Netty BOM - FOSS License management #12502
Replies: 2 comments
-
All dependencies should be optional, except for JCTools, which is also Apache 2. If we do something here, it should integrate with the Maven toolchain to avoid discrepancies, and handle optional dependencies. What's the problem with having many modules in one repository?
-
I believe the perspectives of the developer and compliance officer are very different... The dependencies you are referring to are runtime deps? Adopting REUSE/SPDX would specify licensing and copyright information in a machine-readable way. That makes clearing netty jars much easier, since after initial approval, any updates can be processed automatically. In itself it's not an issue having multiple modules in one repository; it just makes it more difficult to figure out which copyrights belong to which module. I am sure there would be no benefit in splitting it up. Implementing some sort of standard SBOM format would make the issue irrelevant, since for every artifact you get the licensing / IP information automatically. The tooling would need to be integrated in maven of course, and it would also act as a test, ensuring all artifacts are covered with appropriate information.
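To make the "machine-readable headers that also act as a test" idea concrete, here is an added example (not code from Netty, REUSE or anyone in this thread) of a minimal REUSE-style header check. It reads the `SPDX-FileCopyrightText:` and `SPDX-License-Identifier:` lines from the top of each source file, aggregates the licenses and copyright holders per module, and fails when any file lacks them, which is the per-artifact view a compliance reviewer needs when many modules are built from one repository. The file paths and contents are constructed samples, and the assumption that the first path component names the Maven module is mine.

```python
"""Added example: REUSE-style SPDX header check, usable as a build-time test.

Not Netty's or REUSE's own tooling.  Sample file contents are constructed;
the module-from-path rule is an assumption for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Lazy match so a trailing comment closer ("*/" or "-->") is not captured.
COPYRIGHT_RE = re.compile(r"SPDX-FileCopyrightText:\s*(.+?)\s*(?:\*/|-->)?\s*$")
LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")


def parse_header(text: str, max_lines: int = 20) -> Tuple[List[str], List[str]]:
    """Return (copyright holders, license identifiers) found in the file's first lines."""
    holders: List[str] = []
    licenses: List[str] = []
    for line in text.splitlines()[:max_lines]:
        m = COPYRIGHT_RE.search(line)
        if m:
            holders.append(m.group(1))
        m = LICENSE_RE.search(line)
        if m:
            licenses.append(m.group(1))
    return holders, licenses


def module_of(path: str) -> str:
    """Assumption: the first path component is the Maven module (e.g. 'codec-http/...')."""
    return path.split("/", 1)[0]


def check_repository(files: Dict[str, str]) -> Tuple[List[str], Dict[str, Dict[str, List[str]]]]:
    """files maps repo-relative path -> content.

    Returns (paths missing a complete header, per-module summary of
    licenses and copyright holders), so a reviewer can see at a glance
    which licenses and copyrights end up in each module's artifact.
    """
    missing: List[str] = []
    summary = defaultdict(lambda: {"licenses": set(), "copyrights": set()})
    for path, content in sorted(files.items()):
        holders, licenses = parse_header(content)
        if not holders or not licenses:
            missing.append(path)
            continue
        mod = summary[module_of(path)]
        mod["licenses"].update(licenses)
        mod["copyrights"].update(holders)
    return missing, {
        name: {"licenses": sorted(v["licenses"]), "copyrights": sorted(v["copyrights"])}
        for name, v in summary.items()
    }


# Constructed sample tree: three files with headers, one without.
SAMPLE_FILES = {
    "common/src/main/java/Foo.java":
        "/*\n * SPDX-FileCopyrightText: 2012 The Netty Project\n"
        " * SPDX-License-Identifier: Apache-2.0\n */\npublic class Foo {}\n",
    "common/src/main/java/Bar.java":
        "// SPDX-FileCopyrightText: 2016 Example Contributor\n"
        "// SPDX-License-Identifier: MIT\npublic class Bar {}\n",
    "codec-http/src/main/java/Baz.java":
        "/* SPDX-FileCopyrightText: 2013 The Netty Project */\n"
        "/* SPDX-License-Identifier: Apache-2.0 */\npublic class Baz {}\n",
    "codec-http/src/main/java/NoHeader.java":
        "public class NoHeader {}\n",
}


def run_check(files: Dict[str, str] = SAMPLE_FILES) -> bool:
    """Print the per-module report; return True only if every file carries a header."""
    missing, summary = check_repository(files)
    for name, info in summary.items():
        print(f"{name}: licenses={info['licenses']} copyrights={info['copyrights']}")
    for path in missing:
        print(f"MISSING SPDX header: {path}")
    return not missing


if __name__ == "__main__":
    # Non-zero exit makes this usable as a gate in a Maven exec/verify step.
    raise SystemExit(0 if run_check() else 1)
```

Run stand-alone it reports `common` as carrying both Apache-2.0 and MIT, `codec-http` as Apache-2.0 only, flags `NoHeader.java`, and exits 1; once every file is annotated, the same run doubles as the "initial approval, then automatic updates" check described above.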
-
Hi,
it would be cool if netty would adopt one of the emerging standards for Software Bill of Materials (SBOM).
Also supporting the standardized Copyright/Licensing management with tools like REUSE (https://reuse.software/) would greatly benefit people working with netty in terms of license compliance.
Scanning netty repository with FOSSOLOGY returns at least 10 different licenses and dozens of copyright statements.
The problem is multiplied by a number of netty modules being produced out of a single repository...
Would you be open to discussion in this direction, as well as accepting pull requests addressing this issue?
Cheers!
Nikola