releases are within the acceptable
>>> range. i'd be happy to move further towards what i think of as best
>>> practice if there are no longer any objections to that.
>> To my knowledge there are JIRA issues for the legal team opened since a
>> year. If there is some sort of consensus they should be closed and all
>> of the apache projects should be warned about the policy because, as you
>> can see from a fast overview I did when I opened those issues, most of
>> them simply don't follow the most basic rules.
> 
> too many people now mistake guidance on best practice for policy

They mistake because it is not clear: is it a best practice or a policy?
Is a project allowed to ship with a single LICENSE/NOTICE including the
largest list of licenses or not?

When I filed the issues to the LEGAL jira I lost a lot of time searching
for official policies and also investigated a lot of existing releases
to understand if there was a common best practice. Well, maybe it is a
best practice, but for sure it is not *common* at ASF: I can find hundreds
of released artifacts violating this best practice.

Also I had the impression that this "best practice" was pushed by few
people and that there is no agreement and understanding on the issue.
That's why I thought we first need LEGAL response (that we didn't have
yet) and then we'll be entitled to *choose* how we want to spend our time.

>> In order to have a correct NOTICE/LICENSE (with no superfluous stuff in
>> it) for each package most time means having 1 for the binary, 1 for the
>> source distro, 1 for the remaining artifacts. I don't think it is worthy
>> for anyone to have to maintain such a PITA.
> 
> maven is now quite close to automatically producing satisfactory releases now

At that time maven resource bundle was creating at least a NOTICE
including a reference to all the LICENSES (I wasn't able to convince
them that the licenses should have been listed in LICENSE) but then they
stripped everything to simply use a simple NOTICE/LICENSE with no
additional data from included third party works.

I stopped following the enhancement since then, but I'm interested in
seeing how "quite close" is what you are describing: do you suggest that
we should stop releasing until maven will do it "fully close"?

Stefano
