add copyright to pom.xml #2930
Conversation
There is a license section defined by Maven, something we already use. Which are the other libraries that are doing such practice? For example, I don't see it done in either Spring Boot or JUnit. My current feeling is this is not necessary. The scanner should look at the standard place for such information.
@tobi5775 I reject this change but am happy to re-evaluate it if it turns out we don't follow standard Maven practices.
Hi @scordio, other libraries doing this practice are for example:
The copyright information is in the text at the target URL: <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
What is the advantage of repeating it in each POM? It sounds like a tooling gap as we are compliant with Maven guidelines. I am not very keen on introducing clutter in the POMs to please a scanning tool. Is there any other alternative that would help the scanner to detect the license content we already publish to several places (e.g., LICENSE.txt in the repository root, Java comment on all source files)?
@scordio, suppose someone wants to borrow code from In other words, you do have headers for
How is a license header in a POM different from the license tag in the same file? |
The link above is an answer by Justin Mclean, Assistant V.P., Legal Affairs, see https://www.apache.org/foundation/#officers.
A slightly different answer would be: At the same time, files like
Hi @scordio, I also have an additional aspect to one of your last comments:
The given url in your pom.xml (in the license-tag) links us to the original license text hosted by www.apache.org. So this is only the license text without your copyright (which is there in the java source code:
@tobi5775's change would address this and I also support @vlsi's opinion.
Fair point, @robertschubert. @tobi5775 you proposed the manual addition of headers in this PR but you also opened PRs in other Maven projects with different strategies for the same purpose, e.g., adding META-INF/LICENSE files. Would such a file be sufficient for your purpose?
@scordio Yes I've also created other PRs in other Maven projects with different strategies. In case of an MIT license I only added the LICENSE file to the jar, because the copyright is already included there. Alternatively I can create a COPYRIGHT file and add it to the jar under
See also this PR google/gson#2307 as example
I totally agree with @vlsi
For Apache License, the copyright is typically included in the NOTICE file:
I don't think this argument by @vlsi is valid in the context. Yes, each source code file should have a license header in case somebody copies the source file itself. However, the original request by @tobi5775 is exactly to have license for a dependency, not a specific file:
Which is exactly the purpose of the license section in the pom.xml. There are also existing tools which handle the process of 3rd party licenses just fine (commercial and OSS). For example, https://www.mojohaus.org/license-maven-plugin/plugin-info.html can create such a report and can download all the associated license texts. It even has fallback possibilities if the linked license file of a library in the pom is rubbish. So, if the assertj pom.xml would just point to https://raw.githubusercontent.com/assertj/assertj/main/LICENSE.txt, which should be a project-personalized version of the standard Apache license, at least the original PR would be fine. Just my two cents.
@beckerjohannes, I responded to an exact question of scordio regarding "license header in a POM different from the license tag".
Please, no. That would have the following issues: b) The link might disappear altogether. For instance, suppose one day GitHub bans Here's a sample of a widely used dependency (the last release was in 2007) that has a custom link for the license: https://repo1.maven.org/maven2/xpp3/xpp3_min/1.1.4c/xpp3_min-1.1.4c.pom
<license>
<name>Indiana University Extreme! Lab Software License, vesion 1.1.1</name>
<url>http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt</url>
c) Redistribution section of Apache 2.0 license requires the one who distributes to include the copy of the license:
Of course, it is silly to include the copy of the license into d) The use of custom license links requires manual inspection since it might be a customized variation of the license. If the URL references a canonical link, then it is much better for both scanners and human verifiers to tell if the license is well-known or not. e) The point of Apache 2.0 license is that there will be no project-personalized version of such a license. Every Apache 2.0 license text should be identical, and the copyright is tracked via
@vlsi not valid in the context of the original request. Having a license header in the pom.xml is not helpful for having a license for the artifact. The point with having the possibility to point to an individual license was addressing the points raised by @robertschubert. As always it is hard to keep track in a linear discussion where multiple people respond to various other comments and it is not clear which responds to which. I think you are right in all points. My main point was that:
is the core of the OP's issue and could be totally avoided by using available OSS infrastructure. Leaves your point c) to be resolved.
thanks all for your comments, can someone summarize what changes we would like to see in AssertJ then? sorry it's a bit hard to follow 😉
Thanks a lot for all your valuable input, @tobi5775 @vlsi @robertschubert @beckerjohannes. We discussed it with the team and we would prefer to take this in steps. As a start, we will make sure that ScanCode will properly detect license and copyright information for AssertJ so that we cover what @tobi5775 requires. We will analyze it in #2944. After that, we are open to further enhancing this aspect but ideally against concrete use cases/scan tooling that users can bring up.


Add copyright information to pom.xml.
For a customer project an OpenSource report has to be generated. Therefore a scanner was created to extract the copyright and license information from our dependencies. This scanner can extract all information from pom.xml. Therefore it would be great to have the copyright in the pom.xml like other libraries do.
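The kind of scanner the PR description refers to, written here as an added Python example (it is neither AssertJ's code nor the OP's tool): it reads a POM's `<licenses>` entries, flags non-canonical license URLs in the way the xpp3 case in the thread illustrates, and looks for a copyright line in a leading XML comment, which is what this PR proposes to add. Both POM samples are constructed; the copyright holder and years are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Canonical Apache 2.0 URLs (http/https, with or without .txt): the "well-known" case from the thread.
CANONICAL_APACHE = ("https://www.apache.org/licenses/LICENSE-2.0",
                    "http://www.apache.org/licenses/LICENSE-2.0")
COPYRIGHT_RE = re.compile(r"Copyright\s+(?:\(c\)\s*)?(\d{4}(?:-\d{4})?)\s+(.+?)\s*$", re.I | re.M)

def scan_pom(pom_text):
    """Return the <licenses> entries and any copyright line found in an XML comment."""
    # Drop the default POM namespace so plain tag names work with ElementTree.
    root = ET.fromstring(re.sub(r'\sxmlns="[^"]+"', "", pom_text, count=1))
    licenses = []
    for lic in root.iter("license"):
        url = (lic.findtext("url") or "").strip()
        licenses.append({"name": (lic.findtext("name") or "").strip(), "url": url,
                         "canonical": url.startswith(CANONICAL_APACHE)})
    # ElementTree discards comments, so look for a copyright header in the raw text.
    copyright_ = None
    for comment in re.findall(r"<!--(.*?)-->", pom_text, re.S):
        m = COPYRIGHT_RE.search(comment)
        if m:
            copyright_ = {"years": m.group(1), "holder": m.group(2).strip()}
            break
    return {"licenses": licenses, "copyright": copyright_}

def review(pom_text):
    """Flag the two things the thread argues about: custom license URLs and a missing copyright."""
    result = scan_pom(pom_text)
    notes = [f"non-canonical license URL: {lic['url']}"
             for lic in result["licenses"] if not lic["canonical"]]
    if not result["licenses"]:
        notes.append("no <licenses> section")
    if result["copyright"] is None:
        notes.append("no copyright statement in POM; check NOTICE or META-INF/LICENSE in the jar")
    return notes

# Constructed sample modelled on the xpp3 POM quoted in the thread (custom license URL).
XPP3_POM = """<project><licenses><license><name>Indiana University Extreme! Lab Software License, vesion 1.1.1</name>
<url>http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt</url></license></licenses></project>"""

# Constructed sample of what this PR asks for: canonical URL plus a copyright header comment.
# "Example Holder" and the years are placeholders, not AssertJ's real data.
HEADER_POM = """<?xml version="1.0"?>
<!-- Copyright 2012-2023 Example Holder
     Licensed under the Apache License, Version 2.0 -->
<project xmlns="http://maven.apache.org/POM/4.0.0"><licenses><license><name>Apache License, Version 2.0</name>
<url>https://www.apache.org/licenses/LICENSE-2.0.txt</url></license></licenses></project>"""
```

`review(XPP3_POM)` returns two findings (custom URL, no copyright) while `review(HEADER_POM)` returns an empty list, which is the outcome the PR is after.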