Hi,

I wondered at "Upgrade Tomcat to 8.5.3 (or 8.0.36)" - https://issues.apache.org/jira/browse/OFBIZ-7348 if we should continue or not to put the external libs we use but will no longer deliver with our source releases.

Just a bit of explanation about "source releases". There are 2 sorts of release: source or binary. Source releases are mandatory, when binary (which include external libs) are just released as convenient for users.

So I had a look at 2 things

1. The Rat report on Buildbot https://ci.apache.org/projects/ofbiz/rat-output.html (big stuff)
   Obviously Rat is aware we use archives (as it calls jars), no surprises because this is done after Gradle downloads them to build OFBiz
2. How other projects handle it. There is much diversity. Roughly:
   Maven documented in binary release
   Geronimo documented in binary release
   Jackrabbit nothing in source release on slf4j (SLF4J.ORG) used in S3Backend class ()
   Ant nothing in binary release
   Tomcat nothing on ecj jar (Eclipse.org) even in binary release
   JMeter nothing on slf4j class (SLF4J.ORG) even in binary release

From that it seems to me it's better to ask on legal discuss ML. What do you think? If we agree about doing so, I'd though appreciate if other persons could do their own researches to confirm my finding, thanks!

Jacques

Hi Jacques,

please see my comment below:

On Tue, Aug 23, 2016 at 9:31 AM, Jacques Le Roux <[hidden email]> wrote:

> ...
> 2. How other projects handle it. There is much diversity. Roughly:
> ...
> Tomcat nothing on ecj jar (Eclipse.org) even in binary release

Just to check one of your findings I have downloaded the source release of Tomcat 8.5.4 and in its license file all the dependencies are clearly listed, including the one on ecj jar (that is actually the first in the list).

May I suggest that you perform a more accurate review before contacting the legal team or others?

Kind regards,

Jacopo

Jacopo,

I must say my sentence "Tomcat nothing on ecj jar (Eclipse.org) even in binary release" was ambiguous because for Tomcat and jMeter I only looked in the binary releases. So it should have been

"Tomcat nothing on ecj jar (Eclipse.org) in binary release" same for JMeter

For my defense: I had them downloaded locally, so I did not download the source releases, my bad.

I confirm jars are referenced in the source release and it's interesting to see how jMeter organises things in their source release with a lib folder with sub-folders empty but with READMEs

I'll continue the investigation and would appreciate some help

Jacques

On 23/08/2016 at 10:04, Jacopo Cappellato wrote:
> Hi Jacques,
>
> please see my comment below:
>
> On Tue, Aug 23, 2016 at 9:31 AM, Jacques Le Roux <[hidden email]> wrote:
>
>> ...
>> 2. How other projects handle it. There is much diversity. Roughly:
>> ...
>> Tomcat nothing on ecj jar (Eclipse.org) even in binary release
>
> Just to check one of your findings I have downloaded the source release of Tomcat 8.5.4 and in its license file all the dependencies are clearly listed, including the one on ecj jar (that is actually the first in the list).
>
> May I suggest that you perform a more accurate review before contacting the legal team or others?
>
> Kind regards,
>
> Jacopo

Jacques,

see my comments inline:

On Tue, Aug 23, 2016 at 11:06 AM, Jacques Le Roux <[hidden email]> wrote:

> [...] So it should have been
>
> "Tomcat nothing on ecj jar (Eclipse.org) in binary release" same for JMeter

Please double check: I have checked the binary release as well and the license is there too.

Regards,

Jacopo

Specifically I have checked the binary release of Tomcat 8.5.4

Jacopo

On Tue, Aug 23, 2016 at 11:22 AM, Jacopo Cappellato <[hidden email]> wrote:
> Jacques,
>
> see my comments inline:
>
> On Tue, Aug 23, 2016 at 11:06 AM, Jacques Le Roux <[hidden email]> wrote:
>
>> [...] So it should have been
>>
>> "Tomcat nothing on ecj jar (Eclipse.org) in binary release" same for JMeter
>
> Please double check: I have checked the binary release as well and the license is there too.
>
> Regards,
>
> Jacopo

Right, it seems these days I'm working either too late or too early. I'll double check all my assertions.

I'm though quite happy with what I have found. Notably how jMeter organises external libs and documents it. Such a thing is mandatory when you use a tool like Maven or Gradle and want to deliver binary releases.

Thanks for the review!

