Uploaded image for project: 'Maven'
  1. Maven
  2. MNG-6771

Fix license issues on binary distribution

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 3.6.2
    • 3.6.3
    • General

    Description

      Please feel free to adjust the priority, however http://www.apache.org/legal/release-policy.html#licensing says that license clearance is a must, thus I report this as a Blocker.

      Every ASF release MUST comply with ASF licensing policy. This requirement is of utmost importance

      I downloaded apache-maven-3.6.2-bin.zip, and I see the following issues with it (note: there might be more):

      1) jcl-over-slf4j:1.7.25

      in apache-maven-3.6.2/LICENSE:

      The license for the artifact is most likely Apache 2.0 rather than MIT: https://github.com/qos-ch/slf4j/tree/master/jcl-over-slf4j

      2) slf4j-api:1.7.25

      in apache-maven-3.6.2/LICENSE:

      Maven does not comply with SLF4j license.
      Here's license for SLF4j: https://www.slf4j.org/license.html
      It requires to include slf4j copyright notice, however, Maven fails to do that

      3) MIT license

      http://www.opensource.org/licenses/mit-license.php must not be used as it almost never points to a true license. It is extremely unlucky that someone would copyright their work as "Copyright (c) <year> <copyright holders>"

      4) org.eclipse.sisu.inject:0.3.3

      in apache-maven-3.6.2/LICENSE:

      The link to eclipse.org/sisu responds with 404.

      sisu might have their own copyright notices that should be retained, however Maven re-distributes none of them (org.eclipse.sisu.inject.site-0.3.3.zip has notice.html file which is not present in Maven re-distribution)

      5) ASM in org.eclipse.sisu.inject-0.3.3.jar

      lib/org.eclipse.sisu.inject-0.3.3.jar bundles ASM. ASM is MIT licensed, thus every re-distribution MUST retain ASM copyright notice.
      Maven re-distributes ASM and fails to comply with ASM license.

      6) jsoup in wagon-http-3.3.3-shaded.jar

      lib/wagon-http-3.3.3-shaded.jar bundles jsoup (https://jsoup.org/license) which is MIT-licensed. Maven fails to comply with jsoup license.

      Attachments

        Issue Links

          There are no Sub-Tasks for this issue.

          Activity

            People

              eolivelli Enrico Olivelli
              vladimirsitnikov Vladimir Sitnikov
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 20m
                  20m