fluo-dev mailing list archives

From Christopher <ctubb...@apache.org>
Subject Re: On Findbugs jsr305 (was Re: [VOTE] Apache Fluo Recipes 1.0.0-incubating-rc1)
Date Sun, 23 Oct 2016 21:21:20 GMT
Aside from the reporter of that issue's understandable confusion about the
difference between the FindBugs license itself and that of something bundled
with FindBugs, the evidence seems overwhelming that the artifact is BSD:

- Original developers agreed to BSD on Google Groups forum
- Original repo (as archived on code.google.com) contains BSD LICENSE
- FindBugs repo where it's bundled declares it BSD
- RHEL/CentOS and Fedora RPMs all declare it BSD
- LICENSE in the current maintainer's repo is BSD (relocated from
code.google.com)
- The current maintainer has acknowledged the incorrect AL2 license in the
Maven Central artifact and is willing to accept a PR to fix[1].

Even if it were LGPL, I still don't think there'd be an issue, because of
how we're using it as a build-dep and transitive-dep for an optional
feature.
If you still think there's an issue, let's please escalate to LEGAL for
resolution.

[1]: https://github.com/amaembo/jsr-305/issues/27


On Sun, Oct 23, 2016 at 2:47 PM Josh Elser <elserj@apache.org> wrote:

> The ambiguity of the conversation you provided in [6] is exactly why I
> have this opinion. Unless one of the devs can definitively say "it is
> BSD", there's way too much mis-information for me to feel comfortable
> with it.
>
> Given the availability of
> https://stephenc.github.com/findbugs-annotations, it's a no-brainer to
> use that instead, IMO.
>
> Specifically to Fluo, I did not inspect its usage that closely. If it's
> only used at build time, then, as you point out, it's a non-issue.
>
> Christopher wrote:
> > What makes you think that jsr305 is not compatibly licensed? I spent some
> > time investigating this and the following is what I found. Unless I've
> > missed something, it looks like there's no issue with jsr305 as a
> > dependency.
> >
> > * It looks to me like it's licensed under BSD. This is according to the
> > findbugs project[1], which has been redistributing the artifact after it
> > effectively went dormant[2]. The Google Groups set up for developing
> jsr305
> > seems to confirm the developers had agreed to distribute it under
> this[3].
> > * It looks like jsr305 is often incorrectly uploaded to Maven Central (by
> > findbugs?) under AL2, which is the license in the POM for our dependency
> > (version 3.0.0) [4]. It was once uploaded (again, seemingly incorrectly)
> as
> > LGPL, but we're not using that version [5].
> > * There is an outstanding GitHub issue for findbugs to clarify the
> > license[6], because it looks like they've been mislabeling it when they
> > redistribute. But, it's also possible that they've been able to relicense
> > under AL2, and forgot to update their docs which still say it's BSD.
> > * jsr305 is used by us during the build, as a test dependency. it looks
> > like that's okay, since we're not bundling it[7].
> > * It is also used as a compile and/or runtime transitive dependency via
> > Apache Spark. Even if we did depend on it directly, it seems like it
> should
> > be fine because it's an optional part of the project[8], as long as we're
> > not bundling it, and we're not.
> > * Is it a problem for Apache Spark to depend on this directly? If it's
> not,
> > I can't imagine it would be for us to depend on it transitively, through
> > them.
> >
> > [1]:
> >
> https://github.com/findbugsproject/findbugs/blob/3.0.1/findbugs/licenses/LICENSE-jsr305.txt
> > [2]: https://jcp.org/en/jsr/detail?id=305
> > [3]: https://groups.google.com/forum/#!topic/jsr-305/gQWGmiWMjE8
> > [4]:
> >
> https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.0/jsr305-3.0.0.pom
> > [5]:
> >
> https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.8/jsr305-1.3.8.pom
> > [6]: https://github.com/findbugsproject/findbugs/issues/128
> > [7]: http://www.apache.org/legal/resolved.html#prohibited
> > [8]: http://www.apache.org/legal/resolved.html#optional
> >
> > On Fri, Oct 21, 2016 at 6:37 PM Josh Elser <elserj@apache.org> wrote:
> >
> >> +1
> >>
> >> * Sigs/xsums OK
> >> * No binaries in release
> >> * KEYS is accurate
> >> * Can build from source
> >> * Direct dependencies OK (beware that you are transitively bringing in
> >> com.google.code.findbugs:jsr305:jar:3.0.0 which is not compatibly
> >> licensed -- this should be fixed in the future)
> >> * No Copyright notices
> >> * apache-rat:check passes
> >> * Can run all tests
> >> * Artifacts built from release appear to be appropriately licensed.
> >> * Commit is contained in repository
> >> * Would prefer to see apache-fluo-recipes as the name instead.
> >>
> >> - Josh
> >>
> >> Keith Turner wrote:
> >>> Fluo Developers,
> >>>
> >>> Please consider the following candidate for Fluo Recipes
> >> 1.0.0-incubating.
> >>> Git Commit:
> >>>       682eff983f1fe6e60b75c36d3b2f782c6a93b155
> >>> Branch:
> >>>       1.0.0-incubating-rc1
> >>>
> >>> If this vote passes, a gpg-signed tag will be created using:
> >>>       git tag -f -m 'Apache Fluo Recipes 1.0.0-incubating' -s
> >>> rel/fluo-recipes-1.0.0-incubating \
> >>>       682eff983f1fe6e60b75c36d3b2f782c6a93b155
> >>> Staging repo:
> >>> https://repository.apache.org/content/repositories/orgapachefluo-1016
> >>> Source (official release artifact):
> >>>
> >>
> https://repository.apache.org/content/repositories/orgapachefluo-1016/org/apache/fluo/fluo-recipes/1.0.0-incubating/fluo-recipes-1.0.0-incubating-source-release.tar.gz
> >>> (Append ".sha1", ".md5", or ".asc" to download the signature/hash for a
> >>> given artifact.)
> >>>
> >>> All artifacts were built and staged with:
> >>>       mvn release:prepare && mvn release:perform
> >>>
> >>> Signing keys are available at
> >>> https://www.apache.org/dist/incubator/fluo/KEYS
> >>> (Expected fingerprint: CF72CA07C8BC86A1C862765F9AACFB56352ACF76)
> >>>
> >>> Release notes (in progress) can be found at:
> >>> https://fluo.apache.org/.../1.0.0-incubating
> >>>
> >>> Please vote one of:
> >>> [ ] +1 - I have verified and accept...
> >>> [ ] +0 - I have reservations, but not strong enough to vote against...
> >>> [ ] -1 - Because..., I do not accept...
> >>> ... these artifacts as the 1.0.0-incubating release of Apache Fluo
> >> Recipes.
> >>> This vote will end on Sun Oct 23 22:30:00 UTC 2016
> >>> (Sun Oct 23 18:30:00 EDT 2016 / Sun Oct 23 15:30:00 PDT 2016)
> >>>
> >>> Thanks!
> >>>
> >>> P.S. Hint: download the whole staging repo with
> >>>       wget -erobots=off -r -l inf -np -nH \
> >>>
> >> https://repository.apache.org/content/repositories/orgapachefluo-1016/
> >>>       # note the trailing slash is needed
> >>>
> >
>
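The vote message above asks reviewers to check the artifact's ".sha1"/".md5" sidecars and the signing key's fingerprint against the one announced in the e-mail. The following is an added example, not code from the thread or from the Fluo project, showing those two checks on constructed in-memory data (a stand-in for the tarball and its sidecars); the ".asc" signature itself still has to be checked with gpg, which this block does not do.

```python
"""Check a staged release artifact against its Maven-style hash sidecars and
compare a KEYS fingerprint with the one announced in a vote e-mail.
Added example for the thread above; all inputs below are constructed."""
import hashlib
import hmac
import re

# Fingerprint exactly as announced in the vote e-mail quoted above.
EXPECTED_FINGERPRINT = "CF72CA07C8BC86A1C862765F9AACFB56352ACF76"

def parse_sidecar(text: str) -> str:
    """Return the lowercase hex digest from a Maven hash sidecar.
    Sidecars are either a bare digest or "<digest>  <filename>" in
    sha1sum/md5sum style; in both cases the first hex token is the digest."""
    match = re.match(r"\s*([0-9a-fA-F]+)", text)
    if not match:
        raise ValueError("sidecar does not start with a hex digest")
    return match.group(1).lower()

def digest_matches(data: bytes, sidecar_text: str, algorithm: str) -> bool:
    """True if data hashes (with the named hashlib algorithm) to the sidecar's digest."""
    expected = parse_sidecar(sidecar_text)
    actual = hashlib.new(algorithm, data).hexdigest()
    if len(expected) != len(actual):  # e.g. an md5 sidecar handed to the sha1 check
        return False
    return hmac.compare_digest(expected, actual)

def fingerprint_matches(keys_fingerprint: str, announced: str) -> bool:
    """Compare OpenPGP fingerprints ignoring case and the spacing gpg prints
    when it groups the hex in blocks of four."""
    def normalize(value: str) -> str:
        return re.sub(r"\s+", "", value).upper()
    return normalize(keys_fingerprint) == normalize(announced)

def verify_artifact(data: bytes, sha1_sidecar: str, md5_sidecar: str) -> bool:
    """The "Sigs/xsums OK" step for the hash part: both sidecars must match."""
    return (digest_matches(data, sha1_sidecar, "sha1")
            and digest_matches(data, md5_sidecar, "md5"))

# Constructed stand-ins for the tarball and the sidecars a staging repo serves.
SAMPLE_ARTIFACT = b"constructed stand-in for the source-release tarball\n"
SAMPLE_SHA1 = (hashlib.sha1(SAMPLE_ARTIFACT).hexdigest()
               + "  fluo-recipes-1.0.0-incubating-source-release.tar.gz\n")
SAMPLE_MD5 = hashlib.md5(SAMPLE_ARTIFACT).hexdigest()
TAMPERED_ARTIFACT = SAMPLE_ARTIFACT + b"one extra byte"

if __name__ == "__main__":
    print("artifact ok:", verify_artifact(SAMPLE_ARTIFACT, SAMPLE_SHA1, SAMPLE_MD5))
    print("tampered ok:", verify_artifact(TAMPERED_ARTIFACT, SAMPLE_SHA1, SAMPLE_MD5))
    print("fingerprint ok:", fingerprint_matches(
        "CF72 CA07 C8BC 86A1 C862  765F 9AAC FB56 352A CF76", EXPECTED_FINGERPRINT))
```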
