Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

jruby-complete has incorrect license in META-INF #3199

Closed
busbey opened this issue Jul 30, 2015 · 11 comments
Closed

jruby-complete has incorrect license in META-INF #3199

busbey opened this issue Jul 30, 2015 · 11 comments
Milestone

Comments

@busbey
Copy link
Contributor

busbey commented Jul 30, 2015

the jruby-complete-9.0.0.0.jar file has META-INF/LICENSE.txt and META-INF/NOTICE.txt that don't line up with the jruby licensing.

It looks like we're not bundling our COPYING and associated licensing files in our jars. Additionally, the complete jar doesn't filter the files included from our dependencies, so we end up with the license and notice from joda-time. For downstream folks that rely on inspecting these files or aggregating them, we inappropriately appear to be ASLv2 licensed.

We should filter out LICENSE(.txt)? and NOTICE(.txt)? from our shading and put COPYING, LICENSE.RUBY, and LEGAL in META-INF.

@headius
Copy link
Member

headius commented Aug 1, 2015

@busbey Sounds like you know what we need to do...wanna put together a PR?

@busbey
Copy link
Contributor Author

busbey commented Aug 1, 2015

Sure, I can do that.
On Aug 1, 2015 11:02 AM, "Charles Oliver Nutter" notifications@github.com
wrote:

@busbey https://github.com/busbey Sounds like you know what we need to
do...wanna put together a PR?


Reply to this email directly or view it on GitHub
#3199 (comment).

@busbey
Copy link
Contributor Author

busbey commented Aug 2, 2015

ugh. min maven version at 3.3 means I'll need an upgrade. gotta wrap up some things before I risk a maven upgrade.

sorry for the delay.

@mkristian
Copy link
Member

you always can use ./mvnw from the root directory then you do not need to
install any updated maven.

On Sun, Aug 2, 2015 at 7:13 AM, Sean Busbey notifications@github.com
wrote:

ugh. min maven version at 3.3 means I'll need an upgrade. gotta wrap up
some things before I risk a maven upgrade.

sorry for the delay.


Reply to this email directly or view it on GitHub
#3199 (comment).

@jlovejoy
Copy link

has this been resolved? I was about to log a similar issue - where the download here http://jruby.org/files/downloads/1.7.21/index.html only has LICENSE.txt file with Apache-2.0 in META-INF and no other license info I could find - leading one to think that is the license. However, the corresponding here https://github.com/jruby/jruby lists the disjunctive EPL/GPL/LGPL as the main license.
Can someone 1) clarify what is the project license for jruby-complete-1.7.21 (and subsequent versions); and 2) preferably update that on the jruby.org download page?

thanks!

@busbey
Copy link
Contributor Author

busbey commented Nov 12, 2015

AFAIK it's still an issue. I haven't had time to take care of it and I'm not sure when I will. I'm happy to help with reviewing if someone else has time to put together a PR.

@slawo-ch
Copy link

slawo-ch commented Sep 8, 2017

Was about to log that too, this is still an issue in jruby-complete-9.1.13.0.jar

jruby-complete-9.1.13.0.jar:/META-INF/License.txt -> apache 2.0 license
jruby-complete-9.1.13.0.jar:/META-INF/COPYING -> triple license EPL/GPL/LGPL
jruby-complete-9.1.13.0.jar:/META-INF/BSDL -> another license file
jruby-complete-9.1.13.0.jar:/META-INF/LICENSE.RUBY -> another license file
jruby-complete-9.1.13.0.jar:/META-INF/LEGAL ->declared obsolete together with a stab at someone named Ola

LEGAL might be a good place for clarifying to users what the Jruby license is, and which other licenses apply due to its relationship to the ruby language, and dependency libraries.

License.txt should definitely contain the Jruby license.

All other license files maybe should be named after what they contain (i.e. apache_2.0_license.txt, ruby_license.txt, etc.) and LEGAL should maybe have an index of reasons why they are there and to which extent they apply.

@headius
Copy link
Member

headius commented Sep 10, 2017

I'm unclear of the damage an incorrect license bundled with a binary might be (as opposed to a source archive), but I agree we should tidy this up. I looks like it's just the wrong set of files getting included. If someone could lookup and clarify the proper/typical way to include license info in a binary jar, that would help move this forward.

If the license info in the source jars is misleading or nonstandard, of course we should fix that immediately.

@mkristian
Copy link
Member

@headius the META-INF files are merge of all the shaded libraries. so that is how this mix come in. this mix should be already there for the regular jruby.jar as we do shade libraries here as well. probably there is way to keep those out of the shaded file. try to look into this (time is limited nowadays).

@mkristian
Copy link
Member

@headius it looks like we can configure to shade-plugin to do something with the licenses - the question is what is wanted ? https://stackoverflow.com/questions/22968266/maven-shade-plugin-and-licenses

@headius
Copy link
Member

headius commented Jul 18, 2020

It appears that @busbey did get us a PR which was merged into 9.1.2.0 in #3839.

I'm making a small additional change to remove this weird LICENSE.txt with CDDL content, but we'll call this one done as of 9.1.2.0.

@headius headius closed this as completed Jul 18, 2020
@headius headius added this to the JRuby 9.1.2.0 milestone Jul 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants