While chatting with @ppkarwasz I ran a scancode scan of https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.24.3/log4j-core-2.24.3-sources.jar using the latest https://github.com/aboutcode-org/scancode.io
Here are some notes:
- Overall the scan clarity in the latest scancode.io looks fine to me:
There are a few small oddities:
- A sample copyright there is not useful IMHO:
- The META-INF/DEPENDENCIES file comes with good intentions, but is not useful and eventually misleading, as not all these deps may be installed. I would advise against including such data that is likely wrong (it will be detected by ScanCode but will lead to busy work for reviewing this).
- if you intend for your NOTICE file to include all copyrights, it is incomplete as it is missing
- This license header may not be the original one: https://github.com/apache/logging-log4j2/blob/7acbc486854cd9b62184883ef9ee5973e1ef1b8b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/CronExpression.java ... back in ~2015, this was likely like this: https://github.com/quartz-scheduler/quartz/blob/40b70e3ab49ecc0b53f4d719e6e81392469fd5f6/quartz-core/src/main/java/org/quartz/CronExpression.java ... I would likely restore the original one. And same ... if you really intend your NOTICE to be comprehensive, this is missing there.
- Your NOTICE file dates are likely outdated. I would remove dates or remove the NOTICE.
- The author and copyright info from Tim Fennel was stripped from its original at https://github.com/apache/logging-log4j2/blob/3e6bb87f728a9da48d33cecf9dd02dd09bc1a330/log4j2-core/src/main/java/org/apache/logging/log4j/core/config/plugins/ResolverUtil.java and the license notice changed. I would restore it.