Adjusting some license texts.

[lahodaj]

The proposal here is to adjust some license texts (+one notice), which I hope will be relatively uncontroversial. I'll try to add comments with details inline.

Some more tweaks to license files may come in the future.

[lahodaj]

MIT is a generic template of the license, without copyright notices. This file is correct, but we should have the correct file in the nbbuild/licenses database as well.

See the source license here:
https://github.com/matthiasblaesing/netbeans-processtreekiller/blob/master/LICENSE

[lahodaj]

The source license for 1.7.36 is here:
https://raw.githubusercontent.com/qos-ch/slf4j/v_1.7.36/LICENSE.txt

[matthiasblaesing]

The file nbbuild/licenses/MIT-slf4j could be removed. Not really a problem, but cleaning up now would IMHO make sense.

[lahodaj]

Ok.

[lahodaj]

Done.

[lahodaj]

The source license for 1.7.36 is here:
https://raw.githubusercontent.com/qos-ch/slf4j/v_1.7.36/LICENSE.txt

[lahodaj]

Instead of using two license files, lets try to only use one. This is to simplify using of the notice file.

[lahodaj]

An attempt to add copyright from here:
https://github.com/timboudreau/simplevalidation/blob/master/apache-license-2x.txt

[matthiasblaesing]

I'm inclined not to honor broken licenses. The Apache license explicitly states, that the file you have to look for as a user is NOTICE. If it is not there, I would ignore it, the user obiously was not interested in it either. There is also no NOTICE in the binary jar, further strengthening the point.

[lahodaj]

Hmm, OK. I don't I like that (because the repository has a license file with the copyright), but I can probably live with this, at least for some time.

[matthiasblaesing]

If someone tells me he linceses his product under ALv2 and does not provide a NOTICE, I think the intention is obvious. If we assume that it is not ALv2, but an unnamed license derived from ALv2, then I suggest to make it "ALv2-simplevalidation" and use that, just as done with MIT.

[lahodaj]

Ok. I've dropped this from this patch. I guess that while you may be technically right, being nice also may provides some advantages.

[lahodaj]

The license for httpclient is not Apache 2.0 - it is Apache 2.0 + MPL 2.0, please see:
https://issues.apache.org/jira/browse/HTTPCLIENT-2317
https://issues.apache.org/jira/browse/MNG-8042

[neilcsmith-net]

Not sure I agree with your reading on this one. Or theirs? I would check with ASF legal on this, or if they did, because I don't see any reason that needs to be a dual licensed binary.

[lahodaj]

Note it is not a dual license. There are parts that are Apache 2.0, and parts (specifically the 'mozilla/public-suffix-list.txt' file) that are under the MPL 2.0. It is not really different from NetBeans' various 3rd party stuff.

I think this:
https://www.apache.org/legal/release-policy.html#license-file
is pretty clear.

[neilcsmith-net]

Note from MPL.

3.3. Distribution of a Larger Work

You may create and distribute a Larger Work under terms of Your choice,
provided that You also comply with the requirements of this License for
the Covered Software. If the Larger Work is a combination of Covered
Software with a work governed by one or more Secondary Licenses, and the
Covered Software is not Incompatible With Secondary Licenses, this
License permits You to additionally distribute such Covered Software
under the terms of such Secondary License(s), so that the recipient of
the Larger Work may, at their option, further distribute the Covered
Software under the terms of either this License or such Secondary
License(s).

As far as I can see that file is downloaded (as it should be under Cat B), so shouldn't be included in the source license file. In binary form, it could all be under ASL?

[lahodaj]

I am not sure I understand the complaint. This patch will not (to the best of my knowledge) make this part of the license for the source. It will make it part of the license for the binary. This is very similar to what we do e.g. here:
https://github.com/apache/netbeans/blob/b5bf037d91bc3f0fa4a09518ba4fd6c105f965c4/java/maven.embedder/external/apache-maven-3.9.6-javax.annotation-api-license.txt
(and for a somewhat similar license)

I wonder if there's some specific concern around MPL (or including MPL) that would warrant investigating alternative options? (Note that even the official binary distributed by Apache Commons has Apache 2.0 + MPL 2.0, it is just the specific artifact that is missing MPL.)

[matthiasblaesing]

For httpclient (both httpclient and httpcore) the license in the package is pure ALv2.0. I would suggest to stick with the upstream license and not pretend to know better. Once httpclient gets updated, I see no problem to follow though.

[lahodaj]

I am not quite sure why this specific change is so problematic. The official package distributed by ASF does have the MPL in its LICENSE.txt:
https://dlcdn.apache.org//httpcomponents/httpclient/binary/httpcomponents-client-4.5.14-bin.tar.gz

Even the source repository lists it:
https://github.com/apache/httpcomponents-client/blob/master/LICENSE.txt

This binary obviously has the MPL-licensed file. It is just the LICENSE file in this specific file that is missing it. It is fairly obviously a mistake. Do we really want to keep distributing something that's wrong? (Or, at least, highly doubtful?)

[matthiasblaesing]

I have no problem updating this here.

BUT: I refuse to chase down the potential intention of a packager through multiple layers of packages. httpclient-4.5.14.jar and httpcore-4.4.16.jar in the apache-maven-3.9.6-bin.zip both contain a LICENSE, both without MPL reference. It seems, that the maven central binaries are missing that part. This is an issue in apache maven. Next time this is updated, we will see a regression if it is not fixed in apache http client.

[neilcsmith-net]

The license file in the source tree is wrong. The license file in the Maven binary might not be wrong. MPL gives the right to redistribute that artefact under ASL.

[lahodaj]

I've removed this change to avoid the controversy.

Note that I've filled bugs against httpclient and Maven. So, while there's a potential for a regression on update, I think I did a lot to avoid that in the future. (And updating licenses is, sadly, not automatic when upgrading a library, so there's also an opposite risk - that Maven is fixed, but NetBeans is not.)

No sure I understand the argument of "they have it wrong, so it is OK for us to have it wrong". (While I hear Neil's idea about distributing under Apache 2.0 - noone has confirmed that would be what ASF could or would want to do.)

[lahodaj]

Specifying more appropriate version, to reduce confusion.

[lahodaj]

Specifying more appropriate version, to reduce confusion.

[lahodaj]

Updating the ko4j license to the version that is inside the binary - includes license terms for the Knockout library, in addition to the Apache 2.0 terms.

[lahodaj]

Updating the license text to the text that is inside the binary.

[matthiasblaesing]

Thank you for looking into this. I left some inline comments.

[matthiasblaesing]

The file nbbuild/licenses/MIT-slf4j could be removed. Not really a problem, but cleaning up now would IMHO make sense.

[matthiasblaesing]

I'm inclined not to honor broken licenses. The Apache license explicitly states, that the file you have to look for as a user is NOTICE. If it is not there, I would ignore it, the user obiously was not interested in it either. There is also no NOTICE in the binary jar, further strengthening the point.

[matthiasblaesing]

For httpclient (both httpclient and httpcore) the license in the package is pure ALv2.0. I would suggest to stick with the upstream license and not pretend to know better. Once httpclient gets updated, I see no problem to follow though.

[matthiasblaesing]

I think this is good to go. Thank you for the updates.

[mbien]

would this be ready to merge or is it still baking?

[lahodaj]

I'll merge sometime soon, unless there are objections.