ode-dev mailing list archives

From Sathwik B P <sath...@apache.org>
Subject Re: Sources of dependencies
Date Wed, 18 Oct 2017 13:39:35 GMT
Hi Oliver,

We make our best effort to list all the third-party licenses. In case
something is missing, feel free to report it.

regards,
sathwik

On Wed, Oct 18, 2017 at 7:02 PM, Sathwik B P <sathwik@apache.org> wrote:

> Hi Oliver,
>
> Apache project's source & binaries are under ASLV2.
>
> Third-party dependent binaries and their licenses will be included in the
> project distribution. If third-party binary license is not compatible with
> ASLV2, we don't ship that binary.
>
> As of Apache ODE source code distribution, we don't ship any third-party
> dependent source along with it nor do we take their source and compile it
> ourselves. We only use third-party library in its binary form and its
> binary license will be shipped with the ODE binary distribution.
>
> The binary licenses are packaged under /lib directory of the war
> distribution in release 1.3.7 https://ode.apache.org/getting-ode.html
>
> You can also refer to http://www.apache.org/legal/
>
> regards,
> sathwik
>
>
> On Wed, Oct 18, 2017 at 4:19 PM, Oliver Kopp <kopp.dev@gmail.com> wrote:
>
>> Hi,
>>
>> We are going to use Apache ODE in a project with involvement of
>> industry partners. There, we are obliged to proof all (transitive)
>> dependencies ODE uses, in order to guarantee that all of them apply to
>> the Apache License Version 2.0. Unfortunately, we were not able to
>> (automatically) retrieve/find the source code for 15 of the 83
>> dependencies (from Maven Central) which are packaged into the final
>> ODE WAR distribution and therefore cannot check what licenses these
>> dependencies REALLY have:
>>
>>
>>     1.  annogen:annogen:jar:sources:0.1.0
>>
>>     2.  org.apache.derby:derby:jar:sources:10.5.3.0_1
>>
>>     3.  org.apache.derby:derbytools:jar:sources:10.5.3.0_1
>>
>>     4.  tranql:tranql-connector:jar:sources:1.1
>>
>>     5.  org.apache.geronimo.specs:geronimo-j2ee-connector_1.5_spec:jar:sources:1.0
>>
>>     6.  org.apache.velocity:velocity:jar:sources:1.5
>>
>>     7.  net.sourceforge.serp:serp:jar:sources:1.13.1
>>
>>     8.  org.jibx:jibx-run:jar:sources:1.2.1
>>
>>     9.  commons-primitives:commons-primitives:jar:sources:1.0
>>
>>     10. geronimo-spec:geronimo-spec-jms:jar:sources:1.1-rc4
>>
>>     11. org.apache.santuario:xmlsec:jar:sources:1.4.6
>>
>>     12. org.apache.xmlbeans:xmlbeans:jar:sources:2.6.0
>>
>>     13. org.opensaml:opensaml1:jar:sources:1.1
>>
>>     14. org.apache.axis2:axis2-transports:jar:sources:1.0-i6
>>
>>     15. stax:stax-api:jar:sources:1.0.1
>>
>>
>> The question is, if someone of the ODE team already has transitively
>> checked all related licenses of the used dependencies when open
>> sourcing Apache ODE so that we can rely on your checks?
>>
>> Otherwise, would it be potentially possible that someone can provide
>> us the source code for all dependencies bundled within the WAR
>> distribution of Apache ODE so that we can check them?
>>
>> Cheers,
>>
>> Oliver
>>
>
>
