Hi guys,
I just updated our LICENSE of the binary distribution and noticed that we also list dependencies which are licensed under Apache-2.0. As far as I understand the ASF guidelines [1], this is not strictly necessary. Since it is a lot of work to keep the list up to date, I was wondering whether we want to remove Apache-2.0 dependencies from this list or not. I would be in favour of this if it does not contradict an ASF policy which I miss.

This might even have another advantage. Currently, we're shading in many modules the Guava and ASM dependency away. Thus their binary data is contained in nearly every jar we publish on maven. If we wanted to be consistent with our license policy then we would have to add in each of these jars a LICENSE/NOTICE file which lists these two dependencies, IMO.

Cheers,
Till

[1] http://www.apache.org/dev/licensing-howto.html#mod-notice

If it is not against the Apache Guidelines I would vote for removing them.
I'm always in favour of keeping things simple.

On Fri, 12 Jun 2015 at 18:34 Till Rohrmann <[hidden email]> wrote:

> Hi guys,
>
> I just updated our LICENSE of the binary distribution and noticed that we also list dependencies which are licensed under Apache-2.0. As far as I understand the ASF guidelines [1], this is not strictly necessary. Since it is a lot of work to keep the list up to date, I was wondering whether we want to remove Apache-2.0 dependencies from this list or not. I would be in favour of this if it does not contradict an ASF policy which I miss.
>
> This might even have another advantage. Currently, we're shading in many modules the Guava and ASM dependency away. Thus their binary data is contained in nearly every jar we publish on maven. If we wanted to be consistent with our license policy then we would have to add in each of these jars a LICENSE/NOTICE file which lists these two dependencies, IMO.
>
> Cheers,
> Till
>
> [1] http://www.apache.org/dev/licensing-howto.html#mod-notice

Hi Till,
That's correct, it is not necessary to include Apache 2.0-licensed projects in the LICENSE file, unless they contain non-Apache 2.0-licensed code. We should definitely remove those entries from the LICENSE file.

Best,
Max

On Sat, Jun 13, 2015 at 4:51 PM, Aljoscha Krettek <[hidden email]> wrote:

> If it is not against the Apache Guidelines I would vote for removing them.
> I'm always in favour of keeping things simple.

Hi Till,
There are several discussions about LICENSE for dependencies happening at the same time so I would like to make sure we merge them into a decision in dev@ list.

Is this related to PR https://github.com/apache/flink/pull/830 for updating LICENSE and NOTICE of Flink dependencies?

- Henry

On Sun, Jun 14, 2015 at 6:28 AM, Maximilian Michels <[hidden email]> wrote:

> Hi Till,
>
> That's correct, it is not necessary to include Apache 2.0-licensed projects in the LICENSE file, unless they contain non-Apache 2.0-licensed code. We should definitely remove those entries from the LICENSE file.
>
> Best,
> Max

Hi Henry,
there are actually two licensing questions and one update for the current release going on but all of them are orthogonal and therefore I would like to keep them separate.

The PR [1] which you referred to are the necessary updates for the source and binary distribution of the upcoming release. There it's important that maybe another pair of eyes takes a look at it.

Then we have the question whether we have to include a LICENSE and NOTICE file in our jars because they contain shaded dependencies.

And last but not least, the question of this thread is whether we want to keep the list of Apache-2.0 dependencies in our LICENSE files or not. Thus, let's first discuss and then maybe decide later on this issue here in this thread.

Cheers,
Till

On Sun, Jun 14, 2015 at 8:03 PM Henry Saputra <[hidden email]> wrote:

> Hi Till,
>
> There are several discussions about LICENSE for dependencies happening at the same time so I would like to make sure we merge them into a decision in dev@ list.
>
> Is this related to PR https://github.com/apache/flink/pull/830 for updating LICENSE and NOTICE of Flink dependencies?
>
> - Henry

To summarize:
1. Your PR changes are necessary. Thanks for doing it.
2. The consensus (PR comments + ML) is to skip other Apache licensed dependencies.
3. Shaded Jars need LICENSE and NOTICE in META-INF.

Let's wrap this up today and get it out of the way of the release. :-)

– Ufuk

On 15 Jun 2015, at 10:37, Till Rohrmann <[hidden email]> wrote:

> Hi Henry,
>
> there are actually two licensing questions and one update for the current release going on but all of them are orthogonal and therefore I would like to keep them separate.
>
> The PR [1] which you referred to are the necessary updates for the source and binary distribution of the upcoming release. There it's important that maybe another pair of eyes takes a look at it.
>
> Then we have the question whether we have to include a LICENSE and NOTICE file in our jars because they contain shaded dependencies.
>
> And last but not least, the question of this thread is whether we want to keep the list of Apache-2.0 dependencies in our LICENSE files or not. Thus, let's first discuss and then maybe decide later on this issue here in this thread.
>
> Cheers,
> Till

