ode-dev mailing list archives

From Sathwik B P <sath...@apache.org>
Subject Re: Sources of dependencies
Date Wed, 18 Oct 2017 13:32:39 GMT
Hi Oliver,

Apache project's source & binaries are under ASLV2.

Third-party dependent binaries and their licenses will be included in the
project distribution. If third-party binary license is not compatible with
ASLV2, we don't ship that binary.

As of Apache ODE source code distribution, we don't ship any third-party
dependent source along with it nor do we take their source and compile it
ourselves. We only use third-party library in its binary form and its
binary license will be shipped with the ODE binary distribution.

The binary licenses are packaged under /lib directory of the war
distribution in release 1.3.7 https://ode.apache.org/getting-ode.html

You can also refer to http://www.apache.org/legal/

regards,
sathwik


On Wed, Oct 18, 2017 at 4:19 PM, Oliver Kopp <kopp.dev@gmail.com> wrote:

> Hi,
>
> We are going to use Apache ODE in a project with involvement of
> industry partners. There, we are obliged to prove all (transitive)
> dependencies ODE uses, in order to guarantee that all of them apply to
> the Apache License Version 2.0. Unfortunately, we were not able to
> (automatically) retrieve/find the source code for 15 of the 83
> dependencies (from Maven Central) which are packaged into the final
> ODE WAR distribution and therefore cannot check what licenses these
> dependencies REALLY have:
>
>
>     1.  annogen:annogen:jar:sources:0.1.0
>
>     2.  org.apache.derby:derby:jar:sources:10.5.3.0_1
>
>     3.  org.apache.derby:derbytools:jar:sources:10.5.3.0_1
>
>     4.  tranql:tranql-connector:jar:sources:1.1
>
>     5.  org.apache.geronimo.specs:geronimo-j2ee-connector_1.5_spec:jar:sources:1.0
>
>     6.  org.apache.velocity:velocity:jar:sources:1.5
>
>     7.  net.sourceforge.serp:serp:jar:sources:1.13.1
>
>     8.  org.jibx:jibx-run:jar:sources:1.2.1
>
>     9.  commons-primitives:commons-primitives:jar:sources:1.0
>
>     10. geronimo-spec:geronimo-spec-jms:jar:sources:1.1-rc4
>
>     11. org.apache.santuario:xmlsec:jar:sources:1.4.6
>
>     12. org.apache.xmlbeans:xmlbeans:jar:sources:2.6.0
>
>     13. org.opensaml:opensaml1:jar:sources:1.1
>
>     14. org.apache.axis2:axis2-transports:jar:sources:1.0-i6
>
>     15. stax:stax-api:jar:sources:1.0.1
>
>
> The question is, if someone of the ODE team already has transitively
> checked all related licenses of the used dependencies when open
> sourcing Apache ODE so that we can rely on your checks?
>
> Otherwise, would it be potentially possible that someone can provide
> us the source code for all dependencies bundled within the WAR
> distribution of Apache ODE so that we can check them?
>
> Cheers,
>
> Oliver
>
