Skip to content

fix: restore proper license headers for third-party code #4134

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bobbai00 wants to merge 3 commits into
base: main
Choose a base branch
from
Open

fix: restore proper license headers for third-party code #4134

bobbai00 wants to merge 3 commits into from

Conversation

@bobbai00
Copy link
Contributor

@bobbai00 bobbai00 commented Dec 17, 2025
edited
Loading

What changes were proposed in this PR?

The third-party code (all MIT licensed, Category A) is compatible with Apache License 2.0 but requires proper attribution per Apache policy. This PR addresses license compliance issues identified during an audit:

  1. Restored original MIT license headers for third-party code:

    • common/workflow-operator/src/main/scala/com/kjetland/** (mbknor-jackson-jsonschema)
    • frontend/src/app/common/formly/array.type.ts (Google Angular)

  2. Updated LICENSE file with proper third-party attribution section including full MIT license text for each bundled dependency

  3. Updated .licenserc.yaml to exclude third-party files from Apache license header checking

  4. Added sbt-license-report plugin for automated dependency license tracking and compliance auditing

Any related issues, documentation, discussions?

Closes #4135. Related to #4132.

How was this PR tested?

Was this PR authored or co-authored using generative AI tooling?

Co-authored with Claude code.

@claude
fix: restore proper license headers for third-party code and add attr…
7f5333e 
…ibution

This commit addresses license compliance issues identified during an audit:

1. Restored original MIT license headers for third-party code:
   - pyright-language-service/src/*.ts (TypeFox monaco-languageclient)
   - common/workflow-operator/src/main/scala/com/kjetland/** (mbknor-jackson-jsonschema)
   - frontend/src/app/common/formly/array.type.ts (Google Angular)

2. Updated LICENSE file with proper third-party attribution section
   including full MIT license text for each bundled dependency

3. Updated .licenserc.yaml to exclude third-party files from
   Apache license header checking

4. Added sbt-license-report plugin (v1.7.0) for automated dependency
   license tracking and compliance auditing

The third-party code (all MIT licensed, Category A) is compatible with
Apache License 2.0 but requires proper attribution per Apache policy.
@github-actions github-actions bot added frontend Changes related to the frontend GUI docs Changes related to documentations service common labels Dec 17, 2025
@claude
fix: remove pyright changes (handled by PR apache#4132)
821a412 
Remove pyright-language-service license header changes as they are
already addressed in PR apache#4132. This commit now focuses only on:

- mbknor-jackson-jsonschema (MIT license attribution)
- Angular array.type.ts (MIT license attribution)
- sbt-license-report plugin for dependency tracking
@github-actions github-actions bot removed the service label Dec 17, 2025
@bobbai00 bobbai00 changed the title fix: restore proper license headers for third-party code and add attr… fix: restore proper license headers for third-party code Dec 17, 2025
@bobbai00 bobbai00 self-assigned this Dec 17, 2025
@parshimers
Copy link
Member

parshimers commented Dec 17, 2025

While this fixes some of the issues, I still think there are more remaining.
Anything under frontend/src/app/common/formly is MIT-licensed by Google, not just that one file.
Furthermore the required attribution from the MIT license belongs in NOTICE, not LICENSE. The text of the Apache License actually refers to the NOTICE file (https://www.apache.org/licenses/LICENSE-2.0.html#redistribution) as the place where these sorts of attributions go.

I would also suggest that this task not be done via Claude or other LLMs. I don't think it's the right tool for the job. Using a script that an LLM might generate could be good, but there is no easy way to check the validity of the output an LLM would generate in this task. In fact it's exceedingly hard to validate this task, and easy to mistake it for being done correctly, as we have seen. Therefore the method in which it is done is important to scrutinize and have a high degree of confidence in.

My method so far has been to look at the diff of the change that added all of the ASF headers (and inadvertently changed some), and look carefully at any instance where lines were removed instead of added. There are not many of these. Each of those should be scrutinized and marked as either appropriate or mistaken.

@bobbai00
Copy link
Contributor Author

bobbai00 commented Dec 28, 2025

While this fixes some of the issues, I still think there are more remaining. Anything under frontend/src/app/common/formly is MIT-licensed by Google, not just that one file. Furthermore the required attribution from the MIT license belongs in NOTICE, not LICENSE. The text of the Apache License actually refers to the NOTICE file (https://www.apache.org/licenses/LICENSE-2.0.html#redistribution) as the place where these sorts of attributions go.

I would also suggest that this task not be done via Claude or other LLMs. I don't think it's the right tool for the job. Using a script that an LLM might generate could be good, but there is no easy way to check the validity of the output an LLM would generate in this task. In fact it's exceedingly hard to validate this task, and easy to mistake it for being done correctly, as we have seen. Therefore the method in which it is done is important to scrutinize and have a high degree of confidence in.

My method so far has been to look at the diff of the change that added all of the ASF headers (and inadvertently changed some), and look carefully at any instance where lines were removed instead of added. There are not many of these. Each of those should be scrutinized and marked as either appropriate or mistaken.

Thank you for your review! I will manually check files and make the fix complete.

I have one question regarding the location of attribution. Quoting from https://infra.apache.org/licensing-howto.html#permissive-deps,

In LICENSE, add a pointer to the dependency's license within the distribution and a short note summarizing its licensing:
This product bundles SuperWidget 1.2.3, which is available under a
"3-clause BSD" license. For details, see deps/superwidget/.
Under normal circumstances, there is no need to modify NOTICE to mention a bundled dependency.

Seems the attribution should still be put in LICENSE, not NOTICE?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Yicong-Huang Yicong-Huang Awaiting requested review from Yicong-Huang

@parshimers parshimers Awaiting requested review from parshimers

@aglinxinyuan aglinxinyuan Awaiting requested review from aglinxinyuan

At least 1 approving review is required to merge this pull request.

Assignees

@bobbai00 bobbai00

Labels

common docs Changes related to documentations frontend Changes related to the frontend GUI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Restore proper license headers for third-party bundled source code

3 participants

@bobbai00 @parshimers @claude