Jacques

On 23/08/2016 at 11:23, Jacopo Cappellato wrote:
> Specifically I have checked the binary release of Tomcat 8.5.4
>
> Jacopo

OK, I did my homework and here is what I found. I looked at 3 TLPs: Tomcat, Ant & JMeter last releases.

Globally they all document in their LICENSE files the external libs they use in their source releases; but don't do so in their binary LICENSE files.

For instance Tomcat uses
org.apache.taglibs.standard.tlv and
org.apache.commons.daemon.support
in its binary release (not in source) but does not document it (same LICENSE file as in source release). I guess both class are used an optional component (did not check).

Same for Ant about Ivy. I though did not find any reference to the libs referenced in their lib/libraries.properties file which is a bit like OFBiz using Gradle...

JMeter gives much references, a bit the way we currently do, but without paths since the libs are of course not in its source release. Paths are given for JavaScript files or other not Java types (in their bin folder)

To summarize, it seems that we still need to put jars references in our LICENSE file. But since the libs are not in OFBiz source release anymore but are downloaded by Gradle we can't use file paths.

2 things I still wonder about are:

1. Why Ant does not document the libs referenced in their lib/libraries.properties file. It could be that they are not used OOTB (ie optional) I did not check that yet
2. If we need to document all the external libs used by OFBiz or only the ones directly referenced in build.gradle.

HTH

Jacques

On 23/08/2016 at 11:42, Jacques Le Roux wrote:
> Right, it seems these days I'm working either too late or too early. I'll double check all my assertions.
>
> I'm though quite happy with what I have found. Notably how jMeter organises external libs and documents it.
> Such a thing is mandatory when you use a tool like Maven or Gradle and want to deliver binary releases.
>
> Thanks for the review!
>
> Jacques

Also forgot to report that Ant has lib\optional folder with 3 not documented jars there.
So as long as it's optional you don't need to reference it in the LICENSE file.
We use OPTIONAL_LIBRARIES for that as a convenience to users.

Jacques

At r1757579 I have removed obsolete information:

LICENSE file
    jars have no longer paths files
    Ant is no longer present, the Version 1.1 of the ASL can be removed
NOTICE file
    Ant is no longer present, its notice can be removed
    Log4J is no longer present, its notice can be removed (log4j2 has not the same constraint)
    jpim is no longer present, its notice can be removed

Jacques

On 24/08/2016 at 16:23, [hidden email] wrote:
> Also forgot to report that Ant has lib\optional folder with 3 not documented jars there.
> So as long as it's optional you don't need to reference it in the LICENSE file.
> We use OPTIONAL_LIBRARIES for that as a convenience to users.
>
> Jacques

On 24/08/2016 at 15:04, Jacques Le Roux wrote:
> 2 things I still wonder about are:
>
> 1. Why Ant does not document the libs referenced in their lib/libraries.properties file. It could be that they are not used OOTB (ie optional) I did not check that yet
> 2. If we need to document all the external libs used by OFBiz or only the ones directly referenced in build.gradle.

1. Finally I think we should not worry about what Ant does or does not
2. Better to continue with our current LICENSE file and remove/add dependencies when needed, in other words KISS way

Good news, it's already done at r1757579 :)

Jacques

Thanks for the research, Jacques: your conclusions are in line with mine.

Jacopo

On Thu, Aug 25, 2016 at 6:37 AM, Jacques Le Roux <[hidden email]> wrote:
> On 24/08/2016 at 15:04, Jacques Le Roux wrote:
>
>> 2 things I still wonder about are:
>>
>> 1. Why Ant does not document the libs referenced in their lib/libraries.properties file. It could be that they are not used OOTB (ie optional) I did not check that yet
>> 2. If we need to document all the external libs used by OFBiz or only the ones directly referenced in build.gradle.
>
> 1. Finally I think we should not worry about what Ant does or does not
> 2. Better to continue with our current LICENSE file and remove/add dependencies when needed, in other words KISS way
>
> Good news, it's already done at r1757579 :)
>
> Jacques

A reminder: we should review in a similar way the LICENSE and NOTICE files under specialpurpose.

Jacopo

Indeed, it has not been updated for a while, I'd check that

Jacques

On 25/08/2016 at 07:32, Jacopo Cappellato wrote:
> A reminder: we should review in a similar way the LICENSE and NOTICE files
> under specialpurpose.
>
> Jacopo