
audit third party deps and NOTICE.TXT #10684

Closed
kevinkluge opened this issue Apr 20, 2015 · 4 comments · Fixed by #11705
@kevinkluge
Member

We should go through all the third party dependencies that we redistribute and make sure NOTICE.TXT has all the info needed to comply with the license terms of the dependencies.

@rmuir
Contributor

rmuir commented Apr 21, 2015

I looked into it a little yesterday: currently we use com.mycila license-maven-plugin to check source code license headers.

  • codehaus license-maven-plugin (http://mojo.codehaus.org/license-maven-plugin/) seems more full-featured and can report licenses of third-party dependencies. I was able to make this work and produce an XML file, but it just reports the licenses of every dep. This seems helpful though.
  • apache whisker (http://creadur.apache.org/whisker/) has the goal of maintaining NOTICE/LICENSE-type documentation in mind. However, I was unable to make it work at all. In its current state (0.1-snapshot, etc.) I was unable to get past all the barriers, like configuring custom .m2/settings that allow its plugin prefix and making this work with the apache snapshot repository.

@mrsolo
Contributor

mrsolo commented Apr 22, 2015

We use the https://github.com/elastic/elasticsearch/blob/master/pom.xml#L1753 license profile when doing license analysis, which essentially reverts back to http://mojo.codehaus.org/license-maven-plugin/

'mvn site' will generate all kinds of goodies, including third party dependencies

@clintongormley

I've been trying to automate this with http://mojo.codehaus.org/license-maven-plugin/ but I have a few questions:

  • If three dependencies all use the BSD 3-clause license, do we need to distribute one copy of the BSD 3-clause license, or 3 individual copies, each one with the copyright details filled in?
  • We don't redistribute the source of the dependencies, so I assume we only need to distribute the licenses in the compiled version?
  • We can generate a NOTICE file for our dependencies, but it looks like we have to include the NOTICE file from each dependency as well (see http://www.apache.org/licenses/LICENSE-2.0.html#redistribution). Am I reading this correctly?
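A small cross-check of the kind rmuir and clintongormley describe, added here as an example and not code from the Elasticsearch project: it groups a license-maven-plugin style report by license and lists every artifact that NOTICE.TXT does not mention. The report shape is an assumption modelled on the plugin's licenses.xml output, and both the report and the NOTICE excerpt are constructed sample data.

```python
"""Cross-check a license report against NOTICE.TXT (added example).
Report shape is assumed, modelled on license-maven-plugin's licenses.xml."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report; not real dependency data from the project.
SAMPLE_REPORT = """<licenseSummary><dependencies>
  <dependency><groupId>org.example</groupId><artifactId>alpha</artifactId>
    <version>1.0</version><licenses><license>
    <name>Apache License, Version 2.0</name></license></licenses></dependency>
  <dependency><groupId>org.example</groupId><artifactId>beta</artifactId>
    <version>2.1</version><licenses><license>
    <name>BSD 3-Clause</name></license></licenses></dependency>
  <dependency><groupId>org.example</groupId><artifactId>gamma</artifactId>
    <version>0.9</version><licenses/></dependency>
</dependencies></licenseSummary>"""

# Constructed NOTICE.TXT excerpt; each entry names the artifact it covers.
SAMPLE_NOTICE = """This product includes software developed by third parties.

org.example:alpha -- Apache License, Version 2.0 (see licenses/APACHE-2.0)
"""

def parse_report(xml_text):
    """Return {license name: [groupId:artifactId:version, ...]}; artifacts
    with no declared license land under 'UNKNOWN' so they get flagged."""
    by_license = defaultdict(list)
    for dep in ET.fromstring(xml_text).iter("dependency"):
        coord = ":".join(dep.findtext(t, "") for t in ("groupId", "artifactId", "version"))
        names = [lic.findtext("name", "").strip() for lic in dep.iter("license")]
        for name in names or ["UNKNOWN"]:
            by_license[name or "UNKNOWN"].append(coord)
    return dict(by_license)

def missing_from_notice(by_license, notice_text):
    """List (coordinate, license) pairs NOTICE.TXT does not cover: the
    groupId:artifactId is absent from the file, or the license is unknown."""
    gaps = []
    for lic, coords in sorted(by_license.items()):
        for coord in coords:
            group_artifact = coord.rsplit(":", 1)[0]
            if lic == "UNKNOWN" or group_artifact not in notice_text:
                gaps.append((coord, lic))
    return gaps

if __name__ == "__main__":
    for coord, lic in missing_from_notice(parse_report(SAMPLE_REPORT), SAMPLE_NOTICE):
        print(f"NOTICE.TXT gap: {coord} ({lic})")
```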

@kevinkluge
Member Author

@clintongormley

  1. We need to include a copy for every different copyright holder. Just repeat the full BSD license, with only the copyright being different.
  2. Correct (compiled Java counts as binary).
  3. No. See the definition of "derivative work". We are shipping these jars unmodified, so we are not distributing derivative works, and don't need to include the deps' NOTICE files as a result. (If I'm wrong and we are modifying any deps from source, those resulting jars are derivative works, and the NOTICE inclusion clause does apply, for that jar.)
