Publish open-source Maven parent POM without inheriting `<license>`

We want to publish a Maven POM that is useful to serve as the parent POM for various projects. Some of the projects that use the POM will be open source, but some will not be. To designate our parent POM as open source, we include this:

<licenses>
  <license>
    <name>Apache-2.0</name>
    <url>https://www.apache.org/licenses/LICENSE-2.0</url>
    <distribution>repo</distribution>
  </license>
</licenses>

This essentially says, "this project is open source".

Unfortunately because of POM inheritance, any project that uses this parent POM will also effectively be saying "this project is also open source", because the effective POM of all descendant projects will also include this same license section.

Developers could try to remember to include some <licenses> section to override this license, but the whole point of the parent POM is that it should give developers less to do, not more. Besides, some private projects (even ours) might not wish to indicate a license at all!

How can our public parent POM indicate that it is open source without effectively making all child projects open source as well through POM inheritance? Is there a POM setting to prevent the <licenses> section from being inherited for example?

Update: I filed improvement request ticket MNG-7562 for this capability.

Rilke answered 4/8, 2022 at 16:25 Comment(5)
'that uses this parent POM will also effectively be saying "this project is also open source"': I think this is not really clear. Just using the parent POM is not a statement about a license, the effective POM neither. It is different, though, when you create automatic documentation like a Maven site, which includes a license section. - Calbert
"Just using the parent POM is not a statement about a license …" If having a license in the parent POM does not inherit to make a statement about the child POM, then why does Maven Central allow me to publish a child POM without a license if there is a license in the parent POM, but complain that a license is required if I remove it from the parent POM? - Rilke
Good question, complex situation! ..but it sounds like (a solution) it is worth to maintain a parent-pom "per license type" (in your.org)!? - Teriann
so "fight inheritance" with "more inheritance"!?? :):):) - Teriann
@GarretWilson I just wanted to state that legally, this is not clear at all. So if I use your parent POM and did not notice that it has an open source license, you cannot safely assume that I give away my project as open source. Nevertheless, a solution to your problem would be great, I do not see any at the moment. Plugins have <inherited>false</inherited>, but licenses are a different kettle of fish. - Calbert

From my point of view, you'll have 2 choices:

  • Include <licenses> in your POM, and expect the developer using it will override it, if the project is not compliant with the license provided.
  • Remove the <licenses> from your POM, and include in the README the license (in that case, developer using your POM will also have to specify the license, if needed).

Edit: Remove part regarding child inheritance attribute only working for url (see below comments)

Subsidy answered 7/10, 2022 at 7:29 Comment(11)
Please explain what child.licences.append.path=false does, how it works, and where it is documented. - Rilke
I've updated my answer with source. I've not tried the child.licences.append.path=false but I'm using the child.scm.ATTRIBUTE.inherit.append.path="false" in my projects. - Subsidy
DamienG, does ….append.path="false" prevent the child element from being inherited altogether, or does it merely prevent the child project from appending a path to the value, as in the <scm> case you linked to? Won't the value still be inherited? See MNG-5951, MNG-6059, and Maven Model Builder, the latter of which says that this setting is to "… avoid appending any path to parent value …". - Rilke
You're right Garret Wilson, as per Maven Model Builder (and checked in the Maven source code), it only prevents appending for: project.url, site.url, scm.*. I'll update my answer. - Subsidy
"Include <licenses> in your POM, and expect the developer using it will override it …" But how would the developer remove it altogether in a child POM? - Rilke
"Remove the <licenses> from your POM …" But then how could I publish it to Maven Central? Doesn't Nexus require a license in the POM in order to publish it? - Rilke
Not aware about Maven central requirements, but neither Nexus nor Maven would require a licence in the POM. It's not a mandatory element: Minimal POM - Subsidy
It's been a while since I verified that Nexus will deny a deployment without a license so I can't swear to it, but I'm pretty sure I tried to upload a POM without a license once and wasn't allowed. The Sonatype requirements do state that "You need to declare the license(s) used for distributing your components." - Rilke
Indeed! Then you'll have to leave it, and expect developer using your POM will override its license if needed. It's not anymore your responsibility once you've published an artifact its usage/misusage - Subsidy
"… expect developer using your POM will override its license …" Now we've come full circle back to the starting point. That was the whole point of this question, wasn't it? "It's not anymore your responsibility once you've published an artifact its usage/misusage" That isn't entirely true. The POM isn't being "misused". Its purpose is to provide functionality. Libraries shouldn't come with hidden, unexpected legal implications. That's why I'm looking for a way for my library not to provide unexpected consequences, but Maven/Nexus/Sonatype is forcing me to. - Rilke
Well then I guess you need to add a ReadMe with a giant flashing light warning about the license usage - Subsidy
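
An added example, not part of the original posts and not Maven's own code: a small Python audit that reports whether a child POM declares its own license or only picks one up from the parent, following the inheritance behaviour discussed in this thread. The `com.example` coordinates, the child POMs and the function names are constructed for illustration, and only one parent level is considered.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POMs; only the Apache-2.0 block mirrors the question.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>parent</artifactId><version>1</version>
  <packaging>pom</packaging>
  <licenses>
    <license>
      <name>Apache-2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0</url>
      <distribution>repo</distribution>
    </license>
  </licenses>
</project>"""

CHILD_SILENT = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent><groupId>com.example</groupId><artifactId>parent</artifactId><version>1</version></parent>
  <artifactId>internal-service</artifactId>
</project>"""

# Same child, but overriding the parent's license as the answer suggests.
CHILD_OVERRIDE = CHILD_SILENT.replace(
    "</project>",
    "<licenses><license><name>Proprietary</name></license></licenses></project>")


def declared_licenses(pom_xml):
    """License names written in this POM itself (no inheritance applied).
    Parse only POMs you trust, or swap in a hardened XML parser."""
    root = ET.fromstring(pom_xml)
    return [(n.text or "").strip()
            for n in root.findall("m:licenses/m:license/m:name", NS)]


def audit(child_xml, parent_xml):
    """Return (effective license names, 'declared' | 'inherited' | 'none').
    Assumption: a child with no <license> entries takes the parent's list."""
    own = declared_licenses(child_xml)
    if own:
        return own, "declared"
    inherited = declared_licenses(parent_xml)
    return inherited, ("inherited" if inherited else "none")
```

Run over every module in a build, an `inherited` result marks the projects whose published license was never chosen by their own maintainers.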
