[ https://issues.apache.org/jira/browse/MNG-6771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976059#comment-16976059 ]
Enrico Olivelli commented on MNG-6771:
--------------------------------------

Using this command line it happens that we have some important stuff to copy to our NOTICE file from the jars in "lib":
{code:java}
for i in lib/*.jar boot/*.jar; do unzip -c "$i" META-INF/NOTICE; done
{code}
{noformat}
Archive: lib/cdi-api-1.0.jar
Archive: lib/commons-cli-1.4.jar
Archive: lib/commons-io-2.5.jar
Archive: lib/commons-lang3-3.8.1.jar
Archive: lib/guava-25.1-android.jar
Archive: lib/guice-4.2.1-no_aop.jar
 inflating: META-INF/NOTICE
Google Guice - Core Library
Copyright 2006-2018 Google, Inc.

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/jansi-1.17.1.jar
Archive: lib/javax.inject-1.jar
Archive: lib/jcl-over-slf4j-1.7.29.jar
Archive: lib/jsoup-1.12.1.jar
Archive: lib/jsr250-api-1.0.jar
Archive: lib/maven-artifact-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven Artifact
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-builder-support-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven Builder Support
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-compat-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven Compat
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-core-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven Core
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-embedder-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven Embedder
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-model-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven Model
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-model-builder-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven Model Builder
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-plugin-api-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven Plugin API
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-repository-metadata-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven Repository Metadata Model
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-resolver-api-1.4.1.jar
 inflating: META-INF/NOTICE
Maven Artifact Resolver API
Copyright 2010-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-resolver-connector-basic-1.4.1.jar
 inflating: META-INF/NOTICE
Maven Artifact Resolver Connector Basic
Copyright 2010-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-resolver-impl-1.4.1.jar
 inflating: META-INF/NOTICE
Maven Artifact Resolver Implementation
Copyright 2010-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-resolver-provider-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven Artifact Resolver Provider
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-resolver-spi-1.4.1.jar
 inflating: META-INF/NOTICE
Maven Artifact Resolver SPI
Copyright 2010-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-resolver-transport-wagon-1.4.1.jar
 inflating: META-INF/NOTICE
Maven Artifact Resolver Transport Wagon
Copyright 2010-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-resolver-util-1.4.1.jar
 inflating: META-INF/NOTICE
Maven Artifact Resolver Utilities
Copyright 2010-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-settings-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven Settings
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-settings-builder-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven Settings Builder
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-shared-utils-3.2.1.jar
 inflating: META-INF/NOTICE
This product includes software developed by The Apache Software Foundation (http://www.apache.org/).

Archive: lib/maven-slf4j-provider-3.6.3-SNAPSHOT.jar
 inflating: META-INF/NOTICE
Maven SLF4J Simple Provider
Copyright 2001-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/org.eclipse.sisu.inject-0.3.4.jar
Archive: lib/org.eclipse.sisu.plexus-0.3.4.jar
Archive: lib/plexus-cipher-1.7.jar
Archive: lib/plexus-component-annotations-2.1.0.jar
Archive: lib/plexus-interpolation-1.25.jar
Archive: lib/plexus-sec-dispatcher-1.4.jar
Archive: lib/plexus-utils-3.2.1.jar
 inflating: META-INF/NOTICE
This product includes software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).

This product includes software developed by The Apache Software Foundation (http://www.apache.org/).

This product includes software developed by ThoughtWorks (http://www.thoughtworks.com).

This product includes software developed by javolution (http://javolution.org/).

This product includes software developed by Rome (https://rome.dev.java.net/).

Archive: lib/slf4j-api-1.7.29.jar
Archive: lib/wagon-file-3.3.4.jar
 inflating: META-INF/NOTICE
Apache Maven Wagon :: Providers :: File Provider
Copyright 2003-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/wagon-http-3.3.4-shaded.jar
 inflating: META-INF/NOTICE
Apache Maven Wagon :: Providers :: HTTP Provider
Copyright 2003-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: lib/wagon-provider-api-3.3.4.jar
 inflating: META-INF/NOTICE
Apache Maven Wagon :: API
Copyright 2003-2019 The Apache Software Foundation

This product includes software developed at The Apache Software Foundation (http://www.apache.org/).

Archive: boot/plexus-classworlds-2.6.0.jar
{noformat}

> Fix license issues on binary distribution
> -----------------------------------------
>
> Key: MNG-6771
> URL: https://issues.apache.org/jira/browse/MNG-6771
> Project: Maven
> Issue Type: Bug
> Components: General
> Affects Versions: 3.6.2
> Reporter: Vladimir Sitnikov
> Assignee: Enrico Olivelli
> Priority: Major
> Labels: licenses
> Fix For: 3.6.3
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Please feel free to adjust the priority, however
> [http://www.apache.org/legal/release-policy.html#licensing] says that license
> clearance is a must, thus I report this as a Blocker.
> {quote}Every ASF release MUST comply with ASF licensing policy. This
> requirement is of utmost importance
> {quote}
> I downloaded apache-maven-3.6.2-bin.zip, and I see the following issues with
> it (note: there might be more):
> h2. 1) jcl-over-slf4j:1.7.25
> in apache-maven-3.6.2/LICENSE:
> {quote} - JCL 1.2 implemented over SLF4J
> ([http://www.slf4j.org|http://www.slf4j.org/])
> org.slf4j:jcl-over-slf4j:jar:1.7.25
> License: MIT License (MIT)
> [http://www.opensource.org/licenses/mit-license.php]
> (lib/jcl-over-slf4j.license){quote}
> The license for the artifact is most likely Apache 2.0 rather than MIT:
> [https://github.com/qos-ch/slf4j/tree/master/jcl-over-slf4j]
> h2. 2) slf4j-api:1.7.25
> in apache-maven-3.6.2/LICENSE:
> {quote} - SLF4J API Module ([http://www.slf4j.org|http://www.slf4j.org/])
> org.slf4j:slf4j-api:jar:1.7.25
> License: MIT License (MIT)
> [http://www.opensource.org/licenses/mit-license.php]
> (lib/slf4j-api.license){quote}
> Maven does not comply with SLF4j license.
> Here's license for SLF4j: [https://www.slf4j.org/license.html]
> It requires to include slf4j copyright notice, however, Maven fails to do
> that.
> h2. 3) MIT license
> [http://www.opensource.org/licenses/mit-license.php] must not be used as it
> almost never points to a true license. It is extremely unlucky that someone
> would copyright their work as "Copyright (c) <year> <copyright holders>"
> h2. 4) org.eclipse.sisu.inject:0.3.3
> in apache-maven-3.6.2/LICENSE:
> {quote} - org.eclipse.sisu.inject
> ([http://www.eclipse.org/sisu/org.eclipse.sisu.inject/])
> org.eclipse.sisu:org.eclipse.sisu.inject:eclipse-plugin:0.3.3
> License: Eclipse Public License, Version 1.0 (EPL-1.0)
> [http://www.eclipse.org/legal/epl-v10.html]
> (lib/org.eclipse.sisu.inject.license){quote}
> The link to eclipse.org/sisu responds with 404.
> sisu might have their own copyright notices that should be retained, however
> Maven re-distributes none of them (org.eclipse.sisu.inject.site-0.3.3.zip has
> notice.html file which is not present in Maven re-distribution)
> h2. 5) ASM in org.eclipse.sisu.inject-0.3.3.jar
> lib/org.eclipse.sisu.inject-0.3.3.jar bundles ASM. ASM is MIT licensed, thus
> every re-distribution MUST retain ASM copyright notice.
> Maven re-distributes ASM and fails to comply with ASM license.
> h2. 6) jsoup in wagon-http-3.3.3-shaded.jar
> lib/wagon-http-3.3.3-shaded.jar bundles jsoup ([https://jsoup.org/license])
> which is MIT-licensed. Maven fails to comply with jsoup license.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
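
The `unzip` loop in the comment shows which jars ship a `META-INF/NOTICE`, but not which jars bundle another project's classes, the situation items 5 and 6 of the issue describe. The following is an added example, not part of the Jira thread or of Maven's build: it lists each jar's legal files next to its package roots so the two can be compared. The names `audit_jar`, `bundled_roots` and `make_jar`, and the sample jar contents, are hypothetical and constructed for illustration.

```python
import io
import zipfile
from collections import Counter

# File names under META-INF/ treated as legal files (prefix match, case-insensitive).
LEGAL_NAMES = ("NOTICE", "LICENSE")


def audit_jar(jar, depth=2):
    """Return the legal files directly under META-INF/ and class counts per package root."""
    legal, roots = [], Counter()
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if parts[0] == "META-INF":
                if len(parts) == 2 and parts[1].upper().startswith(LEGAL_NAMES):
                    legal.append(name)
                continue  # nothing else under META-INF/ is counted as a package
            if name.endswith(".class") and len(parts) > depth:
                roots[".".join(parts[:depth])] += 1
    return {"legal": sorted(legal), "roots": dict(roots)}


def bundled_roots(report, own_root):
    """Package roots other than the jar's own: candidates for bundled third-party code."""
    return sorted(r for r in report["roots"] if r != own_root)


def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample: a jar with its own NOTICE that also carries classes
# from a second package root and no notice covering them.
SAMPLE = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/NOTICE": b"Example Provider\nCopyright 2019 Example Org\n",
    "com/example/provider/Main.class": b"",
    "com/example/provider/Util.class": b"",
    "org/jsoup/Jsoup.class": b"",
})

if __name__ == "__main__":
    report = audit_jar(SAMPLE)
    print(report["legal"], bundled_roots(report, "com.example"))
```

Classes that were relocated during shading appear under the relocated package name, so the reported roots still need a manual read against the dependency list.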