Hi, Sorry but -1 (binding) due to source release containing EPL licensed software
I checked the source release: - incubating in release name - signatures and hashes correct - DISCLAIMER exists - LICENSE is missing a few thing and incorrectly lists licenses (see below) - NOTICE year is incorrect - no unexpected binary - source files have headers - can compile from source License issues: - Looks to me that RainbowVis-JS is EPL [1] not MIT. EPL can’t be included in a source release. - Missing normalize.css (MIT) [2] - Missing license for second bottle file (MIT) [3] - Bootstrap version bundled is Apache licensed not MIT licensed [4] - Short form of licenses in LICENSE is preferred i.e. pointers to the license files [5] - It’s also not mentioned for all licenses what each license is (MIT/BSD etc) that can be helpful. The version of the bundled software is also helpful. - Should include text of RainbowVis-JS license (or better still a pointer to a copy of the license file) [5] not a pointer to a URL on github For Hyracks source release: - incubating in release name - signatures and hashes correct - DISCLAIMER exists - LICENSE is ok - NOTICE OK except year is incorrect - no unexpected binary files - source files have Apache header - can compile from source For the binary release I see you listed out the licence of each jar - that’s great. But I think there can be some improvements: - You may need to go one step further, some of those jars contain bundled software which may need to be added to LICENSE and NOTICE - Your LICENSE lists a large number of CDDL licensed bits of software. CDDL is Category B and it’s my understanding that you must provide a link to the source code (see 3.1. Availability of Source Code in [8]) Pervious advice on legal discuss was this goes in NOTICE but recent discussions have left this a bit more muddled. -There's no need to list in NOTICE the copyright years and name of an ASF licensed product or the line " This product includes software developed by”. - The NOTICE files have a lot of not required information in them [7] I didn't check if there was anything missing form LICENSE/NOTICE in the binary releases. Thanks, Justin 1. https://github.com/anomal/RainbowVis-JS/blob/master/license.md 2. ./asterix-examples/src/main/resources/admaql101-demo/static/css/bootstrap.min.css 3. ./asterix-examples/src/main/resources/tweetbook-demo/bottle.py 4. ./asterix-app/src/main/resources/webui/static/js/bootstrap.min.js 5. http://www.apache.org/dev/licensing-howto.html#permissive-deps 7. http://www.apache.org/dev/licensing-howto.html#mod-notice 8. https://opensource.org/licenses/CDDL-1.0 --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
