fluo-dev mailing list archives

From Josh Elser <els...@apache.org>
Subject On Findbugs jsr305 (was Re: [VOTE] Apache Fluo Recipes 1.0.0-incubating-rc1)
Date Sun, 23 Oct 2016 18:46:59 GMT
The ambiguity of the conversation you provided in [6] is exactly why I 
have this opinion. Unless one of the devs can definitively say "it is 
BSD", there's way too much misinformation for me to feel comfortable 
with it.

Given the availability of 
https://stephenc.github.com/findbugs-annotations, it's a no-brainer to 
use that instead, IMO.

Specifically to Fluo, I did not inspect its usage that closely. If it's 
only used at build time, then, as you point out, it's a non-issue.

Christopher wrote:
> What makes you think that jsr305 is not compatibly licensed? I spent some
> time investigating this and the following is what I found. Unless I've
> missed something, it looks like there's no issue with jsr305 as a
> dependency.
>
> * It looks to me like it's licensed under BSD. This is according to the
> findbugs project[1], which has been redistributing the artifact after it
> effectively went dormant[2]. The Google Groups set up for developing jsr305
> seems to confirm the developers had agreed to distribute it under this[3].
> * It looks like jsr305 is often incorrectly uploaded to Maven Central (by
> findbugs?) under AL2, which is the license in the POM for our dependency
> (version 3.0.0) [4]. It was once uploaded (again, seemingly incorrectly) as
> LGPL, but we're not using that version [5].
> * There is an outstanding GitHub issue for findbugs to clarify the
> license[6], because it looks like they've been mislabeling it when they
> redistribute. But, it's also possible that they've been able to relicense
> under AL2, and forgot to update their docs which still say it's BSD.
> * jsr305 is used by us during the build, as a test dependency. It looks
> like that's okay, since we're not bundling it[7].
> * It is also used as a compile and/or runtime transitive dependency via
> Apache Spark. Even if we did depend on it directly, it seems like it should
> be fine because it's an optional part of the project[8], as long as we're
> not bundling it, and we're not.
> * Is it a problem for Apache Spark to depend on this directly? If it's not,
> I can't imagine it would be for us to depend on it transitively, through
> them.
>
> [1]:
> https://github.com/findbugsproject/findbugs/blob/3.0.1/findbugs/licenses/LICENSE-jsr305.txt
> [2]: https://jcp.org/en/jsr/detail?id=305
> [3]: https://groups.google.com/forum/#!topic/jsr-305/gQWGmiWMjE8
> [4]:
> https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.0/jsr305-3.0.0.pom
> [5]:
> https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.8/jsr305-1.3.8.pom
> [6]: https://github.com/findbugsproject/findbugs/issues/128
> [7]: http://www.apache.org/legal/resolved.html#prohibited
> [8]: http://www.apache.org/legal/resolved.html#optional
>
> On Fri, Oct 21, 2016 at 6:37 PM Josh Elser <elserj@apache.org> wrote:
>
>> +1
>>
>> * Sigs/xsums OK
>> * No binaries in release
>> * KEYS is accurate
>> * Can build from source
>> * Direct dependencies OK (beware that you are transitively bringing in
>> com.google.code.findbugs:jsr305:jar:3.0.0 which is not compatibly
>> licensed -- this should be fixed in the future)
>> * No Copyright notices
>> * apache-rat:check passes
>> * Can run all tests
>> * Artifacts built from release appear to be appropriately licensed.
>> * Commit is contained in repository
>> * Would prefer to see apache-fluo-recipes as the name instead.
>>
>> - Josh
>>
>> Keith Turner wrote:
>>> Fluo Developers,
>>>
>>> Please consider the following candidate for Fluo Recipes 1.0.0-incubating.
>>> Git Commit:
>>>       682eff983f1fe6e60b75c36d3b2f782c6a93b155
>>> Branch:
>>>       1.0.0-incubating-rc1
>>>
>>> If this vote passes, a gpg-signed tag will be created using:
>>>       git tag -f -m 'Apache Fluo Recipes 1.0.0-incubating' -s rel/fluo-recipes-1.0.0-incubating \
>>>       682eff983f1fe6e60b75c36d3b2f782c6a93b155
>>> Staging repo:
>>> https://repository.apache.org/content/repositories/orgapachefluo-1016
>>> Source (official release artifact):
>>> https://repository.apache.org/content/repositories/orgapachefluo-1016/org/apache/fluo/fluo-recipes/1.0.0-incubating/fluo-recipes-1.0.0-incubating-source-release.tar.gz
>>> (Append ".sha1", ".md5", or ".asc" to download the signature/hash for a
>>> given artifact.)
>>>
>>> All artifacts were built and staged with:
>>>       mvn release:prepare && mvn release:perform
>>>
>>> Signing keys are available at
>>> https://www.apache.org/dist/incubator/fluo/KEYS
>>> (Expected fingerprint: CF72CA07C8BC86A1C862765F9AACFB56352ACF76)
>>>
>>> Release notes (in progress) can be found at:
>>> https://fluo.apache.org/.../1.0.0-incubating
>>>
>>> Please vote one of:
>>> [ ] +1 - I have verified and accept...
>>> [ ] +0 - I have reservations, but not strong enough to vote against...
>>> [ ] -1 - Because..., I do not accept...
>>> ... these artifacts as the 1.0.0-incubating release of Apache Fluo Recipes.
>>> This vote will end on Sun Oct 23 22:30:00 UTC 2016
>>> (Sun Oct 23 18:30:00 EDT 2016 / Sun Oct 23 15:30:00 PDT 2016)
>>>
>>> Thanks!
>>>
>>> P.S. Hint: download the whole staging repo with
>>>       wget -erobots=off -r -l inf -np -nH \
>>>       https://repository.apache.org/content/repositories/orgapachefluo-1016/
>>>       # note the trailing slash is needed
>>>
>
