Use ASF 3rd Party License Policy for module evaluation #79
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
To current third party dependency criterium is not actionable: > Third party dependencies use an Apache 2.0 compatible license This creates some difficulties for module developers and module evaluators and requires verbose explanations that can easily been avoided. Change to what we usually use: > Inclusion of third party dependencies complies with [ASF 3rd Party License Policy](https://apache.org/legal/resolved.html) > * org.z3950.zing:cql-java is allowed, even if it is LGPL-2.1-only The exemption of cql-java is needed because Spring Way modules frequently use folio-spring-cql that uses cql2pgjson that uses cql-java: * https://github.com/search?q=org%3Afolio-org+folio-spring-cql+language%3A%22Maven+POM%22&type=code&l=Maven+POM * https://github.com/folio-org/folio-spring-support/blob/v8.1.2/folio-spring-cql/pom.xml#L35 * https://github.com/folio-org/raml-module-builder/blob/v35.2.2/cql2pgjson/pom.xml#L58 This criterium can be changed as soon as better third party requirements get proposed.
maccabeelevine
approved these changes
Oct 28, 2024
There was a problem hiding this comment.
Thanks @julianladisch, IMHO what you did with Category B looks great.
If TC agrees, we should discuss how to communicate that to dev teams, as it would be a change.
MODULE_ACCEPTANCE_CRITERIA.MD
Outdated
| * Third party dependencies use an Apache 2.0 compatible license (2) | ||
| * Inclusion of third party dependencies complies with [ASF 3rd Party License Policy](https://apache.org/legal/resolved.html) (2) | ||
| * Uses README for [Category B Appropriately Labelled Condition](https://apache.org/legal/resolved.html#appropriately-labelled-condition) | ||
| * org.z3950.zing:cql-java is allowed, even if it is LGPL-2.1-only |
There was a problem hiding this comment.
I see why you noted this exception, and it makes sense to me. But is there any action we should take for
This criterium can be changed as soon as better third party requirements get proposed.
?
There was a problem hiding this comment.
No, anyone can raise a proposal for better third party requirements at any time.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The current third party dependency criterium is not actionable:
The missing list of allowed licenses creates some difficulties for module developers and module evaluators and requires verbose explanations that can easily been avoided.
Change the criterium to what we usually use:
The exemption of cql-java is needed because Spring Way modules frequently use folio-spring-cql that uses cql2pgjson that uses cql-java:
The exemption of marc4j is needed because several modules already use it:
The exemption of hibernate is needed because most Spring way modules already use it, it's a Spring Framework dependency.
This criterium can be changed as soon as better third party requirements get proposed.
Automation of the license compliance check is out of scope of this pull request.