[ 
https://issues.apache.org/jira/browse/MNG-6771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976059#comment-16976059
 ] 

Enrico Olivelli commented on MNG-6771:
--------------------------------------

Using this command line it happens that we have some important stuff to copy to 
our NOTICE file from the jars in "lib"

 
{code:java}
for i in lib/*.jar boot/*.jar; do unzip -c $i META-INF/NOTICE; done{code}
{noformat}
 Archive:  lib/cdi-api-1.0.jar
Archive:  lib/commons-cli-1.4.jar
Archive:  lib/commons-io-2.5.jar
Archive:  lib/commons-lang3-3.8.1.jar
Archive:  lib/guava-25.1-android.jar
Archive:  lib/guice-4.2.1-no_aop.jar
  inflating: META-INF/NOTICE         Google Guice - Core Library
Copyright 2006-2018 Google, Inc.This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/jansi-1.17.1.jar
Archive:  lib/javax.inject-1.jar
Archive:  lib/jcl-over-slf4j-1.7.29.jar
Archive:  lib/jsoup-1.12.1.jar
Archive:  lib/jsr250-api-1.0.jar
Archive:  lib/maven-artifact-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven Artifact
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-builder-support-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven Builder Support
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-compat-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven Compat
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-core-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven Core
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-embedder-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven Embedder
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-model-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven Model
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-model-builder-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven Model Builder
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-plugin-api-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven Plugin API
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-repository-metadata-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven Repository Metadata Model
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-resolver-api-1.4.1.jar
  inflating: META-INF/NOTICE         Maven Artifact Resolver API
Copyright 2010-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-resolver-connector-basic-1.4.1.jar
  inflating: META-INF/NOTICE         Maven Artifact Resolver Connector Basic
Copyright 2010-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-resolver-impl-1.4.1.jar
  inflating: META-INF/NOTICE         Maven Artifact Resolver Implementation
Copyright 2010-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-resolver-provider-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven Artifact Resolver Provider
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-resolver-spi-1.4.1.jar
  inflating: META-INF/NOTICE         Maven Artifact Resolver SPI
Copyright 2010-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-resolver-transport-wagon-1.4.1.jar
  inflating: META-INF/NOTICE         Maven Artifact Resolver Transport Wagon
Copyright 2010-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-resolver-util-1.4.1.jar
  inflating: META-INF/NOTICE         Maven Artifact Resolver Utilities
Copyright 2010-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-settings-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven Settings
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-settings-builder-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven Settings Builder
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-shared-utils-3.2.1.jar
  inflating: META-INF/NOTICE         
This product includes software developed by
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/maven-slf4j-provider-3.6.3-SNAPSHOT.jar
  inflating: META-INF/NOTICE         Maven SLF4J Simple Provider
Copyright 2001-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/org.eclipse.sisu.inject-0.3.4.jar
Archive:  lib/org.eclipse.sisu.plexus-0.3.4.jar
Archive:  lib/plexus-cipher-1.7.jar
Archive:  lib/plexus-component-annotations-2.1.0.jar
Archive:  lib/plexus-interpolation-1.25.jar
Archive:  lib/plexus-sec-dispatcher-1.4.jar
Archive:  lib/plexus-utils-3.2.1.jar
  inflating: META-INF/NOTICE         
This product includes software developed by the Indiana University 
  Extreme! Lab (http://www.extreme.indiana.edu/).This product includes software 
developed by 
The Apache Software Foundation (http://www.apache.org/).This product includes 
software developed by 
ThoughtWorks (http://www.thoughtworks.com).This product includes software 
developed by 
javolution (http://javolution.org/).This product includes software developed by 
Rome (https://rome.dev.java.net/).
Archive:  lib/slf4j-api-1.7.29.jar
Archive:  lib/wagon-file-3.3.4.jar
  inflating: META-INF/NOTICE         Apache Maven Wagon :: Providers :: File 
Provider
Copyright 2003-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/wagon-http-3.3.4-shaded.jar
  inflating: META-INF/NOTICE         Apache Maven Wagon :: Providers :: HTTP 
Provider
Copyright 2003-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
lib/wagon-provider-api-3.3.4.jar
  inflating: META-INF/NOTICE         Apache Maven Wagon :: API
Copyright 2003-2019 The Apache Software FoundationThis product includes 
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:  
boot/plexus-classworlds-2.6.0.jar{noformat}

