Update Saxon-HE to 9.9.1-8

[scala-steward]

Updates net.sf.saxon:Saxon-HE from 9.9.1-7 to 9.9.1-8.

I'll automatically update this PR to resolve conflicts as long as you don't change it yourself.

If you'd like to skip this version, you can just close this PR. If you have any feedback, just mention me in the comments below.

Configure Scala Steward for your repository with a .scala-steward.conf file.

Have a fantastic day writing Scala!

Ignore future updates

Add this to your .scala-steward.conf file to ignore future updates of this dependency:

updates.ignore = [ { groupId = "net.sf.saxon", artifactId = "Saxon-HE" } ]

labels: library-update, semver-pre-release

[tuxji]

Needs a NOTICE file and perhaps a README mention.

• Do all automated continuous integration checks pass?
  Yes
• Is the update a patch, minor, or major update?
  Patch update. Still downloaded and diff'ed SaxonHE9-9-1-7J.zip, SaxonHE9-9-1-8J.zip, saxon9-9-1-7source.zip, and saxon9-9-1-8source.zip. Found only very small source changes, no pom, no transitive dependencies.
• Is the license still compatible with ASF License Policy?
  Mozilla Public License Version 2.0, which means Saxon may be included in binary form within Daffodil only if the inclusion is appropriately and prominently labeled. We have not mentioned Saxon in a README and provided a NOTICE identifying Saxon, its licensing, and an url to its homepage even though only daffodil-schematron uses Saxon.
• Have any changes been made to LICENSE/NOTICE files that need to be incorporated?
  No changes to license type. Note that we distribute the saxon jar in Daffodil's lib directory without a NOTICE file which needs to be fixed.
• Have any transitive dependencies been added or changed?
  Saxon has no transitive dependencies.

@stevedlawrence What are the minimum changes we need to make - only an addition to bin.NOTICE or a change to a README (if so, which one)?

[stevedlawrence]

Saxon provides some detailed information here: https://www.saxonica.com/documentation/#!conditions, which mentions this:

If you produce a product that includes or requires Saxon-HE, please refer to it prominently as "The Saxon XSLT and XQuery Processor from Saxonica Limited", and include the URL of the home page, which is at http://www.saxonica.com/. As a courtesy, please take reasonable steps to ensure that your users know that they are running Saxon.

So I'd say something like this included in the License section of the README is sufficient:

This product includes The Saxon XSLT and XQuery Processor from Saxonica Limited (http://www.saxonica.com/), which is licensed under the Mozilla Public License version 2.0.

We might want to consider including something like that in the bin.NOTICE file as well just to be safe. I'm not sure if it's require or not, but seems like it would be.

The above saxonica link also mentions what it calls "Category B" code, which is code Saxon includes that is not MPL but is compatible (e.g. BSD, MIT, Apache). We don't currently include the licenses of those (and I dont't think we've verified that they are compatiable with Apache, just taking Saxon's word for it). So we need track those down--Saxon mentinos a notices directory which I can't immediately find but that should have all the information we need to make sure they are all acceptable to ASF, and then we can update our bin.LICENSE/bin.NOTICE appropriately.

[tuxji]

I know how to find the notices directory. Go to Saxon 9.9's SourceForge download page, download SaxonHE9-9-1-8J.zip, put it in an empty temporary directory, unpack it, and you will get the notices directory. Five files look like MIT-type copyright notices to me and if we need to include them, then we need to include these five files from that directory into bin.NOTICE (the sixth file is Saxon's license).

If I understand you correctly, we need to modify the following files:

• README.md (mention Saxon in its License section)
• daffodil-cli/README,md (mention Saxon in its License section)
• daffodil-cli/bin.LICENSE (include Saxon's license)
• daffodil-cli/bin.NOTICE (include five files from Saxon's notices directory)

When we edit bin.NOTICE, shall we insert the five files' text indented by 2 spaces with 1 blank line between each file into bin.NOTICE between "Jackson JSON processor" and "Scala" with the following lines to set them off?

Saxon XSLT and XQuery processor (lib/Saxon-HE-<VERSION>.jar)
  Saxon HE processor
  Copyright (c) 2018 Saxonica Limited.

[stevedlawrence]

My understanding is that we don't need to include anything in the root README.md, since we don't distribute Saxon in the source, which is what that README talks about. We only distribute Saxon with the CLI, so I think we only need to update daffodil-cli/README.md.

Saxon calls those things in the notice directory "notices", but they are really just licences. My understanding is that license text never goes in the NOTICE file. So all those "notices" from Saxon need to go in the bin.LICENSE files. For that, I would probably include the Saxon license like we include other stuff, and then at the same indention level, nest in the Saxon subcomonent "notices"/licenses, so somthing like:

This product bundels Saxon ... available under MPL license:

  Copy MPL license here:

  SAXON SUBCOMPONENTS

  Saxon contains subcomponents with separate coyright noticess....

    Saxon bundles ABC, this is available under the MIT license:
      Copy MIT licnse here

    Saxon bundels XYZ, this is avialabel under the BSD license:
      Copy BSD license here

So we sort of have nested licenses so it's clear which parts come from saxon and which parts don't.

[tuxji]

+1

• Do all automated continuous integration checks pass?
  Yes
• Is the update a patch, minor, or major update?
  Patch update. Downloaded and diff'ed SaxonHE9-9-1-7J.zip, SaxonHE9-9-1-8J.zip, saxon9-9-1-7source.zip, and saxon9-9-1-8source.zip. Found only very small source changes, no pom, no transitive dependencies.
• Is the license still compatible with ASF License Policy?
  Yes (MPL 2.0 with appropriate and prominent labeling in cli/README.md and bin.LICENSE added and squashed into this pull request).
• Have any changes been made to LICENSE/NOTICE files that need to be incorporated?
  No changes.
• Have any transitive dependencies been added or changed?
  Saxon has no transitive dependencies.

[stevedlawrence]

+1 with one minor comment

[stevedlawrence]

Should we just remove this leading $ if it's considered bad practice by linters?

[tuxji]

Sure, we can just remove the leading $. According to markdownlint, the shell prompt should be there if we show a command's output, but shouldn't be there if we don't show a command's output. I didn't know what you would think about removing the dollar sign, so I simply added a comment to disable the warning although I did fix all the other warnings. I won't bother to change the README again, but I expect whoever edits the README in the future will see that comment and be reminded to fix the warning by removing the dollar sign from the three places it appears instead.