Open sflorczy opened 1 month ago
We do not remove license files or any notice files that come with Apache Jasper.
See: https://github.com/jetty-project/jasper-jsp/blob/apache-11.0.x/apache-jsp/pom.xml#L159
We only exclude the META-INF/maven/** tree (which has the build-specific pom.xml and pom.properties files in a tree with META-INF/maven/<groupId>/<artifactId>/ syntax). Something that Apache Jasper sometimes has, sometimes doesn't.
If Apache Jasper artifact didn't come with a NOTICE file, then the resulting file also does not have a NOTICE file. We do not invent one, nor do we modify the existing one, we preserve the same licensing information that was present on the original artifacts.
But let's look closer ...
In our branch apache-11.0.x the apache-jsp module has the following dependencies (this is from the branch HEAD) ...
[INFO] -------------------< org.mortbay.jasper:apache-jsp >--------------------
[INFO] Building MortBay :: Apache Jasper :: JSP Implementation 11.0.5-SNAPSHOT
[INFO] from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- dependency:3.6.1:tree (default-cli) @ apache-jsp ---
[INFO] org.mortbay.jasper:apache-jsp:jar:11.0.5-SNAPSHOT
[INFO] +- jakarta.servlet.jsp:jakarta.servlet.jsp-api:jar:4.0.0:compile
[INFO] +- org.apache.tomcat:tomcat-jasper:jar:11.0.5:compile
[INFO] |  +- org.apache.tomcat:tomcat-juli:jar:11.0.5:compile
[INFO] |  +- org.apache.tomcat:tomcat-jsp-api:jar:11.0.5:compile
[INFO] |  +- org.apache.tomcat:tomcat-api:jar:11.0.5:compile
[INFO] |  \- org.apache.tomcat:tomcat-util-scan:jar:11.0.5:compile
[INFO] |     \- org.apache.tomcat:tomcat-util:jar:11.0.5:compile
[INFO] +- org.eclipse.jdt:ecj:jar:3.41.0:compile
[INFO] \- org.mortbay.jasper:apache-el:jar:11.0.5-SNAPSHOT:compile
[INFO]    \- jakarta.el:jakarta.el-api:jar:6.0.1:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.370 s
[INFO] Finished at: 2025-05-07T07:09:20-05:00
[INFO] ------------------------------------------------------------------------
Let's take a closer look at a released org.apache.tomcat:tomcat-jasper:jar artifact and compare it with a released org.mortbay.jasper:apache-jsp artifact ...
# Download both from maven central.
[joakim@hyperion apache-jasper-detail]$ curl -O https://repo1.maven.org/maven2/org/apache/tomcat/tomcat-jasper/11.0.5/tomcat-jasper-11.0.5.jar
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 542k 100 542k 0 0 2575k 0 --:--:-- --:--:-- --:--:-- 2572k
[joakim@hyperion apache-jasper-detail]$ curl -O https://repo1.maven.org/maven2/org/mortbay/jasper/apache-jsp/11.0.4/apache-jsp-11.0.4.jar
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 902k 100 902k 0 0 4134k 0 --:--:-- --:--:-- --:--:-- 4120k
# Do they have notice and license files included?
[joakim@hyperion apache-jasper-detail]$ jar -tvf tomcat-jasper-11.0.4.jar | grep -iE "(notice|license)"
11358 Fri Feb 01 00:00:00 CST 1980 META-INF/LICENSE
167 Fri Feb 01 00:00:00 CST 1980 META-INF/NOTICE
[joakim@hyperion apache-jasper-detail]$ jar -tvf apache-jsp-11.0.4.jar | grep -iE "(notice|license)"
11358 Fri Feb 01 00:00:00 CST 1980 META-INF/LICENSE
167 Fri Feb 01 00:00:00 CST 1980 META-INF/NOTICE
# Both have a license and notice file.
# They are even the same size and timestamp.
# Let's unpack each into separate directories (and return to the parent directory afterwards).
[joakim@hyperion apache-jasper-detail]$ mkdir tomcat && cd tomcat && jar -xf ../tomcat-jasper-11.0.5.jar && cd ..
[joakim@hyperion apache-jasper-detail]$ mkdir jetty && cd jetty && jar -xf ../apache-jsp-11.0.4.jar && cd ..
# What does the Tomcat provided notice say?
[joakim@hyperion apache-jasper-detail]$ cat tomcat/META-INF/NOTICE
Apache Tomcat
Copyright 1999-2025 The Apache Software Foundation
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
[joakim@hyperion apache-jasper-detail]$ cat jetty/META-INF/NOTICE
Apache Tomcat
Copyright 1999-2025 The Apache Software Foundation
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
# Are they the same files?
[joakim@hyperion apache-jasper-detail]$ sha1sum tomcat/META-INF/[NL]*
2b8b815229aa8a61e483fb4ba0588b8b6c491890 tomcat/META-INF/LICENSE
a52f271a0f46d48045a1a9a0d6637a020c160247 tomcat/META-INF/NOTICE
[joakim@hyperion apache-jasper-detail]$ sha1sum jetty/META-INF/[NL]*
2b8b815229aa8a61e483fb4ba0588b8b6c491890 jetty/META-INF/LICENSE
a52f271a0f46d48045a1a9a0d6637a020c160247 jetty/META-INF/NOTICE
# Yup.
Hope you see that we satisfy the obligations of the Apache license here.
The differences are pointed out in https://github.com/jetty-project/jasper-jsp/blob/apache-11.0.x/README.md
META-INF/services/ files.
META-INF/web-fragment.xml files.
META-INF/*.DSA and META-INF/*.RSA (Tomcat is not consistent in its use of these files, they are sometimes there, sometimes not. Since we rebuild the META-INF/MANIFEST.MF, we cannot use these files anyway).
META-INF/MANIFEST.MF
META-INF/NOTICE, properties files, text files, etc.
I suspect you are referring to this section in the Apache Source License.
https://github.com/apache/tomcat/blob/main/LICENSE#L90-L129
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
The "within the Source form or documentation" part is satisfied by the README on the GitHub page (as documentation).
The modifications are not required to be listed in the NOTICE file that is shipped with the new artifact.
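The manual session above (list, extract, sha1sum) generalized into a check that a downstream consumer can run over any upstream/repackaged jar pair: it classifies every META-INF entry as identical, modified, or present on only one side, and flags a dropped or altered LICENSE/NOTICE. This is an added example, not code from the jasper-jsp project; the two jars are constructed in memory so it runs offline, and their entry names are stand-ins rather than the real artifacts' contents.

```python
import io
import zipfile

NOTICE_FILES = ("META-INF/LICENSE", "META-INF/NOTICE")

def diff_meta_inf(upstream: bytes, repackaged: bytes) -> dict:
    """Classify each META-INF/ entry of the two jars: identical, modified,
    only-upstream or only-repackaged (byte comparison, as sha1sum did above)."""
    up = zipfile.ZipFile(io.BytesIO(upstream))
    rp = zipfile.ZipFile(io.BytesIO(repackaged))
    up_names, rp_names = set(up.namelist()), set(rp.namelist())
    report = {}
    for name in sorted(n for n in up_names | rp_names if n.startswith("META-INF/")):
        if name not in rp_names:
            report[name] = "only-upstream"
        elif name not in up_names:
            report[name] = "only-repackaged"
        elif up.read(name) == rp.read(name):
            report[name] = "identical"
        else:
            report[name] = "modified"
    return report

def notices_preserved(report: dict) -> bool:
    """True when no upstream LICENSE/NOTICE was dropped or altered; a notice
    absent upstream creates no obligation, so it does not fail the check."""
    return all(report.get(n) not in ("only-upstream", "modified") for n in NOTICE_FILES)

def build_jar(entries: dict) -> bytes:
    """Build a constructed jar (a zip file) in memory from {path: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in entries.items():
            z.writestr(path, content)
    return buf.getvalue()

NOTICE = "Apache Tomcat\nCopyright 1999-2025 The Apache Software Foundation\n"
# Constructed stand-ins: upstream carries a maven tree and a signature block, the repackaged jar drops both.
UPSTREAM_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nBuilt-By: upstream\n",
    "META-INF/LICENSE": "Apache License 2.0 (constructed)\n",
    "META-INF/NOTICE": NOTICE,
    "META-INF/maven/org.apache.tomcat/tomcat-jasper/pom.xml": "<project/>",
    "META-INF/TOMCAT.RSA": b"\x30\x82",
})
REPACKAGED_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nBuilt-By: repackager\n",
    "META-INF/LICENSE": "Apache License 2.0 (constructed)\n",
    "META-INF/NOTICE": NOTICE,
})
```

Against real artifacts, read the two downloaded jars into bytes and pass them to diff_meta_inf; the only-upstream entries are exactly the list a redistributor's README should account for.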
Thank you for the detailed explanation. The explanation that it's in the README on GitHub is probably sufficient, though I'm not a lawyer :) I'm not sure if not copying files can even be called a Derivative Work or modification. I didn't mean that you are removing or not copying any NOTICE file. I was referring to point (b) - to create your own dedicated one for jasper-jsp. If someone (like me) is using jasper-jsp indirectly, they have trouble finding information on why the Tomcat I'm using is different from the official one, and checking for vulnerabilities. The redistributor is not obligated to copy the README, but according to the license, they would be obligated to copy the NOTICE file.
The explanation is sufficient for me, and you can close the issue and treat it as a suggestion.
This is not a simple use or a mirror of Apache Tomcat, so the NOTICE file should be included. The file should mention any modifications, such as removed elements. This will help accurately assess whether Tomcat's vulnerabilities also affect this project.