[ https://issues.apache.org/jira/browse/MNG-6771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16949167#comment-16949167 ]
Herve Boutemy commented on MNG-6771:
------------------------------------

Official Apache releases are source releases only: binaries are a convenience, provided "as is" as best effort.

This does not mean that we should not do our best efforts: thank you for reporting, helping us improve will be welcome.

FYI, the paragraph you're looking at is generated through automation based on pom.xml
https://github.com/apache/maven/blob/master/apache-maven/src/main/appended-resources/META-INF/LICENSE.vm

Any additional requirement we find while doing a human review should ideally finish in an automation for future releases.

On issues you found where license information in pom.xml is different from files in source control, opening an issue (eventually with a PR) at the originating project seems the best thing to do.

On licenses that have additional requirements (MIT, EPL), we could probably improve our automation: do you see how to automate retrieval and addition to our binary bundle?

On wagon-http shaded, it's more tricky, I need to think more about how to do the job both at wagon level to declare the additional license implied by shading, then on Maven release to take it into account.

We should probably create sub-tasks for each issue found, so we can track progress

> Please fix license issues
> -------------------------
>
>                 Key: MNG-6771
>                 URL: https://issues.apache.org/jira/browse/MNG-6771
>             Project: Maven
>          Issue Type: Bug
>          Components: core
>   Affects Versions: 3.6.2
>            Reporter: Vladimir Sitnikov
>            Priority: Blocker
>
> Please feel free to adjust the priority, however [http://www.apache.org/legal/release-policy.html#licensing] says that license clearance is a must, thus I report this as a Blocker.
> {quote}Every ASF release MUST comply with ASF licensing policy. This requirement is of utmost importance
> {quote}
> I downloaded apache-maven-3.6.2-bin.zip, and I see the following issues with it (note: there might be more):
>
> 1) apache-maven-3.6.2/LICENSE:
> {quote} - JCL 1.2 implemented over SLF4J ([http://www.slf4j.org|http://www.slf4j.org/]) org.slf4j:jcl-over-slf4j:jar:1.7.25
> License: MIT License (MIT) [http://www.opensource.org/licenses/mit-license.php] (lib/jcl-over-slf4j.license){quote}
> The license for the artifact is most likely Apache 2.0 rather than MIT: [https://github.com/qos-ch/slf4j/tree/master/jcl-over-slf4j]
>
> 2) apache-maven-3.6.2/LICENSE:
> {quote} - SLF4J API Module ([http://www.slf4j.org|http://www.slf4j.org/]) org.slf4j:slf4j-api:jar:1.7.25
> License: MIT License (MIT) [http://www.opensource.org/licenses/mit-license.php] (lib/slf4j-api.license){quote}
> Maven does not comply with SLF4j license.
> Here's license for SLF4j: [https://www.slf4j.org/license.html]
> It requires to include slf4j copyright notice, however, Maven fails to do that
>
> 3) [http://www.opensource.org/licenses/mit-license.php] must not be used as it almost never points to a true license. It is extremely unlikely that someone would copyright their work as "Copyright (c) <year> <copyright holders>"
>
> 4) apache-maven-3.6.2/LICENSE:
> {quote} - org.eclipse.sisu.inject ([http://www.eclipse.org/sisu/org.eclipse.sisu.inject/]) org.eclipse.sisu:org.eclipse.sisu.inject:eclipse-plugin:0.3.3
> License: Eclipse Public License, Version 1.0 (EPL-1.0) [http://www.eclipse.org/legal/epl-v10.html] (lib/org.eclipse.sisu.inject.license){quote}
> The link to eclipse.org/sisu responds with 404.
> sisu might have their own copyright notices that should be retained, however Maven re-distributes none of them (org.eclipse.sisu.inject.site-0.3.3.zip has notice.html file which is not present in Maven re-distribution)
>
> 5) lib/org.eclipse.sisu.inject-0.3.3.jar bundles ASM. ASM is MIT licensed, thus every re-distribution MUST retain ASM copyright notice.
> Maven re-distributes ASM and fails to comply with ASM license.
>
> 6) lib/wagon-http-3.3.3-shaded.jar bundles jsoup ([https://jsoup.org/license]) which is MIT-licensed. Maven fails to comply with jsoup license.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)