Source and Javadoc Snapshot Jars are missing LICENSE and NOTICE files

[Claudenw]

LICENSE file should be included in all jars, releases and snapshots. It is currently missing from the SNAPSHOT jars. The change should place the LICENSE in ALL snapshot jars as well a the release jars when they are bult.

[pjfanning]

@Claudenw can you tell us which jar. We have tooling to include LICENSE in jars but maybe this is missing from some places

[pjfanning]

@Claudenw can you look at https://repository.apache.org/content/groups/snapshots/org/apache/pekko/pekko-actor_2.13/0.0.0+26660-7809c783-SNAPSHOT/ - last night's pekko-actor jars?

• Download pekko-actor_2.13-0.0.0+26660-7809c783-SNAPSHOT.jar
• It has these files in the jar

      551  01-01-2000 00:00   META-INF/DISCLAIMER
    12128  01-01-2000 00:00   META-INF/LICENSE
     1732  01-01-2000 00:00   META-INF/NOTICE

[pjfanning]

@mdedetrich we don't include LICENSE, NOTICE, DISCLAIMER in the -sources and -javadoc jars. Is that something that can be changed in sbt-apache-sonatype?

[mdedetrich]

Can we clarify if we need to add them into the -sources and -javadoc jars as well? Both suggestions are highly suspect because they are only meant to contain either Java/Scala sources or generated documentation.

[pjfanning]

I checked some random Apache -sources and -javadoc jars and found that they had LICENSE and NOTICE files. I doubt whether it's universal but it does seem like something that many teams try to support.

• https://repo1.maven.org/maven2/org/apache/spark/spark-core_2.13/
• https://repo1.maven.org/maven2/org/apache/streampark/streampark-common_2.12/

[pjfanning]

I'm not guaranteeing that sbt makes this easy - the sources and javadoc jars are basically generated using black box code and there doesn't appear to be straightforward ways to manipulate them to add extra files.

[mdedetrich]

I checked some random Apache -sources and -javadoc jars and found that they had LICENSE and NOTICE files. I doubt whether it's universal but it does seem like something that many teams try to support.

I checked some other projects like Apache Daffodil and indeed it does seem to be the case. Do we also have to include DISCLAIMER as well?

I'm not guaranteeing that sbt makes this easy - the sources and javadoc jars are basically generated using black box code and there doesn't appear to be straightforward ways to manipulate them to add extra files.

This shouldn't be that difficult. Apache Daffodil uses sbt so I can just check their code

[mdedetrich]

Actually I just checked -javadoc for Apache daffodil and it doesn't contain any license files, -sources is a lot more clear (see https://repo1.maven.org/maven2/org/apache/daffodil/daffodil-core_2.11/2.7.0/daffodil-core_2.11-2.7.0-javadoc.jar for reference).

[pjfanning]

with the DISCLAIMER file, I'm not 100% sure we need that in our jars at all - but since it's easy to extend what we have for adding LICENSE/NOTICE to also add DISCLAIMER - it just seems to be simpler to include it.

We will get dragged over coals for missing files but if we add extra ones, we are less likely to get in trouble.

[mdedetrich]

PR for the -sources package is already up https://github.com/mdedetrich/sbt-apache-sonatype/pull/15

[mdedetrich]

Release for v0.1.8 of sbt-apache-sonatype has been triggered. It should be available/downloadable on Maven in around half an hour. Bumping the version is enough for it to include the files in the -sources package.

[Claudenw]

https://nightlies.apache.org/pekko/snapshots/org/apache/pekko/pekko-cluster_3/0.0.0+26660-7809c783-SNAPSHOT/pekko-cluster_3-0.0.0+26660-7809c783-SNAPSHOT-sources.jar

A snapshot from May 23. Does not have the License file included.

[mdedetrich]

https://nightlies.apache.org/pekko/snapshots/org/apache/pekko/pekko-cluster_3/0.0.0+26660-7809c783-SNAPSHOT/pekko-cluster_3-0.0.0+26660-7809c783-SNAPSHOT-sources.jar

A snapshot from May 23. Does not have the License file included.

Snapshots are published nightly and the fix for this has only been published recently (see https://github.com/apache/incubator-pekko/issues/328#issuecomment-1559262610)

[Claudenw]

I was simply providing a reference to one that was broken.

[mdedetrich]

No worries, I will create a PR to fix this now (the sbt-apache-sonatype fix should be available in maven now).

[pjfanning]

@Claudenw this is partially done now - the sources jars now have LICENSE/NOTICE (the runtime jars already had them).

We don't yet support them on javadoc jars. It's not clear how hard it is to make this change. From checking other Apache projects, javadoc jars do not always contain the LICENSE/NOTICE. Is that going to be an issue? Should we take this to Legal team?

[pjfanning]

@mdedetrich there is https://issues.apache.org/jira/browse/LEGAL-28 and it seems to indicate that we should put LICENSE/NOTICE in javadoc jar. Even if it is ambiguous whether this is the case - it is going to cost time to discuss the issue. is there any chance that sbt-apache-sonatype could just be changed to add LICENSE/NOTICE to the javadoc jars?

[mdedetrich]

No worries, ill add it into sbt-apache-sonatype. Will also use this ticket as a reference.

[mdedetrich]

@pjfanning PR created at https://github.com/mdedetrich/sbt-apache-sonatype/pull/16, can you review it

[mdedetrich]

@pjfanning Release of v0.1.9 was just triggered, should be on Maven in ~30 min, see https://github.com/mdedetrich/sbt-apache-sonatype/actions/runs/5094036357

[mdedetrich]

Closing this as I have updated all pekko projects with sbt-apache-sonatype that makes sure these files are put into source and javadoc jars.

If there is something missing/wrong, feel free to re-open issue.