incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Harui <>
Subject Re: Licensing requirement for binary artifacts without transitive deps
Date Tue, 20 Sep 2016 19:08:01 GMT

On 9/20/16, 11:50 AM, "Donald Szeto" <> wrote:

>Hi all,
>I am preparing my first Apache release and am wondering if I need to check
>licenses of all transitive deps if the release contains:
>- a single source tarball;
>- a few binary JAR artifacts on Nexus that contain no transitive deps in
>either binary or source form.

An official Apache release only contains source.  It cannot contained
compiled binaries.

Official Apache releases may be accompanied by a "convenience binary
package" that contains the result of running the build contained in the
source script.  It could bundle third-party jars.

The LICENSE file in the source package may be different from the LICENSE
in the "convenience binary" if the convenience binary contains a bundled
third-party jar.  The LICENSE files must reflect the contents of its
containing package.

>Would it be sufficient to make sure the licenses of all sources comply
>Apache policy in this case? Do I need to check transitive deps in this

You must chase down transitive deps in the package.  If the source package
doesn't contain any non-ASF code then there isn't anything to chase for
the source package.  If the binary does contain third-party jars, then you
have to chase transitive deps on those jars.



View raw message