> Fix license issues on binary distribution
> -----------------------------------------
>
>                 Key: MNG-6771
>                 URL: https://issues.apache.org/jira/browse/MNG-6771
>             Project: Maven
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 3.6.2
>            Reporter: Vladimir Sitnikov
>            Assignee: Enrico Olivelli
>            Priority: Major
>              Labels: licenses
>             Fix For: 3.6.3
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Please feel free to adjust the priority, however 
> [http://www.apache.org/legal/release-policy.html#licensing] says that license 
> clearance is a must, thus I report this as a Blocker.
> {quote}Every ASF release MUST comply with ASF licensing policy. This 
> requirement is of utmost importance
> {quote}
> I downloaded apache-maven-3.6.2-bin.zip, and I see the following issues with 
> it (note: there might be more):
> h2. 1) jcl-over-slf4j:1.7.25
> in apache-maven-3.6.2/LICENSE:
> {quote} - JCL 1.2 implemented over SLF4J 
> ([http://www.slf4j.org|http://www.slf4j.org/]) 
> org.slf4j:jcl-over-slf4j:jar:1.7.25
>  License: MIT License (MIT) 
> [http://www.opensource.org/licenses/mit-license.php] 
> (lib/jcl-over-slf4j.license){quote}
> The license for the artifact is most likely Apache 2.0 rather than MIT: 
> [https://github.com/qos-ch/slf4j/tree/master/jcl-over-slf4j]
> h2. 2) slf4j-api:1.7.25
> in apache-maven-3.6.2/LICENSE:
> {quote} - SLF4J API Module ([http://www.slf4j.org|http://www.slf4j.org/]) 
> org.slf4j:slf4j-api:jar:1.7.25
>  License: MIT License (MIT) 
> [http://www.opensource.org/licenses/mit-license.php] 
> (lib/slf4j-api.license){quote}
> Maven does not comply with SLF4j license.
>  Here's license for SLF4j: [https://www.slf4j.org/license.html]
>  It requires to include slf4j copyright notice, however, Maven fails to do 
> that
> h2. 3) MIT license
> [http://www.opensource.org/licenses/mit-license.php] must not be used as it 
> almost never points to a true license. It is extremely unlucky that someone 
> would copyright their work as "Copyright (c) <year> <copyright holders>"
> h2. 4) org.eclipse.sisu.inject:0.3.3
> in apache-maven-3.6.2/LICENSE:
> {quote} - org.eclipse.sisu.inject 
> ([http://www.eclipse.org/sisu/org.eclipse.sisu.inject/]) 
> org.eclipse.sisu:org.eclipse.sisu.inject:eclipse-plugin:0.3.3
>  License: Eclipse Public License, Version 1.0 (EPL-1.0) 
> [http://www.eclipse.org/legal/epl-v10.html] 
> (lib/org.eclipse.sisu.inject.license){quote}
> The link to eclipse.org/sisu responds with 404.
> sisu might have their own copyright notices that should be retained, however 
> Maven re-distributes none of them (org.eclipse.sisu.inject.site-0.3.3.zip has 
> notice.html file which is not present in Maven re-distribution)
> h2. 5) ASM in org.eclipse.sisu.inject-0.3.3.jar
> lib/org.eclipse.sisu.inject-0.3.3.jar bundles ASM. ASM is MIT licensed, thus 
> every re-distribution MUST retain ASM copyright notice.
>  Maven re-distributes ASM and fails to comply with ASM license.
> h2. 6) jsoup in wagon-http-3.3.3-shaded.jar
> lib/wagon-http-3.3.3-shaded.jar bundles jsoup ([https://jsoup.org/license]) 
> which is MIT-licensed. Maven fails to comply with jsoup license.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to