Posted to commits@daffodil.apache.org by GitBox <gi...@apache.org> on 2020/11/06 17:10:17 UTC

[GitHub] [incubator-daffodil] stevedlawrence commented on pull request #452: Schematron Validation

stevedlawrence commented on pull request #452:
URL: https://github.com/apache/incubator-daffodil/pull/452#issuecomment-723194622


   Haven't looked at the code yet, just wanted to first verify new dependencies and make sure their licenses allow them to be used/distributed with Daffodil. The new dependencies, including transitive dependencies, and licenses appear to be:
   
   * ``com.google.code.findbugs:jsr305:3.0.2 (ALv2)``
   * ``com.helger:ph-collection:9.5.1 (ALv2)``
   * ``com.helger:ph-commons:9.5.1 (ALv2)``
   * ``com.helger:ph-jaxb-pom:1.1.0 (ALv2)``
   * ``com.helger:ph-jaxb:9.5.1 (ALv2)``
   * ``com.helger:ph-schematron:5.6.3 (ALv2)``
   * ``com.helger:ph-xml:9.5.1 (ALv2)``
   * ``com.sun.activation:jakarta.activation:1.2.2 (EDL 1.0)``
   * ``com.sun.xml.bind:jaxb-impl:2.3.3 (EDL 1.0)``
   * ``jakarta.xml.bind:jakarta.xml.bind-api:2.3.3 (EDL 1.0)``
   * ``net.sf.saxon:Saxon-HE:10.2 (MPL 2.0)``
   * ``org.slf4j:slf4j-api:1.7.30 (MIT)``
   
   ALv2 is obviously fine to use with Daffodil. EDL and MIT are [category A](https://www.apache.org/legal/resolved.html#category-a), so not a problem to include in both source or binary form. Though, as dependencies, we would only distribute them as a binary.
   
   MPL is [category B](https://www.apache.org/legal/resolved.html#category-b), which is allowed to be distributed, but only in binary form, which should be fine since that's how we would distribute it. Though there are caveats that we include a prominent notice in a README or something.
   
   So from a purely licensing point of view, I think this should all be fine. We will need to inspect all these dependencies to see if they have NOTICE files, and include them in our daffodil-cli/bin.NOTICE. We also need to update the daffodil-cli/bin.LICENSE file with the files that are not Apache license. So there's a decent amount of work to ensure the licensing meets Apache standards.
   
   Also, it kind of feels like a lot of extra dependencies that we might not necessarily use, for example slf4j seems maybe unnecessary. It about doubles the size of our dependencies. Daffodil jars are about 24MB, existing deps were 8.9MB, new deps are 9.1MB (half of that is Saxon-HE). It sort of feels unfortunate to double the size of deps just for schematron. Not sure that's a blocker, but maybe some of these dependencies aren't needed and can be excluded?
   
   Or perhaps there are alternative implementations that provide the functionality/performance we need? Also, I believe schematron is usually just implemented via XSLT, so could perhaps just be implemented via an XSLT library?

