License in Spring Boot parent is applied to generated projects with Maven #1242
Comments
We are aware of this problem and it was already discussed in #1017. The TL;DR of it is that we feel it is a shortcoming of Maven. We must set those in order to be able to deploy the parent to Maven Central. Maven doesn't offer us any tool where we can offer a parent and yet "undo" the license we had to define. Having said that, I think that someone who creates a project and then intends to publish it to Maven Central will choose a license and define it at the project level. The build tool is just one place where that metadata is defined so I find the use cases a bit off balance personally. I'd like to give this yet another go with the team to see if we can improve something. #1017 mentions the reference doc and I am not sure this was properly addressed.
Has this ever been on the Maven mailing list? It should be...
@bmarwell this specific issue is part of a larger problem of mixing build information and published pom for user's consumption. There isn't anything new that hasn't been reported in several forms already.
The (rejected) suggestion of #1017 to include
```xml
<developers>
  <developer/>
</developers>
<licenses>
  <license/>
</licenses>
<scm>
  <url/>
</scm>
<url/>
```
in the generated project would be my solution as well.
FWIW defining empty elements as mentioned by @JaroslavTulach is what the Helidon team decided. You might want to check with them for pros & cons of that approach.
While looking at SBOM stuff, this has bitten me too. The SBOM declared the license of my project to be Apache 2.0, and I wondered where it found that. Turns out, it's the license inherited from the Spring Boot parent.
We talked about that and we want to override the inherited stuff with empty defaults. We add something in the help.md file to warn users that if they switch to their own parent, they'll have to remove those overrides.
I used https://start.spring.io/ to create a 2.5.0 template Maven project:
To my surprise the created project declares a bit strange licensing information. The license is Apache for example:
You may be inclined to discard this report saying that the generated `pom.xml` doesn't have such licensing information and that's just the effective pom inheriting the license from the parent pom. True, but for various tools it's the effective pom that matters!
I've discovered this issue because my IDE started to insert Apache license headers into newly created files in the project. Why? Because it asked `mvn help:effective-pom` for project object model. The model claims the project has Apache license.
Should I take the generated project and use `mvn deploy` - it would be uploaded into Maven Central or any other Nexus, Artifactory repository under the Apache license.
Should some hacker break in and steal my code and then claim hey well the code is apache licensed so whatever, how am I supposed to defend? Shall I argue that spring initializr assigned Apache license to my code without letting me know?
I can easily fix my generated `pom.xml` by adding:
as such direct declaration overrides anything inherited from parent projects. However I wanted to bring this issue to your attention as it seems to have interesting consequences.
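Added example, not part of the original issue or of the Spring Initializr code: a small Python check that a build or SBOM pipeline could run on a project `pom.xml` to report which of the metadata elements named in this thread are left to the parent. The function names, status labels and both sample POMs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements named in this thread; a project POM takes each from <parent>
# unless it declares the element itself.
INHERITABLE = ("licenses", "developers", "scm", "url")

def _local(tag):
    """Strip the '{namespace}' prefix so POMs with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]

def _status(elem):
    """Classify one top-level element of the project POM."""
    if elem is None:
        return "inherited"        # absent: the parent chain's value reaches the effective POM
    if any((e.text or "").strip() for e in elem.iter()):
        return "declared"         # the project states its own value
    return "blank-override"       # present but empty, as proposed in the thread

def audit_pom(pom_xml):
    """Return {element: status} for a project POM, or {} if it has no <parent>."""
    root = ET.fromstring(pom_xml)
    children = {_local(c.tag): c for c in root}
    if "parent" not in children:
        return {}
    return {name: _status(children.get(name)) for name in INHERITABLE}

# Constructed sample: a generated-style POM that declares none of the elements.
GENERATED = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent><groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId><version>2.5.0</version></parent>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>0.0.1-SNAPSHOT</version>
</project>"""

# Constructed sample: the same POM with the empty overrides quoted in the thread.
OVERRIDDEN = GENERATED.replace("</project>",
    "<licenses><license/></licenses><developers><developer/></developers>"
    "<scm><url/></scm><url/></project>")

if __name__ == "__main__":
    for label, pom in (("generated", GENERATED), ("overridden", OVERRIDDEN)):
        print(label, audit_pom(pom))
```

The check reads only the project's own `pom.xml`; what an "inherited" element resolves to still has to be read from `mvn help:effective-pom`.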