Please consider providing expanded author information

[olekw]

Downstream distributors (such as Debian) like to provide detailed information about the origin of software packages in order to recognize the work of people who contribute to the overall system. The only attribution in Checker Framework is currently "Checker Framework developers" in LICENSE.txt. I see that there are additional names listed in the POM files but it is unclear if those are all-inclusive or merely the lead developers.

If possible, if would be great to have an AUTHORS.txt file or similar to recognize all contributors.

[olekw]

Also, I assume that the MIT license applies only to these files but it would be helpful if that were clarified as well. Thanks!

[mernst]

The names in the POM files are merely the lead developers.

If possible, if would be great to have an AUTHORS.txt file or similar to recognize all contributors.

The contributors are listed at https://checkerframework.org/manual/#credits and also in a file contributors.tex. Is that sufficient, or does Debian require them to be in a file named AUTHORS.txt?

Also, I assume that the MIT license applies only to these files but it would be helpful if that were clarified as well.

The MIT license applies to those files and a few more as explained in LICENSE.txt. Where would you like further clarification?

[olekw]

Hi @mernst and thanks for the quick reply!

The contributors are listed at https://checkerframework.org/manual/#credits and also in a file contributors.tex.

Perfect, thanks for pointing out the location of that file!

Also, I assume that the MIT license applies only to these files but it would be helpful if that were clarified as well.

The MIT license applies to those files and a few more as explained in LICENSE.txt. Where would you like further clarification?

Ok, so here's where I'm confused. Since it looks like the project has removed checker-compat-qual, I'll focus just on checker-qual. Regarding only files that are actually distributed in this repository, the LICENSE.txt specifies that the following are MIT-licensed:

every file in a qual/ directory,

Easy, the checker-qual build.gradle file has "include '**/org/checkerframework/**/qual/*.java'".

plus utility files such as NullnessUtil.java,

include "**/NullnessUtil.java"

RegexUtil.java,

include "**/RegexUtil.java"

SignednessUtil.java,

include "**/SignednessUtil.java"

etc

I assume this refers to the additional includes in the build.gradle file:
include '**/PurityUnqualified.java' // TODO: Should we move this into a qual directory?
include "**/FormatUtil.java"
include "**/UnitsTools.java"
include "**/I18nFormatUtil.java"
include '**/Opt.java'

So what are the additional MIT-licensed files in LICENSE.txt? Are you referring to the third-party files that are hosted in different repositories?

For clarity, I'm the one who packaged this software for Debian and I used the include list in checker-qual/build.gradle to specify which files are MIT-licensed vs GPL in the 3.0.1 release. If that was not a correct interpretation of LICENSE.txt, please let me know what else should be included.

I submit that something like the following might be a clearer way to state the licensing in LICENSE.txt:

The annotations are licensed under the MIT License. (The text of this
license also appears below.) More specifically, this applies to the
checker-qual*.jar and all the files that appear in it:
FormatUtil.java, I18nFormatUtil.java, NullnessUtil.java, Opt.java,
PurityUnqualified.java, RegexUtil.java, SignednessUtil.java,
UnitsTools.java, as well as every *.java file in a qual/ directory.

[mernst]

Thanks for the clarifications. Your interpretation is correct. There are just a few more MIT-licensed files that don't appear in checker.jar.
Could you see whether #3430 addresses your concerns? Please let me know if you have suggestions that can improve it.
Note that the annotated JDK is distributed differently in version 3.4.0 and later; there are no licensing changes, but the text about where it appears in the distribution is not correct for version 3.0.1.

(Also, thanks for packaging the Checker Framework for Debian! Let us know if you need any help, or if we should add some text to https://checkerframework.org/manual/#installation with another installation possibility.)

[olekw]

Could you see whether #3430 addresses your concerns? Please let me know if you have suggestions that can improve it.

Overall, looks great! Thank you for adding the location of the third-party annotations, I did not realize that they were part of this repository.

I made a couple comments on that PR. The most significant regards .astub licensing. Our license compliance checks will not allow that into Debian as-is. Please let me know if my recommended solution seems feasible.

Note that the annotated JDK is distributed differently in version 3.4.0 and later; there are no licensing changes, but the text about where it appears in the distribution is not correct for version 3.0.1.

Ok, good to know, thanks! I'll double-check the 3.0.1 location. Hopefully, if this all goes well, I can upgrade Debian to the newest version soon.

(Also, thanks for packaging the Checker Framework for Debian! Let us know if you need any help, or if we should add some text to https://checkerframework.org/manual/#installation with another installation possibility.)

You're welcome! I will definitely take you up on that. Once we can get this licensing stuff resolved and the package enters Debian (and Ubuntu, as well as other downstreams) I'll make a new issue with recommended verbiage for installing on Debian-based systems.