...

All bundled dependencies must be listed in NOTICE, grouped by license type, using standard maven syntax (groupId:artifactId:[classifier:]version).

  • This DOES include ASLv2 dependencies (for maintainability reasons, as it simplifies matching of entries in the dependency-tree and NOTICE files)

    Example:

    flink-mesos
    Copyright 2014-2018 The Apache Software Foundation

    This product includes software developed at
    The Apache Software Foundation (http://www.apache.org/).

    This project bundles the following dependencies under the Apache Software License 2.0. (http://www.apache.org/licenses/LICENSE-2.0.txt)

    - com.netflix.fenzo:fenzo-core:0.10.1
    - org.apache.mesos:mesos:1.0.1
    - com.fasterxml.jackson.core:jackson-annotations:2.4.0
    - com.fasterxml.jackson.core:jackson-core:2.4.5
    - com.fasterxml.jackson.core:jackson-databind:2.4.5

    This project bundles the following dependencies under the BSD license.
    See bundled license files for details.

    - com.google.protobuf:protobuf-java:2.6.2



...

Attention: flink-dist bundles various Flink modules and their transitive dependencies. Any transitive dependency pulled in this way that is not already included (and thus accounted for!) in a bundled Flink module MUST be accounted for in flink-dist.


FAQ: What does all this mean in practice?

I'm changing a Flink dependency, what do I need to do with the LICENSE and NOTICE files?

  • If you are adding a new dependency, make sure it is licensed in category A or B [3][4]
  • If you are modifying an existing dependency, make sure the license of the dependency is still the same
  • Everything below applies to the changed dependency version AND new or updated transitive dependencies
    • If you are changing a dependency in a module that does not release a "fat jar" / shaded jar to Maven central, there are no additional checks needed for that module. Downstream modules (such as flink-dist) might still have version changes that need attention.
    • If the module is releasing a shaded jar, you need to update the src/main/resources/META-INF/NOTICE file: run Maven and check the output of the shade plugin. For each "Including groupId:artifactId:.. into shaded jar" line, there needs to be an entry in this file (see details above!)
      • Group dependencies by license
      • Mention the version
      • Only include dependencies in the NOTICE file that are really there.
      • Using "mvn dependency:tree" or "mvn project-info-reports:dependencies" (see "target/site/dependencies.html" of that module) is a best practice for analyzing a module's dependencies
    • If your module is bundled in flink-dist (or some other binary), the same rules as for shaded jars apply.


I'm copying code from another project, StackOverflow or somewhere else. What do I need to do?

Make sure it is licensed with a category A license [3], and add a comment in the code noting that it was copied from elsewhere. Also specifically ask for a review of this in the pull request.
You cannot copy code from StackOverflow or the internet into Apache Flink.


I'm verifying a Flink release. What do I need to do?

  • You need to ensure that all source and binaries that Flink distributes have been developed by Flink or under a compatible license, and that we are fulfilling all requirements of these licenses. It is impractical to manually check all dependencies, code and binaries for every release.
  • We recommend:
    • Checking all pom.xml changes between the release candidate and the last release, and then checking whether the NOTICE files have been updated where shading makes that necessary
    • Checking the NOTICE file contents if possible. For a specific module whose dependencies have changed in this release:
      • Run "mvn package -DskipTests -pl <module> | grep -i Including" to filter the shade plugin output down to the lines reporting what goes into the shaded jar (the unfiltered output also contains lines like "[INFO] Excluding commons-codec:commons-codec:jar:1.15 from the shaded jar." for dependencies that are not bundled).
      • From that output you get the list of dependencies that are shaded in. For each dependency, the license is sometimes declared in its pom.xml, which you can find in the local Maven repository for the given dependency. If it is not declared there, you can always look up the license type in a Maven repository index such as https://mvnrepository.com/artifact/com.google.api-client/google-api-client-jackson2/1.32.2
    • Checking all (or a sample of) jars in the staging repository and Flink distribution: Are shaded or bundled jars mentioned in the NOTICE file?
      • check using "jar tf <jar file> | grep" or "jar tf <jar file> | less"
    • Checking all (or a sample of, or changes of) non-Java-source-code files (such as build setup, documentation, javascript, ...).
      • Their license needs to be mentioned properly
      • Requirements from their licenses need to be fulfilled (NOTICE file forwards, copyright owner mentions, ...)
      • We need to make sure we did everything correctly with copied code
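The two checks above (the shade-plugin "Including ..." lines versus the NOTICE entries when changing a dependency, and the "jar tf" listing versus the NOTICE entries when verifying a release) can be scripted. The following is an added example written for this page; it is not tooling from the Flink project. It assumes the maven-shade-plugin wording "Including groupId:artifactId:type[:classifier]:version in the shaded jar." (matched loosely, "in" or "into"), that NOTICE sections start with "This project bundles the following dependencies under ..." as in the example above, and that the shaded jar still carries the bundled dependencies' META-INF/maven/<groupId>/<artifactId>/pom.properties files. All build output, the NOTICE file and the jar listing below are constructed samples.

```python
import re
import sys
from typing import Dict, Set, Tuple

# Constructed sample of maven-shade-plugin output (not real build output).
SHADE_OUTPUT = """\
[INFO] --- maven-shade-plugin:3.1.1:shade (shade-flink) @ flink-mesos ---
[INFO] Including com.netflix.fenzo:fenzo-core:jar:0.10.1 in the shaded jar.
[INFO] Including org.apache.mesos:mesos:jar:1.0.1 in the shaded jar.
[INFO] Including com.fasterxml.jackson.core:jackson-core:jar:2.4.5 in the shaded jar.
[INFO] Including com.google.protobuf:protobuf-java:jar:2.6.2 in the shaded jar.
[INFO] Including org.example:native-lib:jar:linux-x86_64:1.2.0 in the shaded jar.
[INFO] Excluding commons-codec:commons-codec:jar:1.15 from the shaded jar.
"""

# Constructed NOTICE file in the format described above (entries grouped by
# license, "- groupId:artifactId:[classifier:]version"). It deliberately lists
# jackson-core with a stale version and jackson-databind which is not bundled.
NOTICE_TEXT = """\
flink-mesos
Copyright 2014-2018 The Apache Software Foundation

This project bundles the following dependencies under the Apache Software License 2.0. (http://www.apache.org/licenses/LICENSE-2.0.txt)

- com.netflix.fenzo:fenzo-core:0.10.1
- org.apache.mesos:mesos:1.0.1
- com.fasterxml.jackson.core:jackson-core:2.4.0
- com.fasterxml.jackson.core:jackson-databind:2.4.5

This project bundles the following dependencies under the BSD license.
See bundled license files for details.

- com.google.protobuf:protobuf-java:2.6.2
- org.example:native-lib:linux-x86_64:1.2.0
"""

# Constructed "jar tf" listing of a shaded jar (hypothetical content).
JAR_LISTING = """\
META-INF/MANIFEST.MF
META-INF/NOTICE
META-INF/maven/org.apache.flink/flink-mesos/pom.properties
META-INF/maven/com.netflix.fenzo/fenzo-core/pom.properties
META-INF/maven/com.fasterxml.jackson.core/jackson-annotations/pom.properties
org/apache/flink/mesos/SomeClass.class
"""

INCLUDING_RE = re.compile(r"Including (\S+) (?:in|into) the shaded jar")
NOTICE_ENTRY_RE = re.compile(r"^\s*-\s+(\S+)\s*$")
JAR_POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def shaded_coordinate_to_notice_key(coord: str) -> str:
    """Turn 'g:a:type[:classifier]:version' into the NOTICE form 'g:a:[classifier:]version'."""
    parts = coord.split(":")
    if len(parts) == 4:
        group, artifact, _type, version = parts
        return f"{group}:{artifact}:{version}"
    if len(parts) == 5:
        group, artifact, _type, classifier, version = parts
        return f"{group}:{artifact}:{classifier}:{version}"
    raise ValueError(f"unexpected coordinate format: {coord}")


def shaded_dependencies(shade_output: str) -> Set[str]:
    """Collect every dependency the shade plugin reports as bundled."""
    return {shaded_coordinate_to_notice_key(m.group(1))
            for line in shade_output.splitlines()
            if (m := INCLUDING_RE.search(line))}


def notice_dependencies(notice_text: str) -> Dict[str, str]:
    """Map each NOTICE entry to the license section heading it appears under."""
    entries, section = {}, None
    for line in notice_text.splitlines():
        if line.startswith("This project bundles"):
            section = line.strip()
        m = NOTICE_ENTRY_RE.match(line)
        if m and section:
            entries[m.group(1)] = section
    return entries


def compare_shade_output(shade_output: str, notice_text: str) -> Tuple[Set[str], Set[str]]:
    """Return (bundled but missing from NOTICE, listed in NOTICE but not bundled)."""
    shaded = shaded_dependencies(shade_output)
    listed = set(notice_dependencies(notice_text))
    return shaded - listed, listed - shaded


def version_mismatches(missing: Set[str], stale: Set[str]) -> Dict[str, str]:
    """Pair a missing entry with a stale one for the same artifact: a version bump not reflected in NOTICE."""
    artifact = lambda key: ":".join(key.split(":")[:2])
    stale_by_artifact = {artifact(k): k for k in stale}
    return {m: stale_by_artifact[artifact(m)] for m in missing if artifact(m) in stale_by_artifact}


def artifacts_in_jar(jar_tf_output: str, own_artifact: str) -> Set[str]:
    """Extract 'g:a' for every bundled pom.properties in a 'jar tf' listing, skipping the module itself."""
    found = {f"{m.group(1)}:{m.group(2)}" for line in jar_tf_output.splitlines()
             if (m := JAR_POM_RE.match(line.strip()))}
    return found - {own_artifact}


def unlisted_in_notice(bundled_artifacts: Set[str], notice_text: str) -> Set[str]:
    """Bundled artifacts with no NOTICE entry at any version."""
    listed = {":".join(k.split(":")[:2]) for k in notice_dependencies(notice_text)}
    return bundled_artifacts - listed


if __name__ == "__main__":
    # Usage: python check_notice.py [<mvn output file> <NOTICE file>]; defaults to the samples.
    shade, notice = (open(sys.argv[1]).read(), open(sys.argv[2]).read()) if len(sys.argv) == 3 \
        else (SHADE_OUTPUT, NOTICE_TEXT)
    missing, stale = compare_shade_output(shade, notice)
    print("bundled but not in NOTICE:", sorted(missing))
    print("in NOTICE but not bundled:", sorted(stale))
    print("version mismatches:", version_mismatches(missing, stale))
    print("in jar but not in NOTICE:",
          sorted(unlisted_in_notice(artifacts_in_jar(JAR_LISTING, "org.apache.flink:flink-mesos"), notice)))
```

The first comparison is exact on version (and classifier) because the NOTICE format includes them; the jar-listing check only compares groupId:artifactId, since the path under META-INF/maven does not carry the version, so treat it as a coarse "is this even mentioned" pass and rely on the shade output for versions.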

[1] http://apache.org/legal/src-headers.html#headers
[2] http://apache.org/legal/src-headers.html#3party
[3] http://www.apache.org/legal/resolved.html#category-a
[4] http://www.apache.org/legal/resolved.html#category-b