Kotlin / dokka

API documentation engine for Kotlin
https://kotl.in/dokka
Apache License 2.0

Licensing of the analysis-kotlin-descriptors-1.9.0 jar file is very confusing #3178

Open hyandell opened 1 year ago

hyandell commented 1 year ago

Hi Dokka folk, I'm a bit confused.

Describe the bug

I'm looking at the jar for analysis-kotlin-descriptors-1.9.0 and it is not clear what the license is for this file. The META-INF has 6 license related files, but they are clearly flotsam of the build process and there is no indication of which license applies to what, or what the license of the whole is.

Also note that the source jar is empty.

Expected behaviour

That the .jar file identifies the license of the bundled dependencies. A DEPENDENCIES file, SPDX, or CycloneDX would help a lot here.

hyandell commented 1 year ago

Noting that I see a lot more projects in the jar than are covered by pom.xml files in the META-INF. Use of GNU Trove for example is a surprise in a project stating it's Apache-2.0.
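The check described in the two comments above, as an added example that is not part of the original thread or of Dokka's tooling: it lists the license files in a jar, the Maven coordinates declared under META-INF/maven, and the class packages that no bundled pom accounts for. The function names, the groupId-prefix heuristic and the sample jar contents are assumptions made for illustration.

```python
import io
import re
import zipfile
from collections import Counter

LICENSE_RE = re.compile(r"(^|/)(licen[sc]e|notice|copying|dependencies)[^/]*$", re.I)
POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.(?:xml|properties)$")

def _is_prefix(a, b):
    """True if dotted name a equals b or is a parent of b."""
    return a == b or b.startswith(a + ".")

def audit_jar(jar, depth=2):
    """Return (license_files, maven_coords, uncovered_packages) for a jar path or file object."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
    license_files = sorted(n for n in names
                           if LICENSE_RE.search(n) and not n.endswith(".class"))
    coords = sorted({m.groups() for m in map(POM_RE.match, names) if m})
    packages = Counter()
    for n in names:
        parts = n.split("/")[:-1]
        if n.endswith(".class") and parts and parts[0] != "META-INF":
            packages[".".join(parts[:depth])] += 1
    # Heuristic (assumption): a package is accounted for when it shares a
    # dotted prefix with the groupId of some bundled pom.
    uncovered = {p: c for p, c in sorted(packages.items())
                 if not any(_is_prefix(p, g) or _is_prefix(g, p) for g, _ in coords)}
    return license_files, coords, uncovered

def build_sample_jar():
    """Constructed sample jar (not the real Dokka artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ["META-INF/LICENSE", "META-INF/LICENSE.txt", "META-INF/NOTICE",
                     "META-INF/maven/com.example/lib-a/pom.xml",
                     "META-INF/maven/com.example/lib-a/pom.properties",
                     "com/example/liba/A.class", "gnu/trove/Sample.class",
                     "org/other/x/B.class", "org/other/y/C.class"]:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    licenses, coords, uncovered = audit_jar(build_sample_jar())
    print("license files:", licenses)
    print("bundled poms: ", coords)
    print("class packages with no matching pom:", uncovered)
```

Packages reported as uncovered are candidates for manual license review; a shaded dependency can still be correctly licensed without shipping its pom.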

IgnatBeresnev commented 8 months ago

Thank you for bringing it to our attention.

GNU Trove specifically comes from the Kotlin compiler which Dokka uses for analyzing projects, so we can't get rid of it, unfortunately, but it is a problem. There are plans to stop using it in Kotlin's compiler itself (I asked the compiler team about it), so I'll keep an eye out and post the updates here.

Even if the usage of GNU Trove is removed, we should address licensing questions and inconsistencies as part of this issue for sure.

hyandell commented 3 weeks ago

Just saying hi on this one to make sure it isn't forgotten :)