[MNG-6771] Fix license issues on binary distribution - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.6.2
Fix Version/s: 3.6.3
Component/s: General
Labels:
- licenses

Description

Please feel free to adjust the priority, however http://www.apache.org/legal/release-policy.html#licensing says that license clearance is a must, thus I report this as a Blocker.

Every ASF release MUST comply with ASF licensing policy. This requirement is of utmost importance

I downloaded apache-maven-3.6.2-bin.zip, and I see the following issues with it (note: there might be more):

1) jcl-over-slf4j:1.7.25

in apache-maven-3.6.2/LICENSE:

JCL 1.2 implemented over SLF4J (http://www.slf4j.org) org.slf4j:jcl-over-slf4j:jar:1.7.25
License: MIT License (MIT) http://www.opensource.org/licenses/mit-license.php (lib/jcl-over-slf4j.license)

The license for the artifact is most likely Apache 2.0 rather than MIT: https://github.com/qos-ch/slf4j/tree/master/jcl-over-slf4j

2) slf4j-api:1.7.25

in apache-maven-3.6.2/LICENSE:

SLF4J API Module (http://www.slf4j.org) org.slf4j:slf4j-api:jar:1.7.25
License: MIT License (MIT) http://www.opensource.org/licenses/mit-license.php (lib/slf4j-api.license)

Maven does not comply with SLF4j license.
Here's license for SLF4j: https://www.slf4j.org/license.html
It requires to include slf4j copyright notice, however, Maven fails to do that

3) MIT license

http://www.opensource.org/licenses/mit-license.php must not be used as it almost never points to a true license. It is extremely unlucky that someone would copyright their work as "Copyright (c) <year> <copyright holders>"

4) org.eclipse.sisu.inject:0.3.3

in apache-maven-3.6.2/LICENSE:

org.eclipse.sisu.inject (http://www.eclipse.org/sisu/org.eclipse.sisu.inject/) org.eclipse.sisu:org.eclipse.sisu.inject:eclipse-plugin:0.3.3
License: Eclipse Public License, Version 1.0 (EPL-1.0) http://www.eclipse.org/legal/epl-v10.html (lib/org.eclipse.sisu.inject.license)

The link to eclipse.org/sisu responds with 404.

sisu might have their own copyright notices that should be retained, however Maven re-distributes none of them (org.eclipse.sisu.inject.site-0.3.3.zip has notice.html file which is not present in Maven re-distribution)

5) ASM in org.eclipse.sisu.inject-0.3.3.jar

lib/org.eclipse.sisu.inject-0.3.3.jar bundles ASM. ASM is MIT licensed, thus every re-distribution MUST retain ASM copyright notice.
Maven re-distributes ASM and fails to comply with ASM license.

6) jsoup in wagon-http-3.3.3-shaded.jar

lib/wagon-http-3.3.3-shaded.jar bundles jsoup (https://jsoup.org/license) which is MIT-licensed. Maven fails to comply with jsoup license.

Attachments

Issue Links

depends upon

MNG-6549 Remove unused transitive dependencies of Guava

Closed

relates to

MNG-6480 Eclipse.org site is down, and you are unable to build Maven?

Closed

links to

GitHub Pull Request #297

Sub-Tasks

1.	fix jcl-over-slf4j license: Apache 2.0 instead of MIT	Closed	Herve Boutemy
2.	fix slf4j-api license included	Closed	Unassigned
3.	fix org.eclipse.sisu.inject license	Closed	Unassigned
4.	add ASM license as ASM is included in sisu-inject	Closed	Unassigned
5.	add jsoup license as jsoup is included in wagon-http-shaded	Closed	Unassigned

Activity

People

Assignee:: Enrico Olivelli

Reporter:: Vladimir Sitnikov

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 01/Oct/19 13:34

Updated:: 28/Mar/20 23:17

Resolved:: 18/Nov/19 10:41

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m

Include sub-tasks