hbase-issues mailing list archives

From "Sean Busbey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-16321) Ensure findbugs jsr305 jar isn't present
Date Thu, 04 Aug 2016 04:32:20 GMT

    [ https://issues.apache.org/jira/browse/HBASE-16321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15407118#comment-15407118 ]

Sean Busbey commented on HBASE-16321:
-------------------------------------

The jsr305 jar claims to be from the findbugs project. I can't find any reference on the findbugs
project to them having things licensed under anything other than LGPL. I don't know the provenance
of the pom present in central, so I have no reason to believe that its license metadata is
correct.

Additionally, jsr305 is dormant ([ref jsr305|https://jcp.org/en/jsr/detail?id=305]) so using
implementations of it is suspect. It also creates classes in the javax package, which means
downstream folks can't combine it with a JRE under the terms of [the Oracle binary license
section F|http://www.oracle.com/technetwork/java/javase/terms/license/index.html] (I don't
think this is a problem under ASF policy, it's just something we can easily avoid by using
the cleanroom implementation we're already using across the project).

> Ensure findbugs jsr305 jar isn't present
> ----------------------------------------
>
>                 Key: HBASE-16321
>                 URL: https://issues.apache.org/jira/browse/HBASE-16321
>             Project: HBase
>          Issue Type: Sub-task
>          Components: dependencies
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Blocker
>             Fix For: 2.0.0, 1.3.0, 1.4.0, 1.1.6, 1.2.3
>
>         Attachments: HBASE-16321.1.patch, HBASE-16321.2.patch
>
>
> we should be using
> {code}
> <dependencies>
>     <dependency>
>       <groupId>com.github.stephenc.findbugs</groupId>
>       <artifactId>findbugs-annotations</artifactId>
>       <version>${findbugs-annotations}</version>
>       <scope>compile</scope>
>     </dependency>
> </dependencies>
> {code}
> to ensure we don't have a prohibited dependency, but it looks like we're still bringing in
> {code}
> <dependency>
>   <groupId>com.google.code.findbugs</groupId>
>   <artifactId>jsr305</artifactId>
>   <version>${jsr305.version}</version>
> </dependency>
> {code}
> remove the findbugs version (even though the maven central pom claims the license is
> ALv2, that doesn't line up with the referenced project sites).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
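
Removing the jar the issue describes starts with knowing which declared dependency brings it in. The following is an added example, not part of the original message or HBase's own tooling: it walks the text output of `mvn dependency:tree` and reports the path to every occurrence of `com.google.code.findbugs:jsr305`. The sample tree, all `org.example` coordinates and all version numbers are constructed.

```python
import re

# Coordinate the issue wants gone (groupId:artifactId), taken from the page.
BANNED = {"com.google.code.findbugs:jsr305"}

# Constructed sample in the text format printed by `mvn dependency:tree`;
# the org.example coordinates and every version number are made up.
SAMPLE_TREE = """\
[INFO] org.example:demo-server:jar:0.0.1
[INFO] +- org.example:rpc-lib:jar:1.2:compile
[INFO] |  +- org.example:util-lib:jar:3.4:compile
[INFO] |  |  \\- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  \\- org.example:codec:jar:0.9:compile
[INFO] +- com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1:compile
[INFO] \\- org.example:test-kit:jar:2.0:test
[INFO]    \\- com.google.code.findbugs:jsr305:jar:2.0.1:test
"""

# Optional "[INFO] " prefix, 3-character indent cells, branch marker, coordinate.
NODE = re.compile(r"^(?:\[INFO\] )?((?:[| ]  )*)[+\\]- (\S+)")
# A module root is a bare coordinate with no branch marker in front of it.
ROOT = re.compile(r"[^\s:]+(?::[^\s:]+){3,}")


def find_banned(tree_text, banned=BANNED):
    """Return one root-first path of coordinates per banned node found."""
    hits, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            body = line.replace("[INFO] ", "", 1).strip()
            if ROOT.fullmatch(body):
                stack = [body]            # new module: restart the path
            continue                      # anything else is build log noise
        depth = len(m.group(1)) // 3 + 1  # the root sits at depth 0
        coord = m.group(2)
        del stack[depth:]                 # leave the previous branch
        stack.append(coord)
        if ":".join(coord.split(":")[:2]) in banned:
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    for path in find_banned(SAMPLE_TREE):
        print(" -> ".join(path))
```

The second element of each reported path is the direct dependency to exclude from or replace; the cleanroom `com.github.stephenc.findbugs:findbugs-annotations` artifact is not flagged.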
