incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Francesco Chicchiriccò <>
Subject Re: [VOTE] Apache Syncope 1.0.0-RC1-incubating / 2nd attempt
Date Wed, 16 May 2012 07:45:52 GMT
Hi all,
as far as I've understood we are quite in an impasse here: is there any
quick way out?

I've performed some more analysis and I've come to the following findings:

1. XPP3 is pulled in by XStream (syncope-core and syncope-console WAR files)

[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.2:compile
[INFO] |  \- xpp3:xpp3_min:jar:1.1.4c:compile

and by ApacheDS (syncope-build-tools WAR file)

[INFO] +-
[INFO] |  +-
[INFO] |  \-
[INFO] |     \- xpp3:xpp3:jar:1.1.4c:compile

XStream says that other XML parsers can be used (, I don't know
about ApacheDS - but guess Emmanuel does.

2. The following are all the transitive dependencies currently not
mentioned in L&N files:

xpp3:xpp3_min:jar:1.1.4c / xpp3:xpp3:jar:1.1.4c

Can we found a simple and shared way to assess what is the legal,
correct and complete, content of Syncope L&N files?
Is there any other ASF project distributing WAR files we can check?

If not: what if just include in L&N files all the deps reported above?
Is this harmful in any way?

Please help: we'd really like to cut out first release...

Best regards.

On 15/05/2012 11:36, Christian Grobmeier wrote:
>> The point is that we don't vote binaries, we vote sources. Generated
>> binaries are just by-products of the build.
>> That we distribute binaries is just for convenience.
> which does not change anything imho
>> Now, I do think that we should include into the N&L files the licenses for
>> 3rd parties we *directly* include, but not those that are transivitely
>> included. I may be wrong though. I understand your position, too.
>> It may be worthful to ask beside this thread what is the correct way to
>> refer those transitive dependencies...
> +1
> Did not know there were other positions actually.
>>> "All the licenses on all the files to be included within a package
>>> should be included in the LICENSE document. "
>> But as soon as we include the deps' licenses we include, even if they
>> themselves include some 3rd party licenses, my understanding is that they
>> already have done the job...
> If they did it it. I have not opened all the files to be honest, but
> is this something we can rely on (that they have done their job
> proberly)?
>>> It says to me, it does not matter who depends on what, it does only
>>> matter whats inside your war.
>>> Btw, I am still unsure which license XPP has. This is worse, because:
>>> "Again, these artifacts may be distributed only if they contain
>>> LICENSE and NOTICE files"
>> See on
>> unzip the
>> tarball and check the included license.
> Thanks! I opened the jar from the Syncope war, there was no info included.
> Is that compatible? "Indiana University Extreme! Lab Software License"
> I think its fine, but I am not very good with that boring stuff:
> Btw, this phrase is interesting:
> "Redistributions in binary form must reproduce the above copyright notice"
> This includes the provided war file. There is no copyright notice of
> XPP and my guess is the license holders are not interested if we are
> having it as transitive lib or not.
Francesco Chicchiriccò

Apache Cocoon PMC and Apache Syncope PPMC Member

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message