directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Smith, Shawn E" <se...@psu.edu>
Subject Re: PSU SCIMple donation
Date Thu, 14 Jun 2018 17:14:03 GMT
Is an exclusion sufficient from a license perspective?


For instance if I change the pom in scim-spec-protocol to have


<dependency>
<groupId>io.swagger</groupId>
<artifactId>swagger-jaxrs</artifactId>
<version>1.5.0</version>
<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-xml</artifactId>
</exclusion>
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
</exclusion>
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-annotations</artifactId>
</exclusion>
<exclusion>
<groupId>com.google.code.findbugs</groupId>
<artifactId>annotations</artifactId>
</exclusion>
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</exclusion>
<exclusion>
<artifactId>jsr311-api</artifactId>
<groupId>javax.ws.rs</groupId>
</exclusion>
</exclusions>
</dependency>

findbugs is no longer represented in the dependency tree

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ scim-spec-protocol ---
[INFO] edu.psu.swe.scim:scim-spec-protocol:jar:2.23-SNAPSHOT
[INFO] +- javax:javaee-api:jar:7.0:provided
[INFO] |  \- com.sun.mail:javax.mail:jar:1.5.0:provided
[INFO] |     \- javax.activation:activation:jar:1.1.1:compile
[INFO] +- io.swagger:swagger-jaxrs:jar:1.5.0:compile
[INFO] |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.8.8:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.15:compile
[INFO] |  +- io.swagger:swagger-core:jar:1.5.0:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.8.8:compile
[INFO] |  |  |  \- joda-time:joda-time:jar:2.7:compile
[INFO] |  |  \- io.swagger:swagger-models:jar:1.5.0:compile
[INFO] |  |     \- io.swagger:swagger-annotations:jar:1.5.0:compile
[INFO] |  +- org.reflections:reflections:jar:0.9.10:compile
[INFO] |  |  +- com.google.guava:guava:jar:20.0:compile
[INFO] |  |  \- org.javassist:javassist:jar:3.18.2-GA:compile
[INFO] |  \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.8.8:compile
[INFO] |     +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.8.8:compile
[INFO] |     \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.8.8:compile
[INFO] +- edu.psu.swe.scim:scim-spec-schema:jar:2.23-SNAPSHOT:compile
[INFO] |  +- javax.xml.bind:jaxb-api:jar:2.1:compile
[INFO] |  |  \- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.12:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.1:compile
[INFO] +- org.projectlombok:lombok:jar:1.16.14:provided
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- pl.pragmatists:JUnitParams:jar:1.0.4:test
[INFO] +- org.slf4j:slf4j-simple:jar:1.7.12:test
[INFO] \- org.antlr:antlr4-runtime:jar:4.5.3:compile

Shanw

________________________________
From: Smith, Shawn E <ses44@psu.edu>
Sent: Saturday, June 9, 2018 1:20:25 PM
To: dev@directory.apache.org; Apache Directory Developers List
Subject: Re: PSU SCIMple donation

The dependency problem should be pretty easy to address,  they're mostly in example projects.
  I'll look at it tomorrow.

By the way,  is anyone on the list going to  Dockercon?

Get Outlook for Android<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fghei36&data=02%7C01%7Cses44%40psu.edu%7C92c37f4f451c419e1f1908d5ce2d54f3%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C636641616466043478&sdata=BSjhJ6N2DnBtFLtIATcELb0DgLxIvZTfMgaGJyb5mdg%3D&reserved=0>

________________________________
From: Stefan Seelmann <mail@stefan-seelmann.de>
Sent: Saturday, June 9, 2018 10:01:16 AM
To: dev@directory.apache.org
Subject: Re: PSU SCIMple donation

On 06/03/2018 10:39 AM, Stefan Seelmann wrote:
> Next steps:
> * Identify the codebase: What I see [2] is the latest commit, correct?
> * Decide on a name: which name should we use? SCIMple, eSCIMo, something
> else? We just make to be sure the name is not trademarked yet.

Any thoughts on this?

> * Check source and dependencies for Apache License compatibility (I do,
> but more eyes are welcomed :-)

I found the following problematic dependencies which are LGPL licensed
and must not be included in an Apache release artifact.

com.google.code.findbugs:annotations:2.0.1
* LGPL
* scim-server-rdbms, scim-spec-protocol, scim-server-couchdb, etc.
* Transitive dependency of swagger-jaxrs
* Fix: try to exclude?

org.hibernate:hibernate-jpamodelgen:5.2.0.Final
* LGPL
* scim-server-rdbms
* Fix: Change scope to provided as it is only used at build time

org.hibernate:hibernate-core:5.0.9.Final
org.hibernate:hibernate-entitymanager:5.0.9.Final
* LGPL
* scim-errai
* Fix: switch to another JPA implementation (Apache OpenJPA), but I
don't know deep Hibernate is wired into Errai.
* Note: this is only an issue if it's planned to publish a WAR file that
includes Hibernate. The current scim-errai seems to only be a showcase app.

> * Wait for secretary confirmation that CCLA is recorded

This is done



Mime
View raw message