
Please bundle LICENSE/NOTICE files in the produced jar files #63

Closed
vlsi opened this issue Jun 17, 2019 · 10 comments

@vlsi

commented Jun 17, 2019

It is great you use SPDX for the license id, however it would be nice if you could add LICENSE to META-INF/LICENSE, so the license could be automatically discovered.

Clarification: the dnsjava license requires redistributions to reproduce the copyright notice.
dnsjava.jar is often redistributed as a Maven dependency, so it becomes complicated to automatically redistribute the proper LICENSE file, since Maven Central lacks that file.

Solution: include LICENSE to dnsjava.jar/META-INF/LICENSE

@ibauersachs


Member

commented Jun 17, 2019

Will do for future releases. But out of curiosity, is there a Maven plugin or a publicly documented convention that uses the license file if it is bundled there?
Simply having the file in the jar IMO is not enough for being compliant.

@vlsi


Author

commented Jun 17, 2019

@ibauersachs , thanks for super-fast turnaround.
I have no idea re Maven.

If you have 0 bundled dependencies in your jar, then referencing $projectRoot/LICENSE as an additional Maven resource would probably do the trick.
If you use bundled dependencies, then you need to somehow craft LICENSE/NOTICE files (e.g. incorporate third-party notices).

> Simply having the file in the jar IMO is not enough for being compliant

I get that. I'm developing a Gradle plugin (https://github.com/vlsi/license-gather-plugin) that tries to parse licenses for third-party dependencies, and it unpacks LICENSE/NOTICE files accordingly.

However it is hard to unpack LICENSE in case the file is just absent.

@ibauersachs


Member

commented Jun 17, 2019

> If you have 0 bundled dependencies in your jar, then referencing $projectRoot/LICENSE as an additional Maven resource would probably do the trick.
> If you use bundled dependencies, then you need to somehow craft LICENSE/NOTICE files (e.g. incorporate third-party notices).

I know how to put the file there, that's not the issue ;-)

> Simply having the file in the jar IMO is not enough for being compliant

> I get that. I'm developing a Gradle plugin (https://github.com/vlsi/license-gather-plugin) that tries to parse licenses for third-party dependencies, and it unpacks LICENSE/NOTICE files accordingly.

I assume you're aware of https://github.com/hierynomus/license-gradle-plugin?

> However it is hard to unpack LICENSE in case the file is just absent.

Sure.

@vlsi


Author

commented Jun 17, 2019

> I assume you're aware of https://github.com/hierynomus/license-gradle-plugin?

I am, thanks. I should probably reference that plugin as well, however it is not sufficient for my cases.
Both jk1/Gradle-License-Report and hierynomus/license-gradle-plugin seem to be oriented towards human review of the license report rather than "generation of LICENSE / verification of improper dependencies".

@ibauersachs


Member

commented Jun 17, 2019

We're using hierynomus' plugin quite successfully.
You'll always need to do a manual review, e.g. to choose a license if a project is dual-licensed (prime example are GPL+CE or CDDL for Oracle J2EE libs), map non-SPDX identifiers, download/hunt license files, etc.
And for that hunt I was asking if there's something like a spec (similar to https://semver.org/ or https://keepachangelog.com).

@vlsi


Author

commented Jun 17, 2019

> You'll always need to do a manual review, e.g. to choose a license if a project is dual-licensed

What I want is to automate that hunt.
In other words, I want to configure relevant "overrides" (once?) and/or manually downloaded files, so the checker would use either the discovered info or the one I have provided.

However, I want to reduce the amount of "overrides", so I kindly ask dnsjava to bundle the license.

> And for that hunt I was asking if there's something like a spec

I guess SPDX is "the best" open list of licenses. However license "normalization" is not there: spdx/tools#192
In the same way, I guess there's no "single standard" for where to put license files.

Someone puts LICENSE/NOTICE files into META-INF (I have no idea of the reason behind that).

There's Bundle-License header as well: https://osgi.org/specification/osgi.core/7.0.0/framework.module.html#framework.module-bundle-license
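The three discovery points named in this thread (META-INF/LICENSE, META-INF/NOTICE and the OSGi Bundle-License manifest header) can be checked mechanically across a dependency set. The script below is an added example written for this page; it is not code from dnsjava or from the license-gather plugin. It assumes the entry names listed in LICENSE_ENTRIES/NOTICE_ENTRIES are the ones worth probing and uses two constructed in-memory jars as sample input; `report()` returns the jars that advertise no license at all, which is the list a build could fail on.

```python
"""Scan jars for discoverable license metadata (added example, not project code).

Checks the places discussed above: META-INF/LICENSE, META-INF/NOTICE and the
OSGi Bundle-License header in META-INF/MANIFEST.MF.
"""
import io
import zipfile

# Assumed candidate entry names; extend as needed for other conventions.
LICENSE_ENTRIES = ("META-INF/LICENSE", "META-INF/LICENSE.txt", "META-INF/LICENSE.md")
NOTICE_ENTRIES = ("META-INF/NOTICE", "META-INF/NOTICE.txt", "META-INF/NOTICE.md")


def parse_manifest(text):
    """Parse MANIFEST.MF into a dict; lines starting with a space continue the previous header."""
    headers = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last is not None:
            headers[last] += raw[1:]
        elif ":" in raw:
            name, _, value = raw.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers


def inspect_jar(jar_bytes):
    """Describe how a jar advertises its license: bundled files and Bundle-License header."""
    result = {"license_entry": None, "notice_entry": None, "bundle_license": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        result["license_entry"] = next((n for n in LICENSE_ENTRIES if n in names), None)
        result["notice_entry"] = next((n for n in NOTICE_ENTRIES if n in names), None)
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
            result["bundle_license"] = manifest.get("Bundle-License")
    return result


def has_discoverable_license(info):
    """A bundled LICENSE file or a Bundle-License header counts; NOTICE alone does not."""
    return info["license_entry"] is not None or info["bundle_license"] is not None


def build_jar(entries):
    """Construct an in-memory jar from {entry name: str or bytes} (sample-input helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample jars; these are not real artifacts.
GOOD_JAR = build_jar({
    "META-INF/MANIFEST.MF": (
        "Manifest-Version: 1.0\r\n"
        "Bundle-SymbolicName: org.example.good\r\n"
        "Bundle-License: https://opensource.org/licenses/BSD-3-Clause\r\n"
        "\r\n"
    ),
    "META-INF/LICENSE": "Copyright (c) Example\nRedistribution and use ...\n",
    "org/example/Foo.class": b"\xca\xfe\xba\xbe",
})
BARE_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n\r\n",
    "org/example/Bar.class": b"\xca\xfe\xba\xbe",
})


def report(jars):
    """Return the names of jars with no discoverable license, in input order."""
    return [name for name, data in jars.items()
            if not has_discoverable_license(inspect_jar(data))]


if __name__ == "__main__":
    print(report({"good.jar": GOOD_JAR, "bare.jar": BARE_JAR}))
```

For a real dependency set, feed `report()` the bytes of each resolved jar (for Gradle, the files of the runtime classpath configuration) and treat a non-empty result as the list of "overrides" you would otherwise have to maintain by hand.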

@vlsi


Author

commented Jun 17, 2019

Update: the NOTICE file is optional (you might omit it and it would be just fine). I was wrong when I said NOTICE is required.

Bundling license text with JAR would still help to associate the license with a specific jar in question.

ibauersachs added a commit that referenced this issue Jun 17, 2019

@ibauersachs


Member

commented Jun 17, 2019

Not sure what you mean with your last comment. Have a look at #64, is that okay for you?

ibauersachs added a commit that referenced this issue Jun 17, 2019

@vlsi


Author

commented Jun 18, 2019

@ibauersachs, frankly speaking I don't get the exact meaning of NOTICE, however to the best of my knowledge it is to provide the attribution.

See https://issues.apache.org/jira/browse/LEGAL-62?focusedCommentId=13591546&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13591546

> When carried by the LICENSE, the attribution language constitutes an additional requirement which conflicts with the GPL. However, when carried by the optional NOTICE file instead of the license, the attribution requirement does not conflict with the GPL because the GPL requires the preservation of notices even when it subsumes all other licenses

Just in case: NOTICE is optional, however you might want to include it in the jar.

@vlsi


Author

commented Jun 18, 2019

In other words, if dnsjava is incorporated into a GPL component, then the derivative work would become licensed under the GPL, and "no one would know the copyright owner of the dnsjava subcomponent".

However, if there was a NOTICE file, then that file would have to be retained even in case dnsjava is included into GPL component.

ibauersachs added a commit that referenced this issue Jun 18, 2019

ibauersachs added a commit that referenced this issue Jun 18, 2019
