From Fabian's excellent detailed and careful review:
http://mail-archives.apache.org/mod_mbox/incubator-marmotta-dev/201303.mbox/%3CCA%2B_sZ%2BjY_eH52KhEea19%3DL%3DGMJW%2BS5N7FBVmRM6TQeuL22Leuw%40mail.gmail.com%3E
I think we need to make sure we are agreed on each of these items:
== SHA1 archive and tag
>> The SHA1 checksum of the archive is 670d7c5d4d524acb86665f234dac4ade16be8da6.
Which archive are you referring to?
I went looking expecting this to be the SHA1 of the tag commit but can't
find such a git commit or the tag with that SHA1.
What was this commit SHA1?
The KEYS are okay but could be placed at a location like
http://marmotta.incubator.apache.org/KEYS
== KEYS
See also comment on KEYS.asc vs KEYS
The file will be placed at http://marmotta.incubator.apache.org/KEYS
No response to the KEYS.asc naming. Is it changing?
== N&L 1
LICENSE & NOTICE: "software based on Sgvizler license under a
MIT-style license" in NOTICE but
"Sgvizler Javascript library, which is available under a "MIT"
license" in LICENSE. Is there a difference? Not a problem for the
release.
Fix in progress.
== N&L 2
"data based on JSON-LD Test Suite licensed under CC0 License" in
NOTICE but there is no info in LICENSE - what is CC0? Fix in future
releases.
Sebastian explained this but I'm unclear whether there is a proposed
change. I think it should be in LICENSE.
Checking
./apache-marmotta-3.0.0-incubating-webapp.zip
LICENSE & NOTICE: "H2 Database Engine under The H2 License, Version
1.0" in NOTICE but in LICENSE there is no "H2 License". In LICENSE it
says "is dual licensed and available
under a modified version of the MPL 1.1 (Mozilla Public License) or
under the (unmodified) EPL 1.0 (Eclipse Public License)". You do not
include a copy of this modified version. I am really not an expert
but there might be people who would argue that you need to include a
copy of such licenses in LICENSE. My understanding of the ASF policies
is that you should include copies of the license not just pointers.
People need to be able to verify the licenses without the need to
follow pointers to websites which may change. In doubt I would include
the license text.
== N&L 3
To be added to LICENSE (in progress)
== DISCLAIMER
Missing in various binaries.
Checking
./apache-marmotta-3.0.0-incubating-installer.zip
marmotta-installer-3.0.0-incubating.jar/META-INF: Missing LICENSE,
NOTICE, DISCLAIMER
marmotta.war: Missing DISCLAIMER
Checking
./apache-marmotta-3.0.0-incubating-ldpath.zip
NOTICE has a list of included libs but the LICENSE does not list all
of them -> missing pointers to LICENSES
ldpath-3.0.0-incubating.jar/META-INF : Missing LICENSE, NOTICE, DISCLAIMER
== Maven artifacts
DISCLAIMER issues
Checking staged repo:
2013/3/22 Sebastian Schaffert:
A staged Maven repository is available for review at:
https://repository.apache.org/content/repositories/orgapachemarmotta-013/
I checked arbitrary files in the staged repo. All JARs I checked are
missing the DISCLAIMER in META-INF. I assume this is a general problem
with the build system. But the DISCLAIMER has to be there.
== Handling included source code
Summary: I still believe that the NOTICE file is the wrong place for
listing included libs. It is for legal notices, only.
This was a point from last RC and we don't seem to have got to consensus
yet.
When I looked last cycle, I got to point where I think source inclusion
and binary bundling are handled differently:
-- source inclusion
http://www.apache.org/dev/licensing-howto.html#mod-notice
I concluded that when it's included source code, if the whole source
code is used and that includes the copyright/license statement, it
should be left as-is and a pointer in LICENSE is sufficient.
If, however, only part of the source code is used, or if it is not
correctly labelled with their BSD-style notice, then the full license
goes in LICENSE. Additionally, if there is a missing copyright, a
copyright statement goes in NOTICE (so there is no potential to believe
it is (c) anything else).
It depends on how each item is used in Marmotta which means each usage
needs checking as to how it's used.
(I am also trying to learn here - it's not something I'd had to deal with.
On Jena we had included BSD source fragments and bundled binaries only
and even then we have full license in LICENSE where we are shipping
binaries ourselves on the principle of being self-contained for the
bytes in the artifact.)
-- binary bundling
Sebastian came up [1] with the info:
http://www.apache.org/dev/licensing-howto.html#permissive-deps
when the binary artifact bundles BSD unchanged.
Fabian, Sebastian, all - Does that agree with your understanding?
But since I am also still learning a lot about this legal stuff, others
may have another view on this.
We all are, and it's not completely static either :-)
Andy
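
An added example, not part of the original message or of the Marmotta build: a Python check for the problem reported above, JARs and WARs inside a release archive that lack LICENSE, NOTICE or DISCLAIMER in META-INF. The archive names and contents are constructed for illustration; each finding is paired with the SHA-1 of the exact archive that was checked, so a checksum can always be tied to a specific file.

```python
import hashlib
import io
import zipfile

REQUIRED = ("LICENSE", "NOTICE", "DISCLAIMER")  # files the review expects in META-INF
NESTED = (".jar", ".war")                       # archive types to check and descend into

def audit(data, label, report=None):
    """Map each JAR/WAR path to its SHA-1 and the REQUIRED files missing from META-INF."""
    report = {} if report is None else report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if label.endswith(NESTED):
            # Direct children of META-INF only; LICENSE.txt counts as LICENSE.
            present = {n.split("/")[1].split(".")[0].upper()
                       for n in names
                       if n.startswith("META-INF/") and n.count("/") == 1}
            report[label] = {"sha1": hashlib.sha1(data).hexdigest(),
                             "missing": [r for r in REQUIRED if r not in present]}
        for n in names:
            if n.endswith(NESTED):
                # Nested archives (e.g. WEB-INF/lib/*.jar in a WAR) are read in memory.
                audit(zf.read(n), f"{label}!/{n}", report)
    return report

def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def sample_dist():
    """Constructed distribution: a WAR without DISCLAIMER and a JAR without all three."""
    lib_ok = make_zip({f"META-INF/{n}": b"text" for n in REQUIRED})
    war = make_zip({"META-INF/LICENSE": b"text", "META-INF/NOTICE": b"text",
                    "WEB-INF/lib/lib-ok.jar": lib_ok})
    bare = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    return make_zip({"app.war": war, "tool.jar": bare})

if __name__ == "__main__":
    for path, info in audit(sample_dist(), "example-dist.zip").items():
        print(info["sha1"], path, "missing:", ", ".join(info["missing"]) or "nothing")
```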