drill-dev mailing list archives

From Jason Altekruse <altekruseja...@gmail.com>
Subject Re: [VOTE] Release Apache Drill version 0.5.0-incubating
Date Tue, 02 Sep 2014 22:20:14 GMT
Hello Justin,

I am doing an audit of the Drill source and binary releases to clean up the
dependencies and find the remaining missing licenses.

I believe I have found the missing 9 files you spoke of in a directory of
the project that has gone stale and is no longer in use. The 'sandbox'
directory has a number of files that do not match any of the individual
file filters (by extension), but they were being ignored from the RAT check
by a rule to exclude the whole folder. Removing this shows 9 unknown
licenses (several are just data files without an extension and a few are
old Python scripts for a web UI not in use, several mention the Apache
license but the format does not match what RAT is looking for).

I want to confirm that these are indeed the correct files before we move
ahead with the next candidate. Is there a means by which you were able to
generate these numbers of standards, apache licenses and missing license
file counts over the whole project, or did you have to use grep over the
individual sub-projects' rat reports?

I want to run the same check that you had earlier to ensure that deleting
this directory does make the numbers line up more appropriately.

-Jason Altekruse

On Tue, Sep 2, 2014 at 9:38 AM, Jacques Nadeau <jacques@apache.org> wrote:

> Thanks for the feedback.  It is very helpful.  It sounds like you think we
> should make four modifications:
> 1. Do an audit of non classified RAT files and verify that we aren't
> including other licenses.
> 2. Examine whether we are including unnecessary license notices in the files
> (e.g. JUnit)
> 3. Exclude class B binary artifacts or require active user consent to
> include them
> 4. Maintain separate directories for class B licenses when included.
> I think that you have good points in 1 & 2.  I will open JIRAs to solve
> these.
> For points 3 & 4, I think you have a very conservative interpretation of
> Apache requirements which goes beyond the guidelines as well as what other
> projects do.  For class B licenses [1]: "[class B licenses require] an
> explicit action by the user to get the reciprocally-licensed source".  This
> seems to be specifically focused on source distribution, not binary
> artifacts.  Since we don't bundle the source, we should be okay according
> to these guidelines.
> Additionally, I did a quick review of similar projects.  For this review, I
> chose to look at the jersey-core artifact, something that falls under the
> CDDL license (class B).  If I review the published artifacts for both
> Hadoop (2.5.0) and HBase (94.21), both include the binary artifact for this
> within their distribution, without special user consent and in the same
> directory as other binary artifacts that fall under class A licenses.
> Thanks again for your feedback.  I think issues 1 & 2 above sink the rc1
> candidate so let's correct and roll another.
> Jacques
> [1] http://www.apache.org/legal/3party.html
> On Mon, Sep 1, 2014 at 6:16 PM, Justin Mclean <justin@classsoftware.com>
> wrote:
> > Hi,
> >
> > Looks like the source LICENSE is missing the MIT and BSD bundled
> > software.
> >
> > Can you list out what software is bundled into the source release that is
> > MIT or BSD licensed?
> >
> > From a quick search I see that these have MIT licenses:
> > ./contrib/native/client/src/clientlib/y2038/time64.c
> > ./contrib/native/client/src/clientlib/y2038/time64.h
> > ./contrib/native/client/src/clientlib/y2038/time64_config.h
> > ./contrib/native/client/src/clientlib/y2038/time64_limits.h
> >
> > It's hard to check the rat report as there are over 300 files that don't have
> > headers, while most of these are JSON and the like it makes it hard to
> > review and know what's going on.
> >
> > From rat I get 1897 standards, 1569 Apache licensed and 315 unknown (or
> > missing) licenses. 1897 - 1569 - 315 = 13 files that have other licences.
> > I've only found 4 above, so what are the other 9 files?
> >
> > Just follow the instructions at [1] and your project mentors should be
> > able to help with this.
> >
> > The binary LICENSE and NOTICE look better, but I think they are still
> > including too much, for example the LICENSE states:
> >
> > "This product bundles JUnit (junit:junit:4.11 - http://junit.org)"
> >
> > Does it actually bundle jars or source code from JUnit or does it just
> > contain tests that are run by JUnit? If it bundles the JUnit jar does it
> > really need to?
> >
> > There's also (IMO) an issue with how you've bundled CDDL, EPL and MPL
> > licensed software in the binary release, see Category B licenses at [2].
> > They need to be clearly marked and you need to prompt the user to accept
> > their license (or not include them in the binary if that's at all
> > possible). I would also put them in another directory separate from the
> > category A licensed binaries if they do need to be bundled.
> >
> > Thanks,
> > Justin
> >
> > 1. http://www.apache.org/dev/licensing-howto.html#permissive-deps
> > 2. http://www.apache.org/legal/3party.html
