[
https://issues.apache.org/jira/browse/MNG-6771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976059#comment-16976059
]
Enrico Olivelli commented on MNG-6771:
--------------------------------------
Using this command line it happens that we have some important stuff to copy to
our NOTICE file from the jars in "lib"
{code:java}
for i in lib/*.jar boot/*.jar; do unzip -c $i META-INF/NOTICE; done{code}
{noformat}
Archive: lib/cdi-api-1.0.jar
Archive: lib/commons-cli-1.4.jar
Archive: lib/commons-io-2.5.jar
Archive: lib/commons-lang3-3.8.1.jar
Archive: lib/guava-25.1-android.jar
Archive: lib/guice-4.2.1-no_aop.jar
inflating: META-INF/NOTICE Google Guice - Core Library
Copyright 2006-2018 Google, Inc.This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/jansi-1.17.1.jar
Archive: lib/javax.inject-1.jar
Archive: lib/jcl-over-slf4j-1.7.29.jar
Archive: lib/jsoup-1.12.1.jar
Archive: lib/jsr250-api-1.0.jar
Archive: lib/maven-artifact-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven Artifact
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-builder-support-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven Builder Support
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-compat-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven Compat
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-core-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven Core
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-embedder-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven Embedder
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-model-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven Model
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-model-builder-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven Model Builder
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-plugin-api-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven Plugin API
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-repository-metadata-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven Repository Metadata Model
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-resolver-api-1.4.1.jar
inflating: META-INF/NOTICE Maven Artifact Resolver API
Copyright 2010-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-resolver-connector-basic-1.4.1.jar
inflating: META-INF/NOTICE Maven Artifact Resolver Connector Basic
Copyright 2010-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-resolver-impl-1.4.1.jar
inflating: META-INF/NOTICE Maven Artifact Resolver Implementation
Copyright 2010-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-resolver-provider-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven Artifact Resolver Provider
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-resolver-spi-1.4.1.jar
inflating: META-INF/NOTICE Maven Artifact Resolver SPI
Copyright 2010-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-resolver-transport-wagon-1.4.1.jar
inflating: META-INF/NOTICE Maven Artifact Resolver Transport Wagon
Copyright 2010-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-resolver-util-1.4.1.jar
inflating: META-INF/NOTICE Maven Artifact Resolver Utilities
Copyright 2010-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-settings-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven Settings
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-settings-builder-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven Settings Builder
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-shared-utils-3.2.1.jar
inflating: META-INF/NOTICE
This product includes software developed by
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/maven-slf4j-provider-3.6.3-SNAPSHOT.jar
inflating: META-INF/NOTICE Maven SLF4J Simple Provider
Copyright 2001-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/org.eclipse.sisu.inject-0.3.4.jar
Archive: lib/org.eclipse.sisu.plexus-0.3.4.jar
Archive: lib/plexus-cipher-1.7.jar
Archive: lib/plexus-component-annotations-2.1.0.jar
Archive: lib/plexus-interpolation-1.25.jar
Archive: lib/plexus-sec-dispatcher-1.4.jar
Archive: lib/plexus-utils-3.2.1.jar
inflating: META-INF/NOTICE
This product includes software developed by the Indiana University
Extreme! Lab (http://www.extreme.indiana.edu/).This product includes software
developed by
The Apache Software Foundation (http://www.apache.org/).This product includes
software developed by
ThoughtWorks (http://www.thoughtworks.com).This product includes software
developed by
javolution (http://javolution.org/).This product includes software developed by
Rome (https://rome.dev.java.net/).
