Missing license information for works included in woodstox binary JARs through shading

[tazle]

We noticed that the woodstox binary JARs include (parts of?) several projects that do not seem to be licensed under the Apache-2.0 license.

The comments in pom.xml make me wonder if they are actually necessary to distribute in the first place. If they are only necessary for some use cases, could they be moved to a separate JAR, or treated as optional Maven dependencies without shading, so to move the license problem to whoever wants to distribute the whole with the optional dependencies?

If they are necessary, I believe it is required by the 3rd party licenses in question (e.g. https://github.com/xmlark/msv/blob/master/docs/license.txt) that the license texts be included alongside the works distributed. That is, the license texts should be included in the woodstox binary JAR.

[cowtowncoder]

First things first: shaded dependencies are only needed for XML Schema based validation, so in theory they could be extracted as separate artifacts. This probably would require creation of new artifact with the little bit of Woodstox-side glue, shaded dependencies.

Version-wise that would have to be major new version since removal would break some usage, some users somewhere would be affected.

Unfortunately I am not sure I have time to spend on doing this: I would be happy to help with it, however.
I have been thinking of major version upgrade for just requiring newer JDK (see #134).

But perhaps inclusion of license would be simpler thing: esp. if there was a PR for it :)

One challenge may be that due to MSV being a legacy thing with no active maintenance for years, it may be challenging to gather necessary license pieces.