Jars in LICENCE?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

Jars in LICENCE?

Jacques Le Roux
Administrator
Hi,

I wondered at "Upgrade Tomcat to 8.5.3 (or 8.0.36)" - https://issues.apache.org/jira/browse/OFBIZ-7348 if we should continue or not to put the
externals libs we use but will no longer deliver with our source releases.

Just a bit of explanation about "source releases". There are 2 sorts of release: source or binary. Source releases are mandatory, when binary (which
include external libs) are just released as convenient for users.

So I had a look at 2 things

 1. The Rat report on Buildbot https://ci.apache.org/projects/ofbiz/rat-output.html (big stuff) Obviously Rat is aware we use archives (as it call
    jars), no surprises because this is done after Gradle download them to build OFBiz
 2. How other projects handle it. There is much diversity. Roughly:
    Maven documented in binary release
    Geronimo documented in binary release
    Jackrabbit nothing in source release sur slf4j (SLF4J.ORG)  used in S3Backend class ()
    Ant nothing in binary release
    Tomcat nothing on ecj jar (Eclipse.org)  even in binary release
    JMeter nothing on slf4j class (SLF4J.ORG)  even in binary release

 From that it seems to me it's better to ask on legal discuss ML. What do you think?

If we agree about doing so, I'd though appreciate if other persons could do their own researches to confirm my finding, thanks!

Jacques

Reply | Threaded
Open this post in threaded view
|

Re: Jars in LICENCE?

Jacopo Cappellato-5
Hi Jacques,

please see my comment below:

On Tue, Aug 23, 2016 at 9:31 AM, Jacques Le Roux <
[hidden email]> wrote:

> ...

2. How other projects handle it. There is much diversity. Roughly:
> ...

  Tomcat nothing on ecj jar (Eclipse.org)  even in binary release
>

Just to check one of your findings I have downloaded the source release of
Tomcat 8.5.4 and in its license file all the dependencies are clearly
listed included the one on ecj jar (that is actually the first in the list).

May I suggest that you perform a more accurate review before contacting the
legal team or others?

Kind regards,

Jacopo
Reply | Threaded
Open this post in threaded view
|

Re: Jars in LICENCE?

Jacques Le Roux
Administrator
Jacopo,

I must say my sentence

"Tomcat nothing on ecj jar (Eclipse.org)  even in binary release"

was ambiguous because for Tomcat and jMeter I only looked in the binary releases. So it should have been

"Tomcat nothing on ecj jar (Eclipse.org) in binary release" same for JMeter

For my defense: I had them downloaded locally, so I did not download the source releases, my bad.

I confirm jars are referenced in the source release and it's interesting to see how jMeter organises things in their source release with a lib folder with sub-folders empty but with READMEs

I'll continue the investigation and would appreciate some help

Jacques


Le 23/08/2016 à 10:04, Jacopo Cappellato a écrit :

> Hi Jacques,
>
> please see my comment below:
>
> On Tue, Aug 23, 2016 at 9:31 AM, Jacques Le Roux <
> [hidden email]> wrote:
>
>> ...
> 2. How other projects handle it. There is much diversity. Roughly:
>> ...
>    Tomcat nothing on ecj jar (Eclipse.org)  even in binary release
> Just to check one of your findings I have downloaded the source release of
> Tomcat 8.5.4 and in its license file all the dependencies are clearly
> listed included the one on ecj jar (that is actually the first in the list).
>
> May I suggest that you perform a more accurate review before contacting the
> legal team or others?
>
> Kind regards,
>
> Jacopo
>

Reply | Threaded
Open this post in threaded view
|

Re: Jars in LICENCE?

Jacopo Cappellato-5
Jacques,

see my comments inline:

On Tue, Aug 23, 2016 at 11:06 AM, Jacques Le Roux <
[hidden email]> wrote:

> [...] So it should have been
>
> "Tomcat nothing on ecj jar (Eclipse.org) in binary release" same for JMeter
>
>
Please double check: I have checked the binary release as well and the
license is there too.