Archive: lib/slf4j-api-1.7.29.jar
Archive: lib/wagon-file-3.3.4.jar
inflating: META-INF/NOTICE Apache Maven Wagon :: Providers :: File
Provider
Copyright 2003-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/wagon-http-3.3.4-shaded.jar
inflating: META-INF/NOTICE Apache Maven Wagon :: Providers :: HTTP
Provider
Copyright 2003-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
lib/wagon-provider-api-3.3.4.jar
inflating: META-INF/NOTICE Apache Maven Wagon :: API
Copyright 2003-2019 The Apache Software FoundationThis product includes
software developed at
The Apache Software Foundation (http://www.apache.org/).Archive:
boot/plexus-classworlds-2.6.0.jar{noformat}
> Fix license issues on binary distribution
> -----------------------------------------
>
> Key: MNG-6771
> URL: https://issues.apache.org/jira/browse/MNG-6771
> Project: Maven
> Issue Type: Bug
> Components: General
> Affects Versions: 3.6.2
> Reporter: Vladimir Sitnikov
> Assignee: Enrico Olivelli
> Priority: Major
> Labels: licenses
> Fix For: 3.6.3
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Please feel free to adjust the priority, however
> [http://www.apache.org/legal/release-policy.html#licensing] says that license
> clearance is a must, thus I report this as a Blocker.
> {quote}Every ASF release MUST comply with ASF licensing policy. This
> requirement is of utmost importance
> {quote}
> I downloaded apache-maven-3.6.2-bin.zip, and I see the following issues with
> it (note: there might be more):
> h2. 1) jcl-over-slf4j:1.7.25
> in apache-maven-3.6.2/LICENSE:
> {quote} - JCL 1.2 implemented over SLF4J
> ([http://www.slf4j.org|http://www.slf4j.org/])
> org.slf4j:jcl-over-slf4j:jar:1.7.25
> License: MIT License (MIT)
> [http://www.opensource.org/licenses/mit-license.php]
> (lib/jcl-over-slf4j.license){quote}
> The license for the artifact is most likely Apache 2.0 rather than MIT:
> [https://github.com/qos-ch/slf4j/tree/master/jcl-over-slf4j]
> h2. 2) slf4j-api:1.7.25
> in apache-maven-3.6.2/LICENSE:
> {quote} - SLF4J API Module ([http://www.slf4j.org|http://www.slf4j.org/])
> org.slf4j:slf4j-api:jar:1.7.25
> License: MIT License (MIT)
> [http://www.opensource.org/licenses/mit-license.php]
> (lib/slf4j-api.license){quote}
> Maven does not comply with SLF4j license.
> Here's license for SLF4j: [https://www.slf4j.org/license.html]
> It requires to include slf4j copyright notice, however, Maven fails to do
> that
> h2. 3) MIT license
> [http://www.opensource.org/licenses/mit-license.php] must not be used as it
> almost never points to a true license. It is extremely unlucky that someone
> would copyright their work as "Copyright (c) <year> <copyright holders>"
> h2. 4) org.eclipse.sisu.inject:0.3.3
> in apache-maven-3.6.2/LICENSE:
> {quote} - org.eclipse.sisu.inject
> ([http://www.eclipse.org/sisu/org.eclipse.sisu.inject/])
> org.eclipse.sisu:org.eclipse.sisu.inject:eclipse-plugin:0.3.3
> License: Eclipse Public License, Version 1.0 (EPL-1.0)
> [http://www.eclipse.org/legal/epl-v10.html]
> (lib/org.eclipse.sisu.inject.license){quote}
> The link to eclipse.org/sisu responds with 404.
> sisu might have their own copyright notices that should be retained, however
> Maven re-distributes none of them (org.eclipse.sisu.inject.site-0.3.3.zip has
> notice.html file which is not present in Maven re-distribution)
> h2. 5) ASM in org.eclipse.sisu.inject-0.3.3.jar
> lib/org.eclipse.sisu.inject-0.3.3.jar bundles ASM. ASM is MIT licensed, thus
> every re-distribution MUST retain ASM copyright notice.
> Maven re-distributes ASM and fails to comply with ASM license.
> h2. 6) jsoup in wagon-http-3.3.3-shaded.jar
> lib/wagon-http-3.3.3-shaded.jar bundles jsoup ([https://jsoup.org/license])
> which is MIT-licensed. Maven fails to comply with jsoup license.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
