fluo-dev mailing list archives

From Christopher <ctubb...@apache.org>
Subject Re: [VOTE] Apache Fluo Recipes 1.0.0-incubating-rc1
Date Sat, 22 Oct 2016 04:39:02 GMT
What makes you think that jsr305 is not compatibly licensed? I spent some
time investigating this and the following is what I found. Unless I've
missed something, it looks like there's no issue with jsr305 as a
dependency.

* It looks to me like it's licensed under BSD. This is according to the
findbugs project[1], which has been redistributing the artifact after it
effectively went dormant[2]. The Google Groups set up for developing jsr305
seems to confirm the developers had agreed to distribute it under this[3].
* It looks like jsr305 is often incorrectly uploaded to Maven Central (by
findbugs?) under AL2, which is the license in the POM for our dependency
(version 3.0.0) [4]. It was once uploaded (again, seemingly incorrectly) as
LGPL, but we're not using that version [5].
* There is an outstanding GitHub issue for findbugs to clarify the
license[6], because it looks like they've been mislabeling it when they
redistribute. But, it's also possible that they've been able to relicense
under AL2, and forgot to update their docs which still say it's BSD.
* jsr305 is used by us during the build, as a test dependency. It looks
like that's okay, since we're not bundling it[7].
* It is also used as a compile and/or runtime transitive dependency via
Apache Spark. Even if we did depend on it directly, it seems like it should
be fine because it's an optional part of the project[8], as long as we're
not bundling it, and we're not.
* Is it a problem for Apache Spark to depend on this directly? If it's not,
I can't imagine it would be for us to depend on it transitively, through
them.

[1]: https://github.com/findbugsproject/findbugs/blob/3.0.1/findbugs/licenses/LICENSE-jsr305.txt
[2]: https://jcp.org/en/jsr/detail?id=305
[3]: https://groups.google.com/forum/#!topic/jsr-305/gQWGmiWMjE8
[4]: https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.0/jsr305-3.0.0.pom
[5]: https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.8/jsr305-1.3.8.pom
[6]: https://github.com/findbugsproject/findbugs/issues/128
[7]: http://www.apache.org/legal/resolved.html#prohibited
[8]: http://www.apache.org/legal/resolved.html#optional

On Fri, Oct 21, 2016 at 6:37 PM Josh Elser <elserj@apache.org> wrote:

> +1
>
> * Sigs/xsums OK
> * No binaries in release
> * KEYS is accurate
> * Can build from source
> * Direct dependencies OK (beware that you are transitively bringing in
> com.google.code.findbugs:jsr305:jar:3.0.0 which is not compatibly
> licensed -- this should be fixed in the future)
> * No Copyright notices
> * apache-rat:check passes
> * Can run all tests
> * Artifacts built from release appear to be appropriately licensed.
> * Commit is contained in repository
> * Would prefer to see apache-fluo-recipes as the name instead.
>
> - Josh
>
> Keith Turner wrote:
> > Fluo Developers,
> >
> > Please consider the following candidate for Fluo Recipes 1.0.0-incubating.
> >
> > Git Commit:
> >      682eff983f1fe6e60b75c36d3b2f782c6a93b155
> > Branch:
> >      1.0.0-incubating-rc1
> >
> > If this vote passes, a gpg-signed tag will be created using:
> >      git tag -f -m 'Apache Fluo Recipes 1.0.0-incubating' -s rel/fluo-recipes-1.0.0-incubating \
> >      682eff983f1fe6e60b75c36d3b2f782c6a93b155
> > Staging repo:
> > https://repository.apache.org/content/repositories/orgapachefluo-1016
> > Source (official release artifact):
> > https://repository.apache.org/content/repositories/orgapachefluo-1016/org/apache/fluo/fluo-recipes/1.0.0-incubating/fluo-recipes-1.0.0-incubating-source-release.tar.gz
> > (Append ".sha1", ".md5", or ".asc" to download the signature/hash for a
> > given artifact.)
> >
> > All artifacts were built and staged with:
> >      mvn release:prepare && mvn release:perform
> >
> > Signing keys are available at
> > https://www.apache.org/dist/incubator/fluo/KEYS
> > (Expected fingerprint: CF72CA07C8BC86A1C862765F9AACFB56352ACF76)
> >
> > Release notes (in progress) can be found at:
> > https://fluo.apache.org/.../1.0.0-incubating
> >
> > Please vote one of:
> > [ ] +1 - I have verified and accept...
> > [ ] +0 - I have reservations, but not strong enough to vote against...
> > [ ] -1 - Because..., I do not accept...
> > ... these artifacts as the 1.0.0-incubating release of Apache Fluo Recipes.
> >
> > This vote will end on Sun Oct 23 22:30:00 UTC 2016
> > (Sun Oct 23 18:30:00 EDT 2016 / Sun Oct 23 15:30:00 PDT 2016)
> >
> > Thanks!
> >
> > P.S. Hint: download the whole staging repo with
> >      wget -erobots=off -r -l inf -np -nH \
> >      https://repository.apache.org/content/repositories/orgapachefluo-1016/
> >      # note the trailing slash is needed
> >
>
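
Added example, not part of either message or of the project's tooling: one way to script the "Sigs" and "KEYS" checks from the thread, so that a signature only counts if gpg's machine-readable status names the fingerprint given in the vote email. The function names and the sample status lines are constructed for illustration, and it assumes the KEYS file has already been imported into the local keyring.

```shell
#!/bin/sh
# Expected release-signing fingerprint, copied from the vote email.
EXPECTED_FPR="CF72CA07C8BC86A1C862765F9AACFB56352ACF76"

# Read `gpg --status-fd` output on stdin and print the primary-key
# fingerprint from the VALIDSIG line (its 10th argument, awk field 12).
# The primary key is what a KEYS file pins; field 3 may be a subkey.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && NF >= 12 {
             print toupper($12); exit }'
}

# Succeed only if the status text shows a valid signature by the expected
# key, and that key is not reported as expired or revoked.
status_matches_expected() {
    case "$1" in
        *"[GNUPG:] EXPKEYSIG"*|*"[GNUPG:] REVKEYSIG"*) return 1 ;;
    esac
    got=$(printf '%s\n' "$1" | validsig_primary_fpr)
    [ -n "$got" ] && [ "$got" = "$EXPECTED_FPR" ]
}

# verify_release ARTIFACT: checks ARTIFACT against ARTIFACT.asc.
# A "Good signature" from some other key in the keyring fails here.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null)
    status_matches_expected "$status"
}

# Constructed status output (not captured from a real run): a valid
# signature by the expected key, and one by an unrelated key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9AACFB56352ACF76 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG CF72CA07C8BC86A1C862765F9AACFB56352ACF76 2016-10-21 1477000000 0 4 0 1 8 00 CF72CA07C8BC86A1C862765F9AACFB56352ACF76'

SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Other Signer <other@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-10-21 1477000000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
```

After downloading the source tarball and its `.asc`, `verify_release fluo-recipes-1.0.0-incubating-source-release.tar.gz` exits 0 only when the signing key matches the pinned fingerprint.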