Regards,

Jacopo
Reply | Threaded
Open this post in threaded view
|

Re: Jars in LICENCE?

Jacopo Cappellato-5
Specifically I have checked the binary release of Tomcat 8.5.4

Jacopo

On Tue, Aug 23, 2016 at 11:22 AM, Jacopo Cappellato <
[hidden email]> wrote:

> Jacques,
>
> see my comments inline:
>
> On Tue, Aug 23, 2016 at 11:06 AM, Jacques Le Roux <
> [hidden email]> wrote:
>
>> [...] So it should have been
>>
>> "Tomcat nothing on ecj jar (Eclipse.org) in binary release" same for
>> JMeter
>>
>>
> Please double check: I have checked the binary release as well and the
> license is there too.
>
> Regards,
>
> Jacopo
>
Reply | Threaded
Open this post in threaded view
|

Re: Jars in LICENCE?

Jacques Le Roux
Administrator
Right, it seems those days I'm working either too late or too early. I'll double check all my assertions.

I'm though quite happy with what I have found. Notably how jMeter organises external libs and documents it.
A such thing is mandatory when you use a tool like Maven or Gradle and want to deliver binary releases.

Thanks for the review!

Jacques


Le 23/08/2016 à 11:23, Jacopo Cappellato a écrit :

> Specifically I have checked the binary release of Tomcat 8.5.4
>
> Jacopo
>
> On Tue, Aug 23, 2016 at 11:22 AM, Jacopo Cappellato <
> [hidden email]> wrote:
>
>> Jacques,
>>
>> see my comments inline:
>>
>> On Tue, Aug 23, 2016 at 11:06 AM, Jacques Le Roux <
>> [hidden email]> wrote:
>>
>>> [...] So it should have been
>>>
>>> "Tomcat nothing on ecj jar (Eclipse.org) in binary release" same for
>>> JMeter
>>>
>>>
>> Please double check: I have checked the binary release as well and the
>> license is there too.
>>
>> Regards,
>>
>> Jacopo
>>

Reply | Threaded
Open this post in threaded view
|

Re: Jars in LICENCE?

Jacques Le Roux
Administrator
OK, I did my homework and here is what I found. I looked at 3 TLPs: Tomcat, Ant & JMeter last releases.

Globally they all document in their LICENSE files the external libs they use in their source releases; but don't to so in their binary LICENSE files.

For instance Tomcat uses
     org.apache.taglibs.standard.tlv and
     org.apache.commons.daemon.support
in its binary release (not in source) but does not document it (same LICENSE file than in source release). I guess both class are used an optional
component (did not check).

Same for Ant about Ivy. I though did not find any reference to the libs referenced in their lib/libraries.properties file which it is a bit like OFBiz
using Gradle...

JMeter gives much references, a bit the way we currently do, but without paths since the libs are of course not in its source release. Paths are given
for JavaScript files or other not Java types (in their bin folder)

To summarize, it seems that we still need to put jars references in our LICENSE file. But since the libs are not in OFBiz source release anymore but
are downloaded by Gradle we can't use file paths.

2 things I still wonder about are:

 1. Why Ant does not document the libs referenced in their lib/libraries.properties file. It could be that they are not used OOTB (ie optional) I did
    not check that yet
 2. If we need to document all the externals libs used by OFBiz or only the one directly reference in build.gradle.

