The bookkeeper project ships one source distribution and two binary distributions.
- bookkeeper-<version>-src.tar.gz, which contains the source code to build bookkeeper.
- bookkeeper-all-<version>-bin.tar.gz, which contains the bookkeeper server and all optional dependencies.
- bookkeeper-server-<version>-bin.tar.gz, which contains the bare minimum to run a bookkeeper server.

The source distribution can contain source code copied from third parties. The binaries ship with third party dependencies in jar file form.
As the ASF may not own the copyright on the contents of this copied source code or third party jars, we may need to account for them in the LICENSE and/or NOTICE file of the distribution.
The LICENSE and NOTICE files for the source distribution are found at:
The LICENSE and NOTICE files for the binary distribution are found at:
When updating these files, use the following rules of thumb:
For bookkeeper, a source dependency is any code which has been copied in code form into our source tree. An example of this is circe-checksum, which was copied into our codebase and modified. Depending on the license of the source code, you may need to update the source distribution LICENSE and NOTICE files.
In the case of circe-checksum, the original code is under the Apache Software License, Version 2 (ASLv2), and there is no NOTICE file, so neither LICENSE nor NOTICE needs to be updated.
If, for example, we were to copy code from Hadoop, and the code in question was originally written for Hadoop, then we would not need to update LICENSE or NOTICE, as Hadoop is also licensed under the ASLv2, and while it has a NOTICE file, the part covering code originally written for Hadoop is covered by the line, “This product includes software developed by The Apache Software Foundation (http://www.apache.org/).”, which already exists in our NOTICE. However, if we were to copy code from Hadoop that originated elsewhere, such as their pure Java CRC library, which is originally from Intel under a BSD-style license, we would have to track down the original license, add it to deps/ and link it from our LICENSE file.
If we were to copy code from Netty, and the code in question was originally written for Netty, then we would need to update NOTICE with the relevant portions (i.e. the first section) from the Netty NOTICE file, as Netty is licensed under the ASLv2 and it does contain a NOTICE file. If we were to copy code from Netty which originated elsewhere, but had also been modified by Netty, for example their SLF4J modifications, we would need to update our NOTICE with the relevant portions (i.e. the first section) from Netty's NOTICE, and also add the SLF4J license to deps/ and link it from our LICENSE file (as it has an MIT-style license).
If we were to copy code from Protobuf or SLF4J into our code base, then we would have to copy their license to deps/ and link it from our LICENSE file, as these projects are under BSD-style and MIT-style licenses respectively.
When a new binary dependency is added, or a dependency version is updated, we need to update the LICENSE and NOTICE files for our binary packages. There is a separate version of each of these files for both the -all tarball and the -server tarball. The files can be found at bookkeeper-dist/src/main/resources.
How you update the files depends on the licensing of the dependency. Most dependencies come under either the Apache Software License, Version 2, or an MIT/BSD style license. If the software comes under anything else, it's best to ask for advice on the dev@ list.
We provide a script which will check if the LICENSE file attached to a binary tarball matches the jar files distributed in that tarball. The goal of the script is to ensure that all shipped binaries are accounted for, and that nothing else is mentioned in the LICENSE or NOTICE files.
To check that licensing is correct, generate the tarball and run the script against it as follows (in this example I've removed references to protobuf from the LICENSE file).
~/src/bookkeeper $ mvn clean package -DskipTests
...
~/src/bookkeeper $ dev/check-binary-license bookkeeper-dist/server/target/bookkeeper-server-4.7.0-SNAPSHOT-bin.tar.gz
com.google.protobuf-protobuf-java-3.4.0.jar unaccounted for in LICENSE
deps/protobuf-3.4.0/LICENSE bundled, but not linked from LICENSE
~/src/bookkeeper $
The script checks the following:
This script will fail the check even if only the version of the dependency has changed. This is intentional. The licensing requirements of a dependency can change between versions, so if a dependency version changes, we should check that the entries for that dependency are correct in our LICENSE and NOTICE files.
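The kind of two-way check described above, written as an added Python example (it is not the project's dev/check-binary-license script). The tarball layout (lib/ and deps/ under one root directory), the regexes, the org.example widget jar and the two "not bundled" messages are assumptions; the sample tarball is constructed in memory.

```python
import io
import re
import tarfile

JAR_RE = re.compile(r"[\w.\-]+\.jar")    # jar file names mentioned in LICENSE
DEP_RE = re.compile(r"deps/[\w.\-/]+")   # bundled license texts linked from LICENSE

def check_binary_license(tar_bytes):
    """Return sorted mismatches between a binary tarball and its LICENSE file."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        names = [m.name for m in tar.getmembers() if m.isfile()]
        # Assumed layout: <root>/LICENSE, <root>/lib/*.jar, <root>/deps/**
        top = next(n for n in names if n.count("/") == 1 and n.endswith("/LICENSE"))
        text = tar.extractfile(top).read().decode("utf-8")
    root = top.split("/")[0] + "/"
    jars = {n.rsplit("/", 1)[-1] for n in names if n.endswith(".jar")}
    deps = {n[len(root):] for n in names if n.startswith(root + "deps/")}
    listed, linked = set(JAR_RE.findall(text)), set(DEP_RE.findall(text))
    # Names carry the version, so a version bump alone shows up as a mismatch.
    problems = [f"{j} unaccounted for in LICENSE" for j in jars - listed]
    problems += [f"{j} mentioned in LICENSE, but not bundled" for j in listed - jars]
    problems += [f"{d} bundled, but not linked from LICENSE" for d in deps - linked]
    problems += [f"{d} linked from LICENSE, but not bundled" for d in linked - deps]
    return sorted(problems)

def build_tarball(files):
    """Build a gzip'd tarball in memory from {path: text} (sample input helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: protobuf is shipped but missing from LICENSE, as in the run above.
ROOT = "bookkeeper-server-x.y.z/"   # placeholder version
SAMPLE = build_tarball({
    ROOT + "LICENSE": "lib/org.example-widget-1.0.jar\ndeps/widget-1.0/LICENSE\n",
    ROOT + "lib/org.example-widget-1.0.jar": "",
    ROOT + "lib/com.google.protobuf-protobuf-java-3.4.0.jar": "",
    ROOT + "deps/widget-1.0/LICENSE": "hypothetical license text",
    ROOT + "deps/protobuf-3.4.0/LICENSE": "license text",
})

if __name__ == "__main__":
    for problem in check_binary_license(SAMPLE):
        print(problem)
```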
bookkeeper-dist/src/main/resources/deps/ and add a link to this file from the LICENSE file.
bookkeeper-dist/src/assemble/).