hbase-issues mailing list archives

From "Sean Busbey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-16321) Ensure findbugs jsr305 jar isn't present
Date Thu, 04 Aug 2016 04:32:20 GMT

    [ https://issues.apache.org/jira/browse/HBASE-16321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15407118#comment-15407118 ]

Sean Busbey commented on HBASE-16321:

The jsr305 jar claims to be from the findbugs project. I can't find any reference on the findbugs
project to them having things licensed under anything other than LGPL. I don't know the provenance
of the pom present in central, so I have no reason to believe that its license metadata is

Additionally, jsr305 is dormant ([ref jsr305|https://jcp.org/en/jsr/detail?id=305]) so using
implementations of it is suspect. It also creates classes in the javax package, which means
downstream folks can't combine it with a JRE under the terms of [the oracle binary license
section F|http://www.oracle.com/technetwork/java/javase/terms/license/index.html] (I don't
think this is a problem under ASF policy, it's just something we can easily avoid by using
the cleanroom implementation we're already using across the project).

> Ensure findbugs jsr305 jar isn't present
> ----------------------------------------
>                 Key: HBASE-16321
>                 URL: https://issues.apache.org/jira/browse/HBASE-16321
>             Project: HBase
>          Issue Type: Sub-task
>          Components: dependencies
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Blocker
>             Fix For: 2.0.0, 1.3.0, 1.4.0, 1.1.6, 1.2.3
>         Attachments: HBASE-16321.1.patch, HBASE-16321.2.patch
> we should be using
> {code}
> <dependencies>
>     <dependency>
>       <groupId>com.github.stephenc.findbugs</groupId>
>       <artifactId>findbugs-annotations</artifactId>
>       <version>${findbugs-annotations}</version>
>       <scope>compile</scope>
>     </dependency>
> {code}
>  to ensure we don't have a prohibited dependency, but it looks like we're still bringing
> {code}
>     <dependency>
>       <groupId>com.google.code.findbugs</groupId>
>       <artifactId>jsr305</artifactId>
>       <version>${jsr305.version}</version>
>     </dependency>
> {code}
> remove the findbugs version (even though the maven central pom claims the license is
> ALv2, that doesn't line up with the referenced project sites).

This message was sent by Atlassian JIRA
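
The issue description notes that the `com.google.code.findbugs:jsr305` jar is still being brought in. As an added example (not part of the original message or the HBase patches), this script walks the text output of `mvn dependency:tree` and reports which direct dependency carries the jar. The sample tree, the `org.example` names and all version numbers are constructed.

```python
import re

# Coordinates the issue wants gone from the build.
BANNED = ("com.google.code.findbugs", "jsr305")

# Constructed sample of `mvn dependency:tree` output; every org.example
# name and every version number here is made up for illustration.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:tree (default-cli) @ app ---
[INFO] org.example:app:jar:1.0-SNAPSHOT
[INFO] +- com.github.stephenc.findbugs:findbugs-annotations:jar:1.0:compile
[INFO] +- org.example:rpc-lib:jar:2.1:compile
[INFO] |  +- org.example:util-lib:jar:0.9:compile
[INFO] |  |  \\- com.google.code.findbugs:jsr305:jar:1.0:compile
[INFO] |  \\- org.example:codec:jar:3.0:compile
[INFO] \\- org.example:test-kit:jar:4.0:test
[INFO]    \\- com.google.code.findbugs:jsr305:jar:1.0:test
[INFO] BUILD SUCCESS
"""

# Each tree level is a 3-character cell: "|  " or "   " for ancestors,
# "+- " or "\- " for the node itself.
NODE = re.compile(r"^\[INFO\] ((?:[| ]  |[+\\]- )*)(\S+)$")

def find_banned_paths(tree_text, banned=BANNED):
    """Return one root-to-jar path of 'group:artifact' names per occurrence."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        parts = m.group(2).split(":") if m else []
        if len(parts) < 4:
            continue  # banner, separator or summary line, not a tree node
        depth = len(m.group(1)) // 3
        del stack[depth:]  # drop siblings and their subtrees
        stack.append((parts[0], parts[1]))
        if stack[-1] == banned:
            hits.append([":".join(ga) for ga in stack])
    return hits

def exclusion_points(paths):
    """Direct dependencies that pull the jar in transitively."""
    return sorted({p[1] for p in paths if len(p) > 2})

if __name__ == "__main__":
    for path in find_banned_paths(SAMPLE_TREE):
        print(" -> ".join(path))
    print("add an <exclusion> under:", exclusion_points(find_banned_paths(SAMPLE_TREE)))
```

A path of length two means the jar is declared directly in the module's own pom, so it has to be removed there rather than excluded from another dependency.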