HTH

Jacques

Le 23/08/2016 à 11:42, Jacques Le Roux a écrit :

> Right, it seems those days I'm working either too late or too early. I'll double check all my assertions.
>
> I'm though quite happy with what I have found. Notably how jMeter organises external libs and documents it.
> A such thing is mandatory when you use a tool like Maven or Gradle and want to deliver binary releases.
>
> Thanks for the review!
>
> Jacques
>
>
> Le 23/08/2016 à 11:23, Jacopo Cappellato a écrit :
>> Specifically I have checked the binary release of Tomcat 8.5.4
>>
>> Jacopo
>>
>> On Tue, Aug 23, 2016 at 11:22 AM, Jacopo Cappellato <
>> [hidden email]> wrote:
>>
>>> Jacques,
>>>
>>> see my comments inline:
>>>
>>> On Tue, Aug 23, 2016 at 11:06 AM, Jacques Le Roux <
>>> [hidden email]> wrote:
>>>
>>>> [...] So it should have been
>>>>
>>>> "Tomcat nothing on ecj jar (Eclipse.org) in binary release" same for
>>>> JMeter
>>>>
>>>>
>>> Please double check: I have checked the binary release as well and the
>>> license is there too.
>>>
>>> Regards,
>>>
>>> Jacopo
>>>
>
>

Reply | Threaded
Open this post in threaded view
|

Re: Jars in LICENCE?

jleroux@apache.org
Also forgot to report that Ant has lib\optional folder with 3 not documented jars there.
So as long as it's optional you don't need to reference it in the LICENSE file.
We use OPTIONAL_LIBRARIES for that as a convenience to users.

Jacques

Le 24/08/2016 à 15:04, Jacques Le Roux a écrit :

> OK, I did my homework and here is what I found. I looked at 3 TLPs: Tomcat, Ant & JMeter last releases.
>
> Globally they all document in their LICENSE files the external libs they use in their source releases; but don't to so in their binary LICENSE files.
>
> For instance Tomcat uses
>     org.apache.taglibs.standard.tlv and
>     org.apache.commons.daemon.support
> in its binary release (not in source) but does not document it (same LICENSE file than in source release). I guess both class are used an optional
> component (did not check).
>
> Same for Ant about Ivy. I though did not find any reference to the libs referenced in their lib/libraries.properties file which it is a bit like
> OFBiz using Gradle...
>
> JMeter gives much references, a bit the way we currently do, but without paths since the libs are of course not in its source release. Paths are
> given for JavaScript files or other not Java types (in their bin folder)
>
> To summarize, it seems that we still need to put jars references in our LICENSE file. But since the libs are not in OFBiz source release anymore but
> are downloaded by Gradle we can't use file paths.
>
> 2 things I still wonder about are:
>
> 1. Why Ant does not document the libs referenced in their lib/libraries.properties file. It could be that they are not used OOTB (ie optional) I did
>    not check that yet
> 2. If we need to document all the externals libs used by OFBiz or only the one directly reference in build.gradle.
>
> HTH
>
> Jacques
>
> Le 23/08/2016 à 11:42, Jacques Le Roux a écrit :
>> Right, it seems those days I'm working either too late or too early. I'll double check all my assertions.
>>
>> I'm though quite happy with what I have found. Notably how jMeter organises external libs and documents it.
>> A such thing is mandatory when you use a tool like Maven or Gradle and want to deliver binary releases.
>>
>> Thanks for the review!
>>
>> Jacques
>>
>>
>> Le 23/08/2016 à 11:23, Jacopo Cappellato a écrit :
>>> Specifically I have checked the binary release of Tomcat 8.5.4
>>>
>>> Jacopo
>>>
>>> On Tue, Aug 23, 2016 at 11:22 AM, Jacopo Cappellato <
>>> [hidden email]> wrote:
>>>
>>>> Jacques,
>>>>
>>>> see my comments inline:
>>>>
>>>> On Tue, Aug 23, 2016 at 11:06 AM, Jacques Le Roux <
>>>> [hidden email]> wrote:
>>>>
>>>>> [...] So it should have been
>>>>>
>>>>> "Tomcat nothing on ecj jar (Eclipse.org) in binary release" same for
>>>>> JMeter
>>>>>
>>>>>
>>>> Please double check: I have checked the binary release as well and the
>>>> license is there too.
>>>>
>>>> Regards,
>>>>
>>>> Jacopo
>>>>
>>
>>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: Jars in LICENCE?

