FINERACT-2572: Exclude license-incompatible libraries from distributi…#5899
@SamaSVM, would you like to move this PR and discussion to the Fineract DEV email list? These changes have a significant impact, and we should discuss and observe their effects on the DEV email list.
meonkeys left a comment
Thanks for this patch and for starting the dev list discussion, Vlad! Thank you Ádám and @Aman-Mittal for your feedback.
I generated a binary release tarball artifact with the binaryDistTar task and it looked good (no category X jars included).
These instructions are now wrong. Will you update fineract-doc/src/docs/en/chapters/release/process-step09.adoc? Build a binary release artifact and Docker image locally, test those, and let me know how it goes.
Finally, will you try the generateLicenseReport task? I wonder if we want to manually exclude the jars we are no longer packaging, or if it can do that automatically. I see some are marked "Not Packaged" but I don't understand what that means.
I've verified the "Build a binary release artifact and Docker image locally", and everything looks good — no Category X jars are included. I've also updated fineract-doc/src/docs/en/chapters/release/process-step09.adoc, please check. I have some difficulties running 'generateLicenseReport' locally, but I'll continue working on it.
I've generated the generateLicenseReport report, which contains 349 libraries. I also noticed that some of them are marked as "Not Packaged" in the Manifest License column. During my investigation of the implementation (specifically the printDependencyManifest method in InventoryReportRenderer.groovy), I found that the "Not Packaged" label simply indicates that the license text is not physically embedded within the JAR file.
Awesome, thanks for the updates and research. The code and docs updates LGTM, I just want to test building & running myself with these new defaults before I approve. I'll do it ASAP.
I wanted to refine the README a bit further. @SamaSVM, please review commit ff8cc58 and let me know your thoughts. Feel free to add commits if you need to, but please don't squash.
I confirmed default and override dbs work as expected. I rebased on top of develop so we're up to date. Hopefully CI build still passes, we'll see.
I think we're nearly ready to merge. I mentioned it again on the dev list.
Great work here, @SamaSVM!
Description
Resolves the ASF Category X license violation by excluding LGPL/GPL libraries from all Fineract distribution artifacts (binary tarball, WAR, bootJar, Docker image).
See FINERACT-2572