-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please bundle LICENSE/NOTICE files in the produced jar files #38
Comments
@wrandelshofer this is due to a bug in the Jackson build and jackson team will fix that in the next Jackson release - see FasterXML/jackson-core#999 |
I did not notice jackson-core shades fastdoubleparser. |
@pjfanning I have licensed FastDoubleParser to Jackson-Core with Apache 2.0 License here: Therefore, Jackson-Core does not need to include an MIT License in their distro. |
I have done now the following changes:
|
Consider adding |
@pjfanning Does Jackson-Core really shadow FastDoubleParser? It would be better to pull them into the JacksonCore namespace. Shading of packages from another Java Module is not allowed in Java Modules. |
Here's 2.15.0:
|
So, it is not shadowing FastDoubleParser. Copying the code this way is a good thing in terms of security. JacksonCore has vetted a specific revision of FastDoubleParser and made it their own. This removes one vector of supply chain attacks. |
@cowtowncoder prefers not to have non-Jackson dependencies - that's why we bundle the code in jackson-core. The package names are changed as part of this bundling. |
Frankly speaking, the whole story of custom licensing FastDoubleParser to Jackson-core is really moot to me. Apparently, the current Jackson-core code does not have files like In other words, they just select current code of So did you explicitly mention that you license all versions of What happens to the people who do custom builds of jackson (e.g. if they maintain forks). Does that mean your grant of using fastdoubleparser in jackson-core under Apache-2.0 automatically means everyone who forks jackson could use fastdoubleparser under AL-2.0? Frankly speaking, it is extremely moot. |
@vlsi Yes, they automatically use AL-2.0. @pjfanning Consider replacing the FastDoubleParser file headers with the jackson-core file headers, and generating the References-Javadoc comment, as I had proposed in FasterXML/jackson-core#577 (comment). So that it is clear to everyone that these files are under the same license as jackson-core. |
In a nutshell, the current story of FastDoubleParser-Jackson is really fragile, and it is unclear what are the licensing implications for those who perform custom build of jackson-core. @pjfanning , I would suggest you follow the general licensing rules. For instance, shade the code based on the MIT license, and include the license text accordingly into jackson-core. An alternative option would be figuring out what are the implications for the users who build jackson-core from source. For instance, if everyone who builds jackson-core from source must include MIT license from fastdoubleparser or ask @wrandelshofer , then it is something that is extremely important in licensing notice of jackson-core. Taking jackson-core popularity into account, it would be really great to have regular licensing information rather than a custom agreement between fastdoubleparser and jackson developers. |
@wrandelshofer , jackson-core does not use source-form of fastdoubleparser. I would suggest avoid such license customizations as it inevitably requires lawyer analysis. It would be much easier if: |
If there is any confusion, then it is only in Jackson-Core. It is not in this project. Right? I mean, I licensed this project to Jackson-Core under AL-2.0, therefore Jackson-Core clearly has the right to redistribute it and make derivations under term 4 "Redistribution" of AL-2.0. And this is clearly perpetual, see term 2 of AL-2.0. |
Can you put the information to FastDoubleParser license ?
The license applies to each release individually. The perpetual in AL-2.0 means you have a perpetual terms on a specific package. Basically, if you mean that you grant the use of FDP to Jackson-Core, then it is de-facto a license term in FDP which you'd better put in the license explicitly. However, such customization for a single project would look really odd as it would produce a new license that will have to be analyzed by the lawyers. |
MIT license is Category A according to https://www.apache.org/legal/resolved.html - it is ok to include the code from Category A licenses. We can certainly do better in jackson-core but I think adding something to the NOTICE file acknowledging that the shaded code is MIT licensed and copyrighted is enough. |
@pjfanning we do not include fastdoubleparser directly in JMeter, and we include it through jackson-core that shades FDP at the build time. The license implications in jackson-core are moot. |
Would you please follow regular approach for shading dependencies in jackson-core instead of negotiating jackson-specific license terms for FDP? As jackson-core user, I would like to see proper licensing info on all the embedded packages. |
I'm involved in ASF projects and have dealt with ASF legal. I do not know where you are coming from - if you have a suggestion, do a PR and we can consider it. What is the regular approach? #38 (comment) points are basically directed at @wrandelshofer - I have little control over what Werner puts in his license files. Plenty of ASF projects shade code from non-Apache licensed sources and I see none of this hullabaloo on those projects. |
I'm from Apache JMeter project, I'm a member of PMC for JMeter, so a part of my duty is to keep licensing for JMeter clear.