Jacques Le Roux
Administrator
At r1757579

I have removed obsolete information:
LICENSE file
   jars have no longer paths files
   Ant is no longer present the Version 1.1 of the ASL can be removed
NOTICE file
   Ant is no longer present its notice can be removed
   Log4J is no longer present its notice can be removed (log4j2 has not the same constraint)
   jpim is no longer present its notice can be removed

Jacques


Le 24/08/2016 à 16:23, [hidden email] a écrit :

> Also forgot to report that Ant has lib\optional folder with 3 not documented jars there.
> So as long as it's optional you don't need to reference it in the LICENSE file.
> We use OPTIONAL_LIBRARIES for that as a convenience to users.
>
> Jacques
>
> Le 24/08/2016 à 15:04, Jacques Le Roux a écrit :
>> OK, I did my homework and here is what I found. I looked at 3 TLPs: Tomcat, Ant & JMeter last releases.
>>
>> Globally they all document in their LICENSE files the external libs they use in their source releases; but don't to so in their binary LICENSE files.
>>
>> For instance Tomcat uses
>>     org.apache.taglibs.standard.tlv and
>>     org.apache.commons.daemon.support
>> in its binary release (not in source) but does not document it (same LICENSE file than in source release). I guess both class are used an optional
>> component (did not check).
>>
>> Same for Ant about Ivy. I though did not find any reference to the libs referenced in their lib/libraries.properties file which it is a bit like
>> OFBiz using Gradle...
>>
>> JMeter gives much references, a bit the way we currently do, but without paths since the libs are of course not in its source release. Paths are
>> given for JavaScript files or other not Java types (in their bin folder)
>>
>> To summarize, it seems that we still need to put jars references in our LICENSE file. But since the libs are not in OFBiz source release anymore
>> but are downloaded by Gradle we can't use file paths.
>>
>> 2 things I still wonder about are:
>>
>> 1. Why Ant does not document the libs referenced in their lib/libraries.properties file. It could be that they are not used OOTB (ie optional) I did
>>    not check that yet
>> 2. If we need to document all the externals libs used by OFBiz or only the one directly reference in build.gradle.
>>
>> HTH
>>
>> Jacques
>>
>> Le 23/08/2016 à 11:42, Jacques Le Roux a écrit :
>>> Right, it seems those days I'm working either too late or too early. I'll double check all my assertions.
>>>
>>> I'm though quite happy with what I have found. Notably how jMeter organises external libs and documents it.
>>> A such thing is mandatory when you use a tool like Maven or Gradle and want to deliver binary releases.
>>>
>>> Thanks for the review!
>>>
>>> Jacques
>>>
>>>
>>> Le 23/08/2016 à 11:23, Jacopo Cappellato a écrit :
>>>> Specifically I have checked the binary release of Tomcat 8.5.4
>>>>
>>>> Jacopo
>>>>
>>>> On Tue, Aug 23, 2016 at 11:22 AM, Jacopo Cappellato <
>>>> [hidden email]> wrote:
>>>>
>>>>> Jacques,
>>>>>
>>>>> see my comments inline:
>>>>>
>>>>> On Tue, Aug 23, 2016 at 11:06 AM, Jacques Le Roux <
>>>>> [hidden email]> wrote:
>>>>>
>>>>>> [...] So it should have been
>>>>>>
>>>>>> "Tomcat nothing on ecj jar (Eclipse.org) in binary release" same for
>>>>>> JMeter
>>>>>>
>>>>>>
>>>>> Please double check: I have checked the binary release as well and the
>>>>> license is there too.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Jacopo
>>>>>
>>>
>>>
>>
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: Jars in LICENCE?

