vlsi-release-plugins
[license-gather-plugin] Ability to handle multiple licensed artefacts
I noticed that some dependencies were not in the output, because it happens they are dual licensed.
EDIT: Actually, it may be (partly) working as some dependencies are in the report but not all of those that are ignored due to multiple licenses in Bundle-License.
> LICENSE-like files are missing
==============================
BSD-3-Clause
* org.pushing-pixels:radiance-animation:6.0.1
MIT
* com.github.scribejava:scribejava-core:8.3.1
* com.github.scribejava:scribejava-java8:8.3.1
* org.brotli:dec:0.1.2
Apache-2.0 AND LGPL 2.1 (http://www.gnu.org/licenses/lgpl-2.1.html) AND MPL-1.1
* org.javassist:javassist:3.25.0-GA
EPL-2.0 AND GPL2 w/ CPE (https://www.gnu.org/software/classpath/license.html)
* org.glassfish.hk2:osgi-resource-locator:1.0.3
I discovered this by adding `--info`:
Ignoring Bundle-License 'http://www.eclipse.org/legal/epl-2.0, https://www.gnu.org/software/classpath/license.html, http://www.apache.org/licenses/LICENSE-2.0.html' in /Users/brice.dutheil/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.media/jersey-media-json-jackson/3.0.4/cad1796630c5c79decde3f9dc2205bd95093aee5/jersey-media-json-jackson-3.0.4.jar since it contains multiple license references
Looking at the jar itself, we see that:

`jersey-media-json-jackson-3.0.4.jar!/META-INF/MANIFEST.MF`:

```
Bundle-License: http://www.eclipse.org/legal/epl-2.0, https://www.gnu.
 org/software/classpath/license.html, http://www.apache.org/licenses/L
 ICENSE-2.0.html
```

`jersey-media-json-jackson-3.0.4.jar!/META-INF/LICENSE.md`:

```
# Eclipse Public License - v 2.0

THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE
---
## The GNU General Public License (GPL) Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
...
---
## CLASSPATH EXCEPTION

Linking this library statically or dynamically with other modules is ...
```

The most interesting details seem to come from the pom `licenses` element.

`jersey-media-json-jackson-3.0.4.jar!/META-INF/maven/org.glassfish.jersey.media/jersey-media-json-jackson/pom.xml`:

```xml
<licenses>
  <license>
    <name>EPL 2.0</name>
    <url>http://www.eclipse.org/legal/epl-2.0</url>
    <distribution>repo</distribution>
    <comments>Except for Guava, JSR-166 files, Dropwizard Monitoring inspired classes, ASM and Jackson JAX-RS Providers. See also https://github.com/eclipse-ee4j/jersey/blob/master/NOTICE.md</comments>
  </license>
  <license>
    <name>The GNU General Public License (GPL), Version 2, With Classpath Exception</name>
    <url>https://www.gnu.org/software/classpath/license.html</url>
    <distribution>repo</distribution>
    <comments>Except for Jackson JAX-RS Providers. See also https://github.com/jersey/jersey/blob/master/NOTICE.md</comments>
  </license>
  <license>
    <name>Apache License, 2.0</name>
    <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
    <distribution>repo</distribution>
    <comments>Jackson JAX-RS Providers @ org.glassfish.jersey.jackson.internal.jackson.jaxrs</comments>
  </license>
</licenses>
```
I'm not sure how to handle these cases, but this seems legitimate, in particular if the artifact has shadowed dependencies or if it's simply a fatjar.
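The inspection above can be reproduced with a short script. What follows is an added example, not code from the original post or from the license-gather plugin. The jar it inspects is constructed in memory from a manifest and pom modelled on the jersey-media-json-jackson metadata quoted above (pom comments abbreviated). It unwraps the 72-byte manifest continuation lines (which is exactly what the `gnu. org` and `L ICENSE` breaks in the pasted manifest are), treats a comma-separated `Bundle-License` with more than one entry as ambiguous, in the spirit of the "multiple license references" message above, recognises an SPDX expression as the machine-readable alternative, and pulls the per-package scope out of the pom's `<comments>`. The status names are the script's own.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample metadata modelled on jersey-media-json-jackson 3.0.4.
# The manifest wraps Bundle-License at 72 bytes, as the JAR spec requires,
# so each URL continues on a following line that starts with one space.
MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Bundle-License: http://www.eclipse.org/legal/epl-2.0, https://www.gnu.\r\n"
    " org/software/classpath/license.html, http://www.apache.org/licenses/L\r\n"
    " ICENSE-2.0.html\r\n"
    "\r\n"
)
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>jersey-media-json-jackson</artifactId>
  <licenses>
    <license>
      <name>EPL 2.0</name>
      <url>http://www.eclipse.org/legal/epl-2.0</url>
      <comments>Except for Guava, JSR-166 files, ASM and Jackson JAX-RS Providers.</comments>
    </license>
    <license>
      <name>The GNU General Public License (GPL), Version 2, With Classpath Exception</name>
      <url>https://www.gnu.org/software/classpath/license.html</url>
      <comments>Except for Jackson JAX-RS Providers.</comments>
    </license>
    <license>
      <name>Apache License, 2.0</name>
      <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
      <comments>Jackson JAX-RS Providers @ org.glassfish.jersey.jackson.internal.jackson.jaxrs</comments>
    </license>
  </licenses>
</project>
"""
POM_PATH = "META-INF/maven/org.glassfish.jersey.media/jersey-media-json-jackson/pom.xml"
SPDX_OPERATOR = re.compile(r"\b(AND|OR|WITH)\b")


def build_sample_jar() -> bytes:
    """Write the constructed manifest and pom into an in-memory jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", MANIFEST)
        zf.writestr(POM_PATH, POM)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse the main section of a MANIFEST.MF, joining wrapped continuation lines."""
    headers, current = {}, None
    for line in text.splitlines():
        if line == "":
            break  # a blank line ends the main section
        if line.startswith(" "):
            if current is not None:
                headers[current] += line[1:]  # continuation: drop the leading space
            continue
        name, _, value = line.partition(":")
        current = name
        headers[name] = value.strip()
    return headers


def analyze_bundle_license(value: str) -> dict:
    """Classify a Bundle-License value; entries are comma separated, ';' starts params."""
    refs = [e.split(";")[0].strip() for e in value.split(",") if e.strip()]
    if not refs:
        status = "missing"
    elif len(refs) == 1 and SPDX_OPERATOR.search(refs[0]):
        status = "spdx-expression"  # e.g. 'EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0'
    elif len(refs) == 1:
        status = "single"
    else:
        status = "multiple"  # AND? OR? per package? cannot be resolved automatically
    return {"references": refs, "status": status}


def pom_licenses(xml_text: str) -> list:
    """Return (name, url, comments) for each <license> in a pom, ignoring the namespace."""
    out = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] == "license":
            f = {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
            out.append((f.get("name", ""), f.get("url", ""), f.get("comments", "")))
    return out


def inspect_jar(jar_bytes: bytes) -> dict:
    """Combine manifest and embedded-pom evidence for one artifact."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        poms = [n for n in zf.namelist() if n.startswith("META-INF/maven/") and n.endswith("/pom.xml")]
        licenses = pom_licenses(zf.read(poms[0]).decode("utf-8")) if poms else []
    result = analyze_bundle_license(manifest.get("Bundle-License", ""))
    result["pom_licenses"] = licenses
    return result


if __name__ == "__main__":
    r = inspect_jar(build_sample_jar())
    print(r["status"], *r["references"], sep="\n  ")
    for name, url, comments in r["pom_licenses"]:
        print(f"{name} <{url}>: {comments}")
```

Pointing `inspect_jar` at the bytes of a real jar from the Gradle cache works the same way; the "multiple" status is the case that needs a human to decide whether the licenses are conjunctive, disjunctive, or apply to different packages, and the pom comments are usually the only place that says which.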
Does https://github.com/vlsi/vlsi-release-plugins/issues/50#issuecomment-1010731908 cover your case?
Frankly speaking, there's no way to automatically resolve cases where the developer lists multiple licenses.
It would be awesome if they used SPDX license expressions in Bundle-License; however, they rarely do so.
In the non-trivial cases, I do the following:
a) Approach projects to update their MANIFEST, pom.xml, etc. For instance, here's the list of issues I created when adding license verification to JMeter: https://github.com/apache/jmeter/pull/469#issuecomment-502834212
b) Use overrideLicense to clarify the actual meaning. For instance, it detected EPL-2.0 AND GPL2 w/ CPE, and most likely the actual license is EPL-2.0 OR GPL2-or-later with Classpath-Exception. If that is the case, you could add the relevant override.
I might start collecting a set of well-known resolution cases (e.g. I have resolution history in JMeter: https://github.com/apache/jmeter/blob/da6efde33eb80751eff1f778d63b67e4f9bcd652/src/licenses/build.gradle.kts#L72 ) However, I have not explored that yet.