License in Spring Boot parent is applied to generated projects with Maven #1242

Open
JaroslavTulach opened this issue Jun 6, 2021 · 7 comments

Comments

@JaroslavTulach

I used https://start.spring.io/ to create a 2.5.0 template Maven project.

To my surprise the created project declares a bit strange licensing information. The license is Apache for example:

demo$ mvn help:effective-pom | grep licenses -C 2
  <description>Demo project for Spring Boot</description>
  <url>https://spring.io/projects/spring-boot/demo</url>
  <licenses>
    <license>
      <name>The Apache Software License, Version 2.0</name>
      <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
    </license>
  </licenses>
  <developers>
    <developer>

You may be inclined to discard this report saying that the generated pom.xml doesn't have such licensing information and that's just the effective pom inheriting the license from the parent pom. True, but for various tools it's the effective pom that matters!

I've discovered this issue because my IDE started to insert Apache license headers into newly created files in the project. Why? Because it asked mvn help:effective-pom for project object model. The model claims the project has Apache license.

Should I take the generated project and use mvn deploy - it would be uploaded into Maven central or any other Nexus, Artifactory repository under the Apache license.

Should some hacker break in and steal my code and then claim hey well the code is apache licensed so whatever, how am I supposed to defend? Shall I argue that spring initializr assigned Apache license to my code without letting me know?

I can easily fix my generated pom.xml by adding:

  <licenses>
      <license>
          <name>license of your choice</name>
      </license>
  </licenses>

as such direct declaration overrides anything inherited from parent projects. However I wanted to bring this issue to your attention as it seems to have interesting consequences.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 6, 2021
@snicoll
Contributor

snicoll commented Jun 6, 2021

We are aware of this problem and it was already discussed in #1017.

The TL;DR of it is that we feel it is a shortcoming of Maven. We must set those in order to be able to deploy the parent to Maven Central. Maven doesn't offer us any tool where we can offer a parent and yet "undo" the license we had to define.

Having said that, I think that someone who creates a project and then intends to publish it to Maven Central will choose a license and define it at the project level. The build tool is just one place where that metadata is defined, so I find the use cases a bit off balance personally.

I'd like to give this yet another go with the team to see if we can improve something. #1017 mentions the reference doc and I am not sure this was properly addressed.

@snicoll snicoll changed the title Are all initializr created projects Apache licensed? License in Spring Boot parent is applied to generated projects with Maven Jun 6, 2021
@bmarwell

bmarwell commented Jun 6, 2021

Has this ever been on the Maven mailing list? It should be...

@snicoll
Contributor

snicoll commented Jun 7, 2021

@bmarwell this specific issue is part of a larger problem of mixing build information and the published pom for users' consumption. There isn't anything new that hasn't been reported in several forms already.

@JaroslavTulach
Author

The (rejected) suggestion of #1017 to include

<developers>
    <developer/>
</developers>
<licenses>
    <license/>
</licenses>
<scm>
    <url/>
</scm>
<url/>

in the generated project would be my solution as well.
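As an added check (not code from this issue, Spring Initializr or Maven), the script below makes the inherited license visible the way the IDE in the first comment saw it: it compares the `<licenses>` literally declared in the project's pom.xml with those in the `mvn help:effective-pom` output, and treats the empty `<license/>` element proposed in #1017 as a deliberate override. The sample POMs are constructed inline; the effective-POM text is the excerpt quoted above wrapped in a `<project>` root, and the parent coordinates are an assumption.

```python
import xml.etree.ElementTree as ET

# Generated pom.xml files carry the POM namespace; the effective-pom excerpt
# on the page does not, so both forms are accepted below.
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

def declared_licenses(pom_xml: str) -> list[str]:
    """License names literally present in one POM document.
    An empty <license/> placeholder yields '' so it can be told apart from
    a POM that has no <licenses> element at all."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith(POM_NS) else ""
    names = []
    for lic in root.findall(f"{ns}licenses/{ns}license"):
        name = lic.find(f"{ns}name")
        names.append((name.text or "").strip() if name is not None else "")
    return names

def license_provenance(project_pom: str, effective_pom: str) -> str:
    """'declared'      : pom.xml itself carries a <licenses> entry (real or override)
       'inherited:...' : pom.xml is silent, the effective POM got it from a parent
       'none'          : neither declares anything"""
    if declared_licenses(project_pom):
        return "declared"
    inherited = [n for n in declared_licenses(effective_pom) if n]
    return "inherited:" + "; ".join(inherited) if inherited else "none"

# Constructed samples (hypothetical parent coordinates, not taken from the page).
GENERATED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.0</version>
  </parent>
  <artifactId>demo</artifactId>
</project>"""
EFFECTIVE_POM = """<project>
  <artifactId>demo</artifactId>
  <licenses>
    <license>
      <name>The Apache Software License, Version 2.0</name>
      <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
    </license>
  </licenses>
</project>"""
# Same pom.xml with the #1017-style empty-element override added.
OVERRIDE_POM = GENERATED_POM.replace("<artifactId>demo</artifactId>",
    "<artifactId>demo</artifactId>\n  <licenses><license/></licenses>")

if __name__ == "__main__":
    print(license_provenance(GENERATED_POM, EFFECTIVE_POM))
    print(license_provenance(OVERRIDE_POM, EFFECTIVE_POM))
```

Run it against the real `pom.xml` and the saved output of `mvn help:effective-pom -Doutput=effective.xml` to spot a license your build never chose before `mvn deploy` or an SBOM generator publishes it.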

@aalmiray

aalmiray commented Jun 7, 2021

FWIW defining empty elements as mentioned by @JaroslavTulach is what the Helidon team decided. You might want to check with them for pros & cons of that approach.

@mhalbritter
Contributor

mhalbritter commented Feb 1, 2024

While looking at SBOM stuff, this has bitten me too. The SBOM declared the license of my project to be Apache 2.0, and I wondered where it found that. Turns out, it's the license inherited from the Spring Boot parent.

@mhalbritter
Contributor

We talked about that and we want to override the inherited stuff with empty defaults. We add something in the help.md file to warn users that if they switch to their own parent, they'll have to remove those overrides.
