Raised by Jarek Potiuk during the 0.42.0-incubating RC3 PPMC review. Non-blocking for the release.
Issue
The wheel ships the built React UI under burr/tracking/server/build/. That bundle (~1.7 MB total) embeds many third-party npm packages (React, react-router, lodash, the Magic UI runtime deps, etc.). Their license terms are documented in burr/tracking/server/build/static/js/main.<hash>.js.LICENSE.txt — which is webpack's auto-generated comment-banner aggregation.
That file is technically present and machine-readable, but it's not surfaced anywhere a typical license auditor would look: the wheel's top-level LICENSE-wheel does not reference it, and there's no dist-info/licenses/ entry for the bundled deps.
What's expected for ASF wheels
Apache release policy expects all bundled dependencies to be enumerated in the project's LICENSE / NOTICE in some form, even if the underlying license file is shipped separately. The current state passes RAT (we exclude *.js), but is fragile to a strict licensing review.
Suggested fix
One of:
- Have the release script copy burr/tracking/server/build/static/js/main.*.js.LICENSE.txt into dist-info/licenses/LICENSE-bundled-js.txt during wheel build, AND add a one-line pointer in LICENSE-wheel pointing readers to that file.
- Pre-process the webpack output to extract a deduplicated, sorted, top-level LICENSE-bundled-js.txt that's appended to LICENSE-wheel directly.
- Vendor a static LICENSE-bundled-js.txt listing the npm deps + their licenses, and verify it stays in sync via CI.
Option 1 is the lowest-effort and survives webpack hash changes automatically.
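As an added illustration of what options 1 and 2 involve (this is example code, not Burr's release tooling), the script below locates the webpack banner file by glob so the content hash in the filename does not matter, then normalises each extracted comment block, drops exact duplicates, sorts the remainder and renders a stable LICENSE-bundled-js.txt. The sample input is constructed in webpack's banner format; the build-directory layout and the output filename are assumptions taken from the issue text.

```python
"""Deduplicate webpack's auto-generated *.js.LICENSE.txt banner aggregation.

Added example, not Burr's release tooling. Webpack (via terser) copies every
comment that starts with `/*!` or contains `@license` / `@preserve` out of the
bundle and concatenates them into main.<hash>.js.LICENSE.txt. The same banner
can appear several times (one per module that carries it), so the file has
duplicates and no stable order. This script produces a deterministic appendix
that can be copied into dist-info/licenses/ or appended to LICENSE-wheel.
"""
from __future__ import annotations

import glob
import os
import re
import sys

# Constructed sample in webpack's banner format (not a real build artefact).
SAMPLE = """/*!
 * example-router v1.0.0
 * @license MIT
 */

/**
 * @license ExampleUI
 * example-ui.production.min.js
 * Copyright (c) Example Corp.
 * This source code is licensed under the MIT license.
 */

/*!
 * example-router v1.0.0
 * @license MIT
 */

/** @license Apache-2.0 example-utils 2.3.1 */
"""

_BLOCK_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
_LICENSE_TAG_RE = re.compile(r"@license\s+([^\s*]+)")


def _normalise(block: str) -> str:
    """Strip comment delimiters and leading '*' so equal banners compare equal."""
    body = block.strip()
    body = re.sub(r"^/\*+!?", "", body)  # leading /*, /*! or /**
    body = re.sub(r"\*+/$", "", body)    # trailing */
    lines = []
    for line in body.splitlines():
        line = re.sub(r"^\*\s?", "", line.strip())  # ' * ' continuation marker
        if line:
            lines.append(line)
    return "\n".join(lines)


def parse_license_banners(text: str) -> list[str]:
    """Return the unique, normalised comment blocks in deterministic order."""
    seen: set[str] = set()
    out: list[str] = []
    for m in _BLOCK_RE.finditer(text):
        block = _normalise(m.group(0))
        if block and block not in seen:
            seen.add(block)
            out.append(block)
    return sorted(out, key=str.casefold)


def license_tags(blocks: list[str]) -> list[str]:
    """Collect the bare `@license <id>` identifiers (e.g. MIT) for a quick summary."""
    tags = {m.group(1) for b in blocks for m in _LICENSE_TAG_RE.finditer(b)}
    return sorted(tags)


def render(blocks: list[str]) -> str:
    """Render the deduplicated blocks as a plain-text license appendix."""
    header = "Third-party JavaScript bundled in the tracking UI (deduplicated from webpack output)\n"
    return header + "=" * 80 + "\n\n" + "\n\n".join(blocks) + "\n"


def find_webpack_license_files(build_dir: str) -> list[str]:
    """Glob for main.<hash>.js.LICENSE.txt so the content hash in the name is irrelevant."""
    pattern = os.path.join(build_dir, "static", "js", "main.*.js.LICENSE.txt")
    return sorted(glob.glob(pattern))


if __name__ == "__main__":
    # Usage: python bundled_js_license.py <build_dir> <output_file>
    # With no arguments the constructed sample is processed instead.
    if len(sys.argv) == 3:
        files = find_webpack_license_files(sys.argv[1])
        text = "".join(open(f, encoding="utf-8").read() for f in files)
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            fh.write(render(parse_license_banners(text)))
    else:
        blocks = parse_license_banners(SAMPLE)
        print(render(blocks))
        print("license tags:", license_tags(blocks))
```

Because the output is sorted and deduplicated, a CI job can regenerate it on every build and diff it against the vendored copy (option 3) to detect a new or changed bundled dependency before it reaches a release candidate.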
References
burr/tracking/server/build/static/js/main.<hash>.js.LICENSE.txt (present in every wheel build)