@julianladisch julianladisch commented Aug 4, 2025

Automated license compliance checkers complain when the <name>
and the <url> tag of a <license> element in the pom.xml don't match.

Any mismatch requires manual investigation.

The current tag <name>Apache Software License - Version 2.0</name>
doesn't match the official license name because the official license
name is Apache License and not Apache Software License:
https://www.apache.org/licenses/LICENSE-2.0

There are two official ways to fill the <name> tag:
* The full legal name of the license as specified by https://maven.apache.org/ref/3.9.11/maven-model/maven.html
* The SPDX identifier as recommended by https://maven.apache.org/pom.html#Licenses

During code review the full legal name was rejected as wrong and it was requested that
the SPDX identifier must be used.

Therefore the <name> is changed from the full legal name to the SPDX identifier.
This fixes the issue with the wrong license name.


@joakime joakime left a comment


Huh?

This is a free form field.
The <url> is the canonical license declaration found in the pom (not the <name>).
Along with any SPDX-License-Identifier in the declared LICENSE or META-INF/LICENSE* files.

Let's take a look at other Apache projects...


joakime commented Aug 4, 2025

Example of SPDX -

SPDX-License-Identifier: EPL-2.0 OR Apache-2.0


joakime commented Aug 4, 2025

Any "automated license compliance checkers" should be using the SPDX-License-Identifier as that correctly identifies the license, along with logic surrounding multiple licenses, like AND / OR behaviors (to name a few).

Automated license compliance checkers complain when the `<name>`
and the `<url>` tag of a `<license>` element in the pom.xml don't match.

Any mismatch requires manual investigation.

The current tag `<name>Apache Software License - Version 2.0</name>`
doesn't match the official license name because the official license
name is `Apache License` and not `Apache Software License`:
https://www.apache.org/licenses/LICENSE-2.0

There are two official ways to fill the `<name>` tag:
* The full legal name of the license as specified by https://maven.apache.org/ref/3.9.11/maven-model/maven.html
* The SPDX identifier as recommended by https://maven.apache.org/pom.html#Licenses

During code review the full legal name was rejected as wrong and it was requested that
the SPDX identifier must be used.

Therefore the `<name>` is changed from the full legal name to the SPDX identifier.
This fixes the issue with the wrong license name.

Signed-off-by: Julian Ladisch <[email protected]>
@julianladisch julianladisch force-pushed the fix-apache-license-name branch from 5b38ba6 to 00b66b8 Compare August 5, 2025 09:57
@julianladisch julianladisch changed the title Fix wrong name of Apache License in pom.xml Fix <license><name> by using SPDX in pom.xml Aug 5, 2025
@julianladisch julianladisch requested a review from joakime August 5, 2025 09:59

joakime commented Aug 5, 2025

No, this isn't right either, we are not switching to SPDX short identifiers in the pom.xml.

The <license><name> is a free form text, for users, not "automated license compliance checkers".
Changing it to use the SPDX short identifiers helps no one. The fact that your "automated license compliance checkers" react to that change is disturbing.

Those "automated license compliance checkers" should be using the FULL "SPDX license expression" to understand the license, not the pom.xml, which lacks sufficient information to understand the project's license. (e.g. our pom.xml has no statement about AND vs OR vs WITH on those two licenses, nor is the pom.xml capable of representing that kind of license).

See https://spdx.github.io/spdx-spec/v2.3/using-SPDX-short-identifiers-in-source-files/#e4-representing-multiple-licenses

The current tag <name>Apache Software License - Version 2.0</name>
doesn't match the official license name because the official license
name is Apache License and not Apache Software License:
https://www.apache.org/licenses/LICENSE-2.0

The ASL (aka Apache Software License) is an industry accepted term and acronym.
MOST projects hosted at apache.org are still using the full "Apache Software License" in their pom.xml (some with the extra "The" at the start), as that's the historical naming of that license.
You can see this in the license text itself.

The NEW license 2.0 dropped the "Software" on the official license text, but the projects hosted at apache.org themselves don't use that trimmed term.

In short, we are not going to bend and twist Jetty's pom.xml to satisfy your "automated license compliance checkers". Other automated tools in this same problem space have no issues with the existing Jetty setup. We suggest you look at replacement tools that handle license validation in a more correct way.

Find a tool that supports both SPDX and ECMA-424 for license validation, then just use the information in the distributed JARs and BOMs for your license validation. (Note: ECMA-424 defines how to handle multiple licenses, even if they don't have the AND/OR/WITH language present in the BOM metadata)

Our ECMA-424 BOMs are found in the jetty-home artifact coordinates - https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/12.0.23/


joakime commented Aug 5, 2025

I'm closing this, as we don't want to make this change to the pom.xml for a fundamentally broken license validation tool.

@joakime joakime closed this Aug 5, 2025
@julianladisch (Author)

If the <licenses> tag contains multiple <license> elements they are combined using OR as specified in the pom.xml spec: https://maven.apache.org/ref/3.9.11/maven-model/maven.html#project

If multiple licenses are listed, it is assumed that the user can select any of them, not that they must accept all.

@julianladisch (Author)

The compliance checker complains that in Apache Software License - Version 2.0 the name and the version don't match. It should be one of

  • Apache Software License 1.0
  • Apache Software License 1.1
  • Apache License 2.0

The compliance checker handles SPDX-License-Identifier entries and reports any discrepancy from that SPDX-License-Identifier, including the discrepancy in the pom.xml <license> tag.
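The two positions in this thread can be reconciled in a checker that does what the maintainer asks: match on the canonical `<url>` and the repository's SPDX expression, ignore the free-form `<name>`, and read several `<license>` entries as alternatives (OR), as the Maven model documents above. The script below is an added example written for this page; it is not Jetty code and not the checker the PR author used. The `URL_TO_SPDX` table and both sample poms are constructed for the demo (real tooling would use the SPDX license list), and it refuses to judge AND/WITH expressions because pom.xml cannot express them.

```python
"""Compare a Maven pom.xml <licenses> block with an SPDX license expression.

Added example for this thread, not Jetty code and not the PR's checker.
Assumptions: URL_TO_SPDX is a hand-written table for the demo (real tooling
would use the SPDX license list), and the sample poms below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed table: canonical license <url> values -> SPDX short identifiers.
# Only the <url> is matched; the free-form <name> is never consulted.
URL_TO_SPDX = {
    "https://www.eclipse.org/legal/epl-2.0/": "EPL-2.0",
    "https://www.apache.org/licenses/LICENSE-2.0": "Apache-2.0",
    "https://www.apache.org/licenses/LICENSE-2.0.txt": "Apache-2.0",
}


def _local(tag):
    """Drop the POM namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def pom_licenses(pom_xml):
    """Return (name, url, distribution) for every <license> element in the pom."""
    root = ET.fromstring(pom_xml)
    result = []
    for elem in root.iter():
        if _local(elem.tag) != "license":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in elem}
        result.append((fields.get("name", ""), fields.get("url", ""),
                       fields.get("distribution", "")))
    return result


def spdx_alternatives(expr):
    """Split 'A OR B OR C' into the set of alternatives."""
    return frozenset(part.strip() for part in expr.split(" OR "))


def check_pom(pom_xml, spdx_expr):
    """Return a list of findings; an empty list means the pom agrees with the expression."""
    problems = []
    # pom.xml has no AND/WITH syntax, so such expressions need a human reviewer.
    if re.search(r"\b(AND|WITH)\b", spdx_expr):
        problems.append("expression uses AND/WITH, which <licenses> cannot express; review manually")
        return problems
    declared = set()
    for name, url, dist in pom_licenses(pom_xml):
        spdx_id = URL_TO_SPDX.get(url)
        if spdx_id is None:
            problems.append(f"unknown license url {url!r} (name: {name!r})")
            continue
        declared.add(spdx_id)
        if dist != "repo":
            problems.append(f"{spdx_id}: missing <distribution>repo</distribution>")
    # Maven reads several <license> entries as alternatives (pick any one), i.e. OR.
    expected = spdx_alternatives(spdx_expr)
    if declared != expected:
        problems.append(f"pom declares {sorted(declared)} but expression allows {sorted(expected)}")
    return problems


# Constructed sample: full legal names in <name>, <distribution> present.
POM_FULL_NAMES = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses>
    <license>
      <name>Eclipse Public License - Version 2.0</name>
      <url>https://www.eclipse.org/legal/epl-2.0/</url>
      <distribution>repo</distribution>
    </license>
    <license>
      <name>Apache Software License - Version 2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0</url>
      <distribution>repo</distribution>
    </license>
  </licenses>
</project>"""

# Constructed sample: SPDX identifiers in <name> (the PR's form), no <distribution>.
POM_SPDX_NAMES = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses>
    <license>
      <name>EPL-2.0</name>
      <url>https://www.eclipse.org/legal/epl-2.0/</url>
    </license>
    <license>
      <name>Apache-2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
    </license>
  </licenses>
</project>"""

if __name__ == "__main__":
    for label, pom in (("full names", POM_FULL_NAMES), ("spdx names", POM_SPDX_NAMES)):
        print(label, check_pom(pom, "EPL-2.0 OR Apache-2.0") or "OK")
```

Run against `EPL-2.0 OR Apache-2.0`, the first pom passes and the second is flagged only for the missing `<distribution>` elements; the wording of `<name>` changes nothing in either result, which is the behaviour a checker should have if it treats `<url>` as the canonical declaration.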

@joakime joakime reopened this Aug 5, 2025

joakime commented Aug 5, 2025

What license checker are you using?

Comment on lines 20 to 27
<license>
<name>Eclipse Public License - Version 2.0</name>
<name>EPL-2.0</name>
<url>https://www.eclipse.org/legal/epl-2.0/</url>
</license>
<license>
<name>Apache Software License - Version 2.0</name>
<name>Apache-2.0</name>
<url>https://www.apache.org/licenses/LICENSE-2.0</url>
</license>
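Review bot: neither `<license>` block carries a `<distribution>` element; the Maven model uses it (`repo` or `manual`) to state whether the artifact may be redistributed from a repository, so add `<distribution>repo</distribution>` after each `<url>`. The pom also cannot state the relation between the two licenses: per the Maven model, multiple `<license>` entries are read as alternatives the user may choose from, which matches the project's `SPDX-License-Identifier: EPL-2.0 OR Apache-2.0`, so a checker should match the `<url>` values against that expression rather than the free-form `<name>`.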
Contributor

Add <distribution>repo</distribution> to each one too.

pom.xml Outdated
<license>
<name>Apache Software License - Version 2.0</name>
<name>Apache-2.0</name>
<url>https://www.apache.org/licenses/LICENSE-2.0</url>
Contributor

Lets use the same URL as org.apache:apache parent pom too.

<url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>

@sbordet sbordet requested a review from joakime September 13, 2025 14:35