[ANN] Clojars now requires a license in the POM for new projects or projects that already specify a license

Toby Crawley

Sep 29, 2023, 7:33:37 AM
to Clojure
Hi all!

Clojars (https://clojars.org - the community repository for open source Clojure
libraries) will now require a license to be specified in the POM file for:

- newly uploaded versions for new projects
- newly uploaded versions for existing projects where the prior version had a license

We will then start requiring a license for *all* newly uploaded versions on or
after 2024-01-01. Note that this will not impact any *existing* versions;
existing versions that don't have a license in the POM file will remain
unchanged.

For more details, see this issue[1] for discussion of the change, and the
Deploying wiki entry[2] for how to add a license to your POM.

## Why is Clojars making this change?

We are making this change:

- to better support auditing from Java ecosystem tools that use the POM as the
source of truth for the license
- to enforce better hygiene; all open source projects should have a license

## How does this change impact me?

If you only consume projects from Clojars and do not release libraries, you
don't need to do anything.

If you publish projects to Clojars, you will need to:

- include a license with any new projects
- continue to include a license with new versions of projects where you already
provide a license
- update any projects that don't provide a license to provide one before the end
of the year if you plan to release a new version

If Clojars rejects your deploy, you will see a message like:

```
Could not transfer metadata org.clojars.tcrawley:deploytest/maven-metadata.xml from/to clojars (https://repo.clojars.org/): authorization failed for https://repo.clojars.org/org/clojars/tcrawley/deploytest/maven-metadata.xml, status: 403 Forbidden - the POM file does not include a license. See https://bit.ly/3PQunZU
```

Most versions already have licenses in their POM files since Leiningen[3]
includes one by default, and prints a warning when you try to deploy without
one. But newer tooling built on the Clojure CLI tools[4] doesn't have this
warning (however, clj-new[5] will generate a pom.xml that does include a license
if you use it to template your project).

## Thank you

Thanks to Peter Monks for suggesting this change, and Daniel Compton for
discussing a solution.

## Supporting this work

This work was done as part of an ongoing maintenance contract from Clojurists
Together[6]. You can also sponsor me directly on GitHub Sponsors[7] if you would
like to directly fund my maintenance of Clojars.

Please reply here or on the issue if you have any concerns or questions.

- Toby

[1]: https://github.com/clojars/clojars-web/issues/873
[2]: https://github.com/clojars/clojars-web/wiki/Pushing#licenses
[3]: https://leiningen.org/
[4]: https://clojure.org/guides/deps_and_cli
[5]: https://github.com/seancorfield/clj-new
[6]: https://www.clojuriststogether.org/
[7]: https://github.com/sponsors/tobias
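
A local pre-deploy check for the requirement announced above, as an added example that is not part of the original post and is not Clojars' own code. The post does not spell out the server-side rule, so the check here (at least one non-empty `<license>` directly under `<project><licenses>`) is an assumption, and the function names and sample POMs are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

def _local(tag):
    # '{http://maven.apache.org/POM/4.0.0}license' -> 'license'
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def pom_licenses(pom_xml):
    """Return (name, url) for every non-empty <license> under <project><licenses>."""
    root = ET.fromstring(pom_xml)
    if _local(root.tag) != "project":
        raise ValueError("root element is not <project>")
    found = []
    # Only direct children of <project> count, so a <licenses> element nested
    # elsewhere in the file is not mistaken for the project's own declaration.
    for block in _children(root, "licenses"):
        for lic in _children(block, "license"):
            fields = {_local(c.tag): (c.text or "").strip() for c in lic}
            name, url = fields.get("name", ""), fields.get("url", "")
            if name or url:  # assumption: an empty <license/> does not count
                found.append((name, url))
    return found

def check_pom(pom_xml):
    """Return (ok, message); ok is False when the deploy should be stopped."""
    licenses = pom_licenses(pom_xml)
    if not licenses:
        return False, "POM declares no license; add <licenses> before deploying"
    return True, "licenses: " + ", ".join(n or u for n, u in licenses)

# Constructed sample POMs (not taken from any real project).
POM_OK = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>demo</artifactId><version>0.1.0</version>
  <licenses><license>
    <name>EPL-1.0</name>
    <url>https://www.eclipse.org/legal/epl-v10.html</url>
  </license></licenses>
</project>"""
POM_MISSING = """<project><groupId>org.example</groupId>
  <artifactId>demo</artifactId><version>0.1.0</version></project>"""
POM_EMPTY = "<project><licenses><license/></licenses></project>"

if __name__ == "__main__":
    # Usage: python check_pom_license.py pom.xml  (exits 1 when no license is found)
    with open(sys.argv[1], "rb") as fh:
        ok, message = check_pom(fh.read())
    print(message)
    sys.exit(0 if ok else 1)
```

Run as a CI step before the deploy task, this surfaces a missing license locally instead of as a 403 from the repository.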