incubator-general mailing list archives

From Emmanuel Lécharny <>
Subject Re: [VOTE] Apache Syncope 1.0.0-RC1-incubating / 2nd attempt
Date Thu, 17 May 2012 04:47:29 GMT
On 5/16/12 9:45 AM, Francesco Chicchiriccò wrote:
> Hi all,
Hi Francesco
> as far as I've understood we are quite in an impasse here: is there any
> quick way out?
Thinking twice about the third party components, I came to the 
conclusion that we should include the license of those requiring that it 
should be done, even if we have some transitive dependencies.

The reason is that if a direct 3rd party does not have a N&L containing 
transitive 3rd party, then those direct 3rd party are faulty. But 
because they are faulty does not mean we should also be (transitively) 
faulty!

That also means some of the ASF projects (including ApacheDS I'm working 
on!) have to double check their N&L files, something I'll do asap.

I'll be a bit busy the next 4 days, but I'll try to get a clear decision 
about this problem before next week, as it may impact many other projects.

Thanks!
> I've performed some more analysis and I've come to the following findings:
> 1. XPP3 is pulled in by XStream (syncope-core and syncope-console WAR files)
> [INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.2:compile
> [INFO] |  \- xpp3:xpp3_min:jar:1.1.4c:compile
> and by ApacheDS (syncope-build-tools WAR file)
> [INFO] +-
> [INFO] |  +-
> [INFO] |  \-
> [INFO] |     \- xpp3:xpp3:jar:1.1.4c:compile
> XStream says that other XML parsers can be used (
>, I don't know
> about ApacheDS - but guess Emmanuel does.
> 2. The following are all the transitive dependencies currently not
> mentioned in L&N files:
> org.livetribe:livetribe-jsr223:jar:2.0.6
> org.mybatis:mybatis:jar:3.0.6
> xmlpull:xmlpull:jar:
> xpp3:xpp3_min:jar:1.1.4c / xpp3:xpp3:jar:1.1.4c
> aopalliance:aopalliance:jar:1.0
> asm:asm:jar:3.3.1
> antlr:antlr:jar:2.7.7
> dom4j:dom4j:jar:1.6.1
> joda-time:joda-time:jar:2.0
> Can we find a simple and shared way to assess what is the legal,
> correct and complete, content of Syncope L&N files?
> Is there any other ASF project distributing WAR files we can check?
> If not: what if we just include in L&N files all the deps reported above?
> Is this harmful in any way?
> Please help: we'd really like to cut out first release...
> Best regards.
> On 15/05/2012 11:36, Christian Grobmeier wrote:
>>> The point is that we don't vote binaries, we vote sources. Generated
>>> binaries are just by-products of the build.
>>> That we distribute binaries is just for convenience.
>> which does not change anything imho
>>> Now, I do think that we should include into the N&L files the licenses for
>>> 3rd parties we *directly* include, but not those that are transitively
>>> included. I may be wrong though. I understand your position, too.
>>> It may be worthful to ask beside this thread what is the correct way to
>>> refer those transitive dependencies...
>> +1
>> Did not know there were other positions actually.
>>>> "All the licenses on all the files to be included within a package
>>>> should be included in the LICENSE document. "
>>> But as soon as we include the deps' licenses we include, even if they
>>> themselves include some 3rd party licenses, my understanding is that they
>>> already have done the job...
>> If they did it. I have not opened all the files to be honest, but
>> is this something we can rely on (that they have done their job
>> properly)?
>>>> It says to me, it does not matter who depends on what, it does only
>>>> matter what's inside your war.
>>>> Btw, I am still unsure which license XPP has. This is worse, because:
>>>> "Again, these artifacts may be distributed only if they contain
>>>> LICENSE and NOTICE files"
>>> See on
>>> unzip the
>>> tarball and check the included license.
>> Thanks! I opened the jar from the Syncope war, there was no info included.
>> Is that compatible? "Indiana University Extreme! Lab Software License"
>> I think it's fine, but I am not very good with that boring stuff:
>> Btw, this phrase is interesting:
>> "Redistributions in binary form must reproduce the above copyright notice"
>> This includes the provided war file. There is no copyright notice of
>> XPP and my guess is the license holders are not interested if we are
>> having it as transitive lib or not.

Emmanuel Lécharny