In reply to this post by Till Rohrmann
Here are some cogent comments from Marvin Humphrey.
On Mon, Jun 15, 2015 at 6:04 PM, Marvin Humphrey <[hidden email]> wrote:

> Hi Ted,
>
> The discussion seems to be about the convenience binary, not the official source release, so ASF policy differs. The party who supplies a convenience binary bears responsibility for its licensing info. The ASF's chief concern with regards to licensing info of a convenience binary is that it be legally correct, allowing us and anyone downstream to redistribute. Beyond that, we might not be as finicky as we are about licensing info in the official source release.
>
> That said, applying the Licensing HowTo to a convenience binary is not a bad plan -- it should result in correct licensing info.
>
> Bottom line: in all cases, LICENSE and NOTICE must reflect the bundled bits.
>
> It is true that the ASF does not require the enumeration of dependencies which are under the ALv2 in LICENSE. Think of LICENSE as surfacing all the licenses for all code bundled in the artifact. It would be a problem if bundled bits under BSD3 were not mentioned in the LICENSE of a convenience binary as required by BSD3's second clause -- and each BSD3 license differs slightly because it is a template with a copyright notice plugged in. In contrast, a single copy of the ALv2 applies to all ALv2-licensed code.
>
> *However*, you still have to keep NOTICE up-to-date for all ALv2 dependencies that supply one. In practice, this means that you will end up enumerating ASF-sourced ALv2 dependencies (and possibly others) in NOTICE.
>
> With regards to shading/Guava/ASM, I don't fully understand what Till is proposing so I'm reluctant to comment specifically. But the bottom line is still the bottom line: LICENSE and NOTICE must reflect the bundled bits.
>
> Hope this helps,
>
> Marvin
>
> On Fri, Jun 12, 2015 at 9:45 AM, Ted Dunning <[hidden email]> wrote:
> > Marvin,
> >
> > Can you comment on this question that the flink guys have?
> >
> > ---------- Forwarded message ----------
> > From: Till Rohrmann <[hidden email]>
> > Date: Fri, Jun 12, 2015 at 9:33 AM
> > Subject: Listing Apache-2.0 dependencies in LICENSE file
> > To: "[hidden email]" <[hidden email]>
> >
> > Hi guys,
> >
> > I just updated our LICENSE of the binary distribution and noticed that we also list dependencies which are licensed under Apache-2.0. As far as I understand the ASF guidelines [1], this is not strictly necessary. Since it is a lot of work to keep the list up to date, I was wondering whether we want to remove Apache-2.0 dependencies from this list or not. I would be in favour of this if it does not contradict an ASF policy which I miss.
> >
> > This might even have another advantage. Currently, we're shading in many modules the Guava and ASM dependency away. Thus their binary data is contained in nearly every jar we publish on maven. If we wanted to be consistent with our license policy then we would have to add in each of these jars a LICENSE/NOTICE file which lists these two dependencies, IMO.
> >
> > Cheers,
> > Till
> >
> > [1] http://www.apache.org/dev/licensing-howto.html#mod-notice

It is true, we need not list the dependencies under ASL2. I originally added them as a convenience list of bundled dependencies of the source release. I think it is nice to keep them, if not resulting in excessive overhead for maintenance.

On Mon, Jun 15, 2015 at 7:22 PM, Ted Dunning <[hidden email]> wrote:

> Here are some cogent comments from Marvin Humphrey.

In reply to this post by Till Rohrmann
Thanks Till, that clears up the confusion I had =)
On Mon, Jun 15, 2015 at 1:37 AM, Till Rohrmann <[hidden email]> wrote:

> Hi Henry,
>
> there are actually two licensing questions and one update for the current release going on but all of them are orthogonal and therefore I would like to keep them separate.
>
> The PR [1] which you referred to are the necessary updates for the source and binary distribution of the upcoming release. There it's important that maybe another pair of eyes takes a look at it.
>
> Then we have the question whether we have to include a LICENSE and NOTICE file in our jars because they contain shaded dependencies.
>
> And last but not least, the question of this thread is whether we want to keep the list of Apache-2.0 dependencies in our LICENSE files or not. Thus, let's first discuss and then maybe decide later on this issue here in this thread.
>
> Cheers,
> Till

Thanks Ted for writing Marvin. I think this clarifies things for the LICENSE and NOTICE files. Since we have to parse anyways the NOTICE files of all direct and transitive ALv2 dependencies for the binary distribution, it probably does not make a big difference in terms of maintenance whether we list them in the LICENSE file or not.

Cheers,
Till

On Tue, Jun 16, 2015 at 7:36 AM Henry Saputra <[hidden email]> wrote:

> Thanks Till, that clears up the confusion I had =)