Jacques Le Roux
Administrator
In reply to this post by Jacques Le Roux
Le 24/08/2016 à 15:04, Jacques Le Roux a écrit :
> 2 things I still wonder about are:
>
> 1. Why Ant does not document the libs referenced in their lib/libraries.properties file. It could be that they are not used OOTB (ie optional) I did
>    not check that yet
> 2. If we need to document all the externals libs used by OFBiz or only the one directly reference in build.gradle.

1. Finally I think we should not worry about what Ant does or does not
2. Better to continue with our current LICENSE file and remove/add dependencies when needed, in other words KISS way

Good news, it's already done at r1757579 :)

Jacques
Reply | Threaded
Open this post in threaded view
|

Re: Jars in LICENCE?

Jacopo Cappellato-5
Thanks for the research, Jacques: your conclusions are inline with mine.

Jacopo

On Thu, Aug 25, 2016 at 6:37 AM, Jacques Le Roux <
[hidden email]> wrote:

> Le 24/08/2016 à 15:04, Jacques Le Roux a écrit :
>
>> 2 things I still wonder about are:
>>
>> 1. Why Ant does not document the libs referenced in their
>> lib/libraries.properties file. It could be that they are not used OOTB (ie
>> optional) I did
>>    not check that yet
>> 2. If we need to document all the externals libs used by OFBiz or only
>> the one directly reference in build.gradle.
>>
>
> 1. Finally I think we should not worry about what Ant does or does not
> 2. Better to continue with our current LICENSE file and remove/add
> dependencies when needed, in other words KISS way
>
> Good news, it's already done at r1757579 :)
>
> Jacques
>
Reply | Threaded
Open this post in threaded view
|

Re: Jars in LICENCE?

Jacopo Cappellato-5
In reply to this post by Jacques Le Roux
A reminder: we should review in a similar way the LICENSE and NOTICE files
under specialpurpose.

Jacopo

On Thu, Aug 25, 2016 at 6:37 AM, Jacques Le Roux <
[hidden email]> wrote:

> Le 24/08/2016 à 15:04, Jacques Le Roux a écrit :
>
>> 2 things I still wonder about are:
>>
>> 1. Why Ant does not document the libs referenced in their
>> lib/libraries.properties file. It could be that they are not used OOTB (ie
>> optional) I did
>>    not check that yet
>> 2. If we need to document all the externals libs used by OFBiz or only
>> the one directly reference in build.gradle.
>>
>
> 1. Finally I think we should not worry about what Ant does or does not
> 2. Better to continue with our current LICENSE file and remove/add
> dependencies when needed, in other words KISS way
>
> Good news, it's already done at r1757579 :)
>
> Jacques
>
Reply | Threaded
Open this post in threaded view
|

Re: Jars in LICENCE?

Jacques Le Roux
Administrator
Indeed, it has not been updated for a while, I'd check that

Jacques


Le 25/08/2016 à 07:32, Jacopo Cappellato a écrit :

> A reminder: we should review in a similar way the LICENSE and NOTICE files
> under specialpurpose.
>
> Jacopo
>
> On Thu, Aug 25, 2016 at 6:37 AM, Jacques Le Roux <
> [hidden email]> wrote:
>
>> Le 24/08/2016 à 15:04, Jacques Le Roux a écrit :
>>
>>> 2 things I still wonder about are:
>>>
>>> 1. Why Ant does not document the libs referenced in their
>>> lib/libraries.properties file. It could be that they are not used OOTB (ie
>>> optional) I did
>>>     not check that yet
>>> 2. If we need to document all the externals libs used by OFBiz or only
>>> the one directly reference in build.gradle.
>>>
>> 1. Finally I think we should not worry about what Ant does or does not
>> 2. Better to continue with our current LICENSE file and remove/add
>> dependencies when needed, in other words KISS way
>>
>> Good news, it's already done at r1757579 :)
>>
>> Jacques
>>