rya-dev mailing list archives

From Josh Elser <els...@apache.org>
Subject Re: third party licenses examined for 3.2.11 RC2
Date Thu, 14 Sep 2017 19:03:00 GMT
By the letter of the law, you don't have to resolve license conflicts 
until you graduate from the Incubator.

However, the process of identifying bad licensing, finding suitable 
replacements, and implementing such changes shows a _lot_ of maturity 
from the community (as this is a very real problem that comes up as 
projects grow!).

At the end of the day, it really comes down to how the voters cast their 
vote and I expect it would require some "fighting" over email.

For the specifics:

* HSQLDB, afaik, is ALv2. Maybe it's dual-licensed? That one should be 
no-problem.
* re: org.json, our Ted Dunning has made which other projects have 
successfully adopted. The barrier to switch is reportedly quite low 
https://github.com/tdunning/open-json
* Making the benchmarks module optional, like was done with the 
geoindexing module, is the most straightforward path. Google Caliper is 
more permissively licensed and could be leveraged as an alternative in 
the future https://github.com/google/caliper

I would suggest to bite the bullet now.

On 9/14/17 1:15 PM, David Lotts wrote:
> Here is my completed analysis of our third party licenses.
> 
> Result: We have two Licenses not allowed for Apache projects.  See the
> bottom.
> The question is, is this a blocker for the release?  Can we make a Jira
> task to fix for the next version?  One of them: JSON, just switched to
> category X after our last release.
> 
> Using this history as a guide:
> https://www.mail-archive.com/dev@rya.incubator.apache.org/msg00969.html
> and this :
> https://issues.apache.org/jira/browse/RYA-177
> 
> in order: the good, the bad:
> 
> ### BSD  good  from:  http://asm.ow2.org/license.html
>       (Unknown license) ASM Core (asm:asm:3.1 - http://asm.objectweb.org/asm/)
> 
> ### Good already excluded, see RYA-200 Remove findbugs:jsr305 Dependency
>       (GNU Lesser Public License) FindBugs-Annotations
> (com.google.code.findbugs:annotations:2.0.2 - http://findbugs.sourceforge.net/)
> 
> ### Apache project -- Good
>       (Unknown license) commons-beanutils
> (commons-beanutils:commons-beanutils:1.7.0 - no url defined)
> 
> ### Already exclusion from another library, it's Good
>       (HSQLDB License) HSQLDB (hsqldb:hsqldb:1.8.0.10 - http://hsqldb.org/)
> 
> ### used by many Apache projects -- Good
>       (Unknown license) servlet-api (javax.servlet:servlet-api:2.5 - no url
> defined)
>       (Unknown license) jsp-api (javax.servlet.jsp:jsp-api:2.1 - no url
> defined)
>       (Common Public License Version 1.0) JUnit (junit:junit:4.8.2 -
> http://junit.org)
> 
> ### BSD license -- good from http://www.antlr.org/about.html
>       (Unknown license) Antlr 3.4 Runtime (org.antlr:antlr-runtime:3.4 -
> http://www.antlr.org)
> 
> ### Apache -- Good
>       (Unknown license) Jettison (org.codehaus.jettison:jettison:1.1 - no
> url defined)
> 
> ### Apache licensed -- Good, all spring stuff
>       (Unknown license) spring-aop (org.springframework:spring-aop:3.0.5.RELEASE)
>       (Unknown license) spring-asm (org.springframework:spring-asm:3.0.5.RELEASE)
>       (Unknown license) spring-beans (org.springframework:spring-beans:3.0.5.RELEASE)
>       (Unknown license) spring-context (org.springframework:spring-context:3.0.5.RELEASE)
>       (Unknown license) spring-context-support (org.springframework:spring-context-support:3.0.7.RELEASE)
>       (Unknown license) spring-core (org.springframework:spring-core:3.0.5.RELEASE)
>       (Unknown license) spring-expression (org.springframework:spring-expression:3.0.5.RELEASE)
>       (Unknown license) spring-tx (org.springframework:spring-tx:3.0.5.RELEASE)
> 
> ### Apache project -- Good, BTW: As of 2010-09-01, the ORO project is
> retired.
>       (Unknown license) oro (oro:oro:2.0.8 - no url defined)
> ### Apache project -- Good, by looking at the source code
>       (Unknown license) regexp (regexp:regexp:1.3 - no url defined)
> ### Apache licensed -- Good,
> https://mvnrepository.com/artifact/org.osgi/org.osgi.compendium
>       (Unknown license) org.osgi.compendium (org.osgi:org.osgi.compendium:4.2.0)
>       (Unknown license) org.osgi.core (org.osgi:org.osgi.core:4.2.0)
> ### Python license is compat,  -- Good, similar to
> http://www.jython.org/license.html
>       (Jython Software License) Jython (org.python:jython:2.5.3 -
> http://www.jython.org/)
> 
> ############## end of good.
> 
> ### BAD: JSON: MIT- with evil clause
> ### As of 2016-11-03 this has been moved to the 'Category X' license list
> ### ( "The Software shall be used for Good, not Evil."  from
> http://www.json.org/license.html   )
> ###  Consider replacing with this drop in replacement:
> ### https://mvnrepository.com/artifact/com.tdunning/json
> ### from: https://stackoverflow.com/questions/10396176/org-json-jar-provisioning
> ### other alternatives:
> ### https://wiki.debian.org/qa.debian.org/jsonevil
>    (provided without support or warranty) JSON (JavaScript Object Notation)
> (org.json:json:20090211 - http://www.json.org/java/index.html)
> 
> 
> ### BAD: GPL with classpath exception is explicitly not compatible
> 
>       (GNU General Public License (GPL), version 2, with the Classpath
> exception) JMH Core (org.openjdk.jmh:jmh-core:1.13 -
> http://openjdk.java.net/projects/code-tools/jmh/jmh-core/)
> 
>       (GNU General Public License (GPL), version 2, with the Classpath
> exception) JMH Generators: Annotation Processors
> (org.openjdk.jmh:jmh-generator-annprocess:1.13
> - http://openjdk.java.net/projects/code-tools/jmh/jmh-generator-annprocess/)
> 
> 
> 
>>>
> 