Follow the official licensing terms instead of custom agreements written in GitHub comments. See FasterXML/jackson-core#1002 At the same time, it would be nice if FDP could be relicensed under Apache-2.0 for everybody. That is not really required, and MIT license works just fine. However, Apache-2.0 is designed better, so there's no real reason to use MIT nowadays. |
I have now added a description to the README file, that states how this project can be licensed under Apache 2.0 License terms. Lines 14 to 26 in 23cfaf3
If someone uses the FastDoubleParser distro, the license is MIT. If someone needs it under another license, they have the possibility to do this at the source level, and they have to update the copyright notice in the file. So that no confusion can arise. @vlsi What do you think? |
MIT and Apache licenses are compatible. It's probably easier and less confusing if jackson uses FastDoubleParser code under standard MIT license and properly notes this in its docs and jar contents. |
I have done the following now:
What do you think?
|
That is great. Extra bonus point goes for using permalink for the license file in
Is there a specific reason why you require copy-pasting the sources for licensing under Apache 2.0? I would suggest one of the two: |
I was just trying to be helpful. You are right - they are free to just copy a few binary files. Thank you for always providing goal-oriented proposals. This is helpful, really! 🙂 a) I already have to mention Apache 2.0 because there is some Apache 2.0 code in the project repository. That code is not part of the deployed artefacts. |
That is yet another point for including the license in relevant archive files as each jar file might happen to include files under different licenses.
Frankly speaking, I would suggest refraining from overcomplicating licensing unless there's a justified demand. For instance, In other words, stick with MIT until somebody suggests a good reason for dual-licensing or whatever. |
I agree. We do not deploy FastDoubleParser artefacts with these files.
I agree. We do not deploy FastDoubleParser multi-license artefacts.
The way jackson-core was released, is legally sound. If you look at the artefacts that they published on mvncentral. Then all of that is under Apache 2.0. If they had copied the source from FastDoubleParser and changed the copyright notice in the file headers, as I had proposed, you would not be confused about it. |
It appears that it was not legally sound. 🙃 I have now changed the build scripts, so that Jar files contain the additional license files, that are required by the third-party code, that we use in this project. |
I have now added a NOTICE file to this project. The NOTICE file will be included in the META-INF folder of all Jar files, that we deploy. |
LICENSE and NOTICE files are now bundled in Release v0.9.0 of FastDoubleParser. |
Technically speaking, if
|
I don't understand. You stated that I can have a canonical license.
This texts, says 'give' and not 'include'. Therefore, I can 'give' other recipients the license, by providing the link to the canonical license. |
The canonical text would mean that you could have, well, a canonical text that is the same for all Apache-2.0 licensed projects. I have never said you won't be required to include AL-2.0 text.
The text says 'copy'. I doubt a link that might easily die qualifies as a copy. |
You can not claim that the license text is precise and that it is not precise at the same time. 4.(a) says 'give' for the license. So we 'give' the license. If they would have wanted me to include the license, they would have written so.
We did not give a link that might easily die. We did provide perma-links. |
They said 'copy', and a link is definitely not a 'copy'.
If you hate Apache-2.0 license, you always have an option to stop redistributing Apache-2.0-licensed dependencies.
The author could drop the repository (see leftpad in npmjs). Those are only a few cases when your "perma-link" will stop working. |
This is false. If you click at the link, you indeed get a copy of the license. If this is your argument, you could also argue that including the notice in the META-INF folder of a compresseed Zip file is definitely not a 'readable copy'. It can only be accessed with special tools. A separate text file would be more 'readily' available. But the license does not oblige us to do so. So, we do not do it.
This does not matter.
This is a federated repository. If the author drops it, there still exist many copies of the repository. |
If GitHub bans author or repository, then the link and all copies would easily become unavailable. It has happened many times in the past. Noone can guarantee GitHub links will be accessible forever. At the same time, countries might even block access to GitHub. For instance, GitHub is blocked in China. See the opinion of the Apache Software Foundation: https://infra.apache.org/apply-license.html#copy-per-file , https://www.apache.org/legal/src-headers.html#faq-binaries They have FAQ, and they explicitly mention the license text must be included
The canonical Apache-2.0 text is https://www.apache.org/licenses/LICENSE-2.0 It does not depend on individual users. However, there are no guarantees on page availability, so it would still be better copy just in case. |
We do not need to rely on GitHub. From the contents of the link it is easy to access the file. This still satisfies 'give'.
This is not enforceable. The FAQ is not part of the license. We are digressing here. I am closing this issue. |
You ignore that a link is not a copy. The faq is not a part of the license, however, it exists because many people thought the license file can be omitted. |
Please look up the meaning of the word 'give'. I have stated earlier in this thread, that I believe that it is impossible to construct a claim for this. If they made the FAQ, because many people thought that the license file can be omitted, then it must not have been an issue for them. If it would have been an issue, they would have made a new version of the license. No? |
I see that fast_float distributes its code in a single header file. Here: It only contains these lines from the Apache License:
What do you think? |
I have just downloaded Google Guava, and I looked in the guava-31.1-jre.jar and guava-31.1-jre-sources.jar, and neither contains a copy of the Apache License. https://mvnrepository.com/artifact/com.google.guava/guava/31.1-jre I believe, your request about inclusion of the Apache License in the jar file is wishful thinking. 🤔 |
@wrandelshofer , I asked Google Guava to bundle LICENSE, and they did that in google/guava@7d41e19
Just in case, here's the opinion of the Apache Software Foundation: https://issues.apache.org/jira/browse/LEGAL-642
I asked |
@vlsi Can be specific as to the problem you are having or trying to solve? If your legal team has an issue, I am open to a meeting to discuss it. I fail to see a problem with how we release the code in fast_float... https://github.com/fastfloat/fast_float/releases The license is provided in the source package, and there is a nice header in the source header that we provide. I have also checked Apache projects, and they don't appear to include a copy of the license with every artefact. |
@vlsi We are having a circular discussion now. I brought up all my arguments before, and you are bringing up your arguments again.
I have now included all license texts of the licenses that explicitly required to 'include' their text. Of course, it is not forbidden to include the Apache 2 License text. But that is not an obligation from the license.
My argument was, that an FAQ can not add new claims to a license. |
@lemire , please check the very first three sentences in the very first comment (issue description). I was trying to upgrade jackson version in Apache JMeter, and the build failed because jackson listed fastdoubelparser dependency that missed proper licensing.
As I clarified, Apache lawyers say every release must bundle the license https://issues.apache.org/jira/browse/LEGAL-642
@lemire , It is unfair to say "Apache projects fail to comply with the license, so everybody can ignore it".
So it should be quite easy to convince Apache projects to fix licensing issues. I am not involved in all the projects, however, if you find licensing issues in Apache JMeter releases, I would be glad to fix them. I doubt you will find issues with JMeter releases though.
I'm not much into C/C++ development, so I have little idea what people would consider to be a "release of fast_float". For instance, Redis integrated
@wrandelshofer , I am afraid you do not follow what I say. Last week you said "Guava misses LICENSE file in jar, so including the license is not needed": #38 (comment) I just proved that was an issue with Guava releases, and the upcoming releases will bundle LICENSE file just like Google Guice.
You keep saying "wanted 'give' for the license". However, I asked that very same question at https://issues.apache.org/jira/browse/LEGAL-642, and both volunteers and lawyers (Roman Shaposhnik is V.P. Legal Affairs at the ASF: https://apache.org/foundation/#who-runs-the-asf ) say that the intention of the license is that everybody should get a readable copy of the license without any extra Internet access. I do not see why you say "I am going in circles". |
You haven't proved that. My counter-argument was:
Good. Now please lookup the number of meanings for 'include'.
Here, my argument still is: One can not add claims to a contract using an FAQ or Q&A.
It is our arguments that are going in circles. I have no new arguments that I can give to the arguments that you are bringing up. |
Speaking for myself, I am committed to working with any project that wants to use a library I maintain. I will help work through any issues they have, either due to licenses or other issues. |
I am using now code from fast_float under the MIT License instead of the Apache 2.0 License. hth |
I'm upgrading jackson in Apache JMeter, and I found the new jackson version depends on fastdoubleparser.
It turns out fastdoubleparser does not ship with the license, so it is problematic for the consumers.
See apache/jmeter#5831, and the build failure: https://github.com/apache/jmeter/actions/runs/4823397202/jobs/8592678119?pr=5831#step:4:1857
I have created a lot of similar requests, and almost all of them got fixed eventually, see
Dependency with "manual" license configuration
in apache/jmeter#469Current issues
However, please note that there's no canonical MIT license text. Every MIT license is different since the copyright is a part of the license text.
In other words, the line
Copyright (c) 2021 Werner Randelshofer, Switzerland
is a part of the license, and the license text requires thatThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software
It is hard for consumers to comply with the requirement above, especially if fastdoubleparser.jar does not include the license text.
The pom file for fastdoubleparser refers to a different license. See https://repo1.maven.org/maven2/ch/randelshofer/fastdoubleparser/0.8.0/fastdoubleparser-0.8.0.pom
The URL there is http://www.opensource.org/licenses/mit-license.php, which does not mention Werner Randelshofer.
fastdoubleparser.jar
misses reference to the license. There are cases whenfastdoubleparser.jar
appears without the correspondingpom.xml
, so if you considerfastdoubleparser.jar
alone, it is hard to tell what is the license for that artifact.Consider relicensing with Apache-2.0
You might want to consider switching to Apache-2.0 license. It has several advantages for the consumers:
NOTICE
file. In general, it becomes easier to review, since every MIT license is different while every Apache-2.0 is the same.Grant of Patent License
while MIT does not mention patentspom.xml
andMANIFEST.MF
If you absolutely like MIT, you might go with
MIT or Apache-2.0
, however, I'm not sure if you want that complication (as it would be impossible to express inpom.xml
)Fix steps
META-INF/LICENSE
,META-INF/NOTICE
, etc. It would enable consumers to get up-to-date licenses when they depend on fastdoubleparser.pom.xml
to point to the proper license text (e.g. a permalink to GitHub). The current linkhttp://www.opensource.org/licenses/mit-license.php
is invalid as it points to a wrong license text.Bundle-License: Apache-2.0
(orBundle-License: MIT; link=...
) manifest entry (whereApache-2.0
is SPDX identifier, see https://osgi.org/specification/osgi.core/7.0.0/framework.module.html#framework.module-bundle-license )The text was updated successfully, but these errors were encountered: