Posted to dev@dubbo.apache.org by Huxing Zhang <hu...@apache.org> on 2019/04/01 10:14:57 UTC

Incompatible license for dependency nacos-client

Hi,

When I was looking at this issue [1], I realized that Dubbo may have the
same issue.
From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
where the following dependency has been added:

<dependency>
    <groupId>com.alibaba.nacos</groupId>
    <artifactId>nacos-client</artifactId>
    <version>${nacos.version}</version>
    <optional>true</optional>
</dependency>

which depends on the following dependencies:

<dependency>
    <groupId>org.codehaus.jackson</groupId>
    <artifactId>jackson-mapper-lgpl</artifactId>
</dependency>

<dependency>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-annotations</artifactId>
    <optional>true</optional>
</dependency>

which is LGPL v2.1 licensed.

This means nacos-client should not be Apache Licensed as claimed, and
Dubbo could not depend on nacos-client.

I have contacted the Nacos team; they are addressing this issue.

My question is how to avoid this kind of issue?
Should we check every newly added dependency for license compatibility?
Are there any tools which can do automatic scanning?

[1] https://github.com/apache/incubator-skywalking/pull/2422

-- 
Best Regards!
Huxing

Re: Incompatible license for dependency nacos-client

Posted by Huxing Zhang <hu...@apache.org>.
Hi,

Thanks for the suggestion. I tried the following commands:

`mvn license:add-third-party -Dlicense.useMissingFile`

The command outputs all the 3rd party licenses for the module. I did a
further investigation with the following commands:

find . -name THIRD-PARTY.txt | xargs grep GPL | grep -v Apache | grep -v MIT | grep -v CDDL
./dubbo-registry/dubbo-registry-nacos/target/generated-sources/license/THIRD-PARTY.txt:    (GNU Lesser General Public License (LGPL), Version 2.1) Jackson (org.codehaus.jackson:jackson-core-lgpl:1.9.6 - http://jackson.codehaus.org)
./dubbo-registry/dubbo-registry-nacos/target/generated-sources/license/THIRD-PARTY.txt:    (GNU Lesser General Public License (LGPL), Version 2.1) Data Mapper for Jackson (org.codehaus.jackson:jackson-mapper-lgpl:1.9.6 - http://jackson.codehaus.org)

I think the dependency issue could be found for:

<dependency>
    <groupId>org.codehaus.jackson</groupId>
    <artifactId>jackson-mapper-lgpl</artifactId>
</dependency>

But for optional dependencies, there is no output.

<dependency>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-annotations</artifactId>
    <optional>true</optional>
</dependency>


I checked the documentation [1]; there is an option
"<includeOptional>" to include the optional dependency, and the
default value is true. But I don't know why it is not included.

[1] https://www.mojohaus.org/license-maven-plugin/add-third-party-mojo.html

On Mon, Apr 1, 2019 at 7:26 PM YunKun Huang <hy...@apache.org> wrote:
>
> Sorry, I copy wrong one for second one
>
> Second one should be `mvn license:add-third-party -Dlicense.useMissingFile`
>
> On 2019/04/01 11:22:03, YunKun Huang <hy...@apache.org> wrote:
> > I guess those two plugin can help:
> >
> > 1. mvn project-info-reports:dependencies
> > it will generate a html file in target/site folder, and list all dependencies license
> >
> > 2.mvn project-info-reports:licenses
> > it will generate a license report (plain text) in src/license and allow you to fill license info if some library can't receive license info by default.
> >
> > I suggest we use second one to generate license info with travis ci and throw exception when some license is not allow by project
> >
> > Regards,
> > Yunkun
> >
> > On 2019/04/01 10:14:57, Huxing Zhang <hu...@apache.org> wrote:
> > > Hi,
> > >
> > > When I am looking at this issue[1], I realized that Dubbo may have the
> > > same issue.
> > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> > > where the following dependency has been added:
> > >
> > > <dependency>
> > >     <groupId>com.alibaba.nacos</groupId>
> > >     <artifactId>nacos-client</artifactId>
> > >     <version>${nacos.version}</version>
> > >     <optional>true</optional>
> > > </dependency>
> > >
> > > which depend on the following dependencies:
> > >
> > > <dependency>
> > >     <groupId>org.codehaus.jackson</groupId>
> > >     <artifactId>jackson-mapper-lgpl</artifactId>
> > > </dependency>
> > >
> > > <dependency>
> > >     <groupId>com.github.spotbugs</groupId>
> > >     <artifactId>spotbugs-annotations</artifactId>
> > >     <optional>true</optional>
> > > </dependency>
> > >
> > > which is LGPL v2.1 licensed.
> > >
> > > This means nacos-client should not be Apache Licensed as claimed, and
> > > Dubbo could not depend on nacos-client.
> > >
> > > I have contacted the Nacos team they are addressing this issue.
> > >
> > > My question is how to avoid this kind of issue?
> > > Should we check every newly added dependency for license compatibility?
> > > Is there any tools which can do automatic scanning?
> > >
> > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > >
> > > --
> > > Best Regards!
> > > Huxing
> > >
> >



-- 
Best Regards!
Huxing
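
An added example, not part of the thread and not Dubbo's own script: a Python gate over the THIRD-PARTY.txt files written by `mvn license:add-third-party`. It checks only the license fields of each line, so a dependency name or URL containing "Apache" cannot hide an LGPL entry the way `grep -v Apache` on the whole line can. The allow/deny patterns and the sample lines marked constructed are assumptions.

```python
"""License gate over license-maven-plugin THIRD-PARTY.txt output (added example)."""
import re
import sys
from pathlib import Path

# Assumed policy, modelled on the grep filters used in the thread: the GPL
# family is flagged unless the dependency also offers an allowed license.
ALLOWED = re.compile(r"\b(Apache|MIT|BSD|CDDL)\b", re.I)
DENIED = re.compile(r"GPL|General Public License", re.I)

# Trailing "(groupId:artifactId:version - url)" field of a report line.
COORDS = re.compile(r"\(([^()\s]+:[^()\s]+:[^()\s]+) - [^()]*\)\s*$")


def split_licenses(head):
    """Split leading balanced "(...)" groups from the dependency name.

    License names may themselves contain parentheses, e.g.
    "(GNU Lesser General Public License (LGPL), Version 2.1)".
    """
    licenses, pos = [], 0
    while pos < len(head) and head[pos] == "(":
        depth = 0
        for end in range(pos, len(head)):
            if head[end] == "(":
                depth += 1
            elif head[end] == ")":
                depth -= 1
                if depth == 0:
                    break
        else:
            break  # unbalanced parentheses: stop, keep what was parsed
        licenses.append(head[pos + 1:end])
        pos = end + 1
        while pos < len(head) and head[pos] == " ":
            pos += 1
    return licenses, head[pos:]


def parse_line(line):
    """Return a dict for a dependency line, or None for headers and blanks."""
    line = line.strip()
    m = COORDS.search(line)
    if not line.startswith("(") or not m:
        return None
    licenses, name = split_licenses(line[:m.start()])
    return {"gav": m.group(1), "name": name.strip(), "licenses": licenses}


def verdict(licenses):
    # Assumption: several licenses on one line mean the consumer may choose.
    if any(ALLOWED.search(lic) for lic in licenses):
        return "ok"
    if any(DENIED.search(lic) for lic in licenses):
        return "denied"
    return "review"  # unknown or missing license: needs a human


def scan(text):
    findings = []
    for line in text.splitlines():
        dep = parse_line(line)
        if dep:
            dep["verdict"] = verdict(dep["licenses"])
            findings.append(dep)
    return findings


def grep_pipeline(text):
    """The thread's filter: grep GPL | grep -v Apache | grep -v MIT | grep -v CDDL."""
    return [l for l in text.splitlines()
            if "GPL" in l and not any(w in l for w in ("Apache", "MIT", "CDDL"))]


# First two dependency lines are the ones quoted in the thread; the header and
# the org.example lines are constructed for this example.
SAMPLE = """\
Lists of 6 third-party dependencies.
     (GNU Lesser General Public License (LGPL), Version 2.1) Jackson (org.codehaus.jackson:jackson-core-lgpl:1.9.6 - http://jackson.codehaus.org)
     (GNU Lesser General Public License (LGPL), Version 2.1) Data Mapper for Jackson (org.codehaus.jackson:jackson-mapper-lgpl:1.9.6 - http://jackson.codehaus.org)
     (The Apache Software License, Version 2.0) Example Core (org.example:core:1.0 - http://example.org/core)
     (CDDL 1.1) (GPLv2 with classpath exception) Example API (org.example:api:2.0 - http://example.org/api)
     (LGPL 2.1) Example Apache Connector (org.example:connector:1.0 - http://example.org/connector)
     (Unknown license) Example Blob (org.example:blob:0.1 - no url defined)
"""

if __name__ == "__main__":
    # Usage: python check_licenses.py $(find . -name THIRD-PARTY.txt)
    text = "".join(Path(p).read_text(encoding="utf-8") for p in sys.argv[1:]) or SAMPLE
    flagged = [d for d in scan(text) if d["verdict"] != "ok"]
    for d in flagged:
        print(f'{d["verdict"]:7} {d["gav"]}  {d["licenses"]}')
    # Non-zero exit fails the CI job when a denied license is present.
    sys.exit(1 if any(d["verdict"] == "denied" for d in flagged) else 0)
```

On the sample, the whole-line grep reports only the two Jackson artifacts, while the field-aware check also flags `org.example:connector:1.0` and sends the unknown license to review.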

Re: Incompatible license for dependency nacos-client

Posted by YunKun Huang <hy...@apache.org>.
Sorry, I copied the wrong one for the second one.

Second one should be `mvn license:add-third-party -Dlicense.useMissingFile`

On 2019/04/01 11:22:03, YunKun Huang <hy...@apache.org> wrote: 
> I guess those two plugin can help:
> 
> 1. mvn project-info-reports:dependencies
> it will generate a html file in target/site folder, and list all dependencies license
> 
> 2.mvn project-info-reports:licenses
> it will generate a license report (plain text) in src/license and allow you to fill license info if some library can't receive license info by default.
> 
> I suggest we use second one to generate license info with travis ci and throw exception when some license is not allow by project
> 
> Regards,
> Yunkun 
> 
> On 2019/04/01 10:14:57, Huxing Zhang <hu...@apache.org> wrote: 
> > Hi,
> > 
> > When I am looking at this issue[1], I realized that Dubbo may have the
> > same issue.
> > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> > where the following dependency has been added:
> > 
> > <dependency>
> >     <groupId>com.alibaba.nacos</groupId>
> >     <artifactId>nacos-client</artifactId>
> >     <version>${nacos.version}</version>
> >     <optional>true</optional>
> > </dependency>
> > 
> > which depend on the following dependencies:
> > 
> > <dependency>
> >     <groupId>org.codehaus.jackson</groupId>
> >     <artifactId>jackson-mapper-lgpl</artifactId>
> > </dependency>
> > 
> > <dependency>
> >     <groupId>com.github.spotbugs</groupId>
> >     <artifactId>spotbugs-annotations</artifactId>
> >     <optional>true</optional>
> > </dependency>
> > 
> > which is LGPL v2.1 licensed.
> > 
> > This means nacos-client should not be Apache Licensed as claimed, and
> > Dubbo could not depend on nacos-client.
> > 
> > I have contacted the Nacos team they are addressing this issue.
> > 
> > My question is how to avoid this kind of issue?
> > Should we check every newly added dependency for license compatibility?
> > Is there any tools which can do automatic scanning?
> > 
> > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > 
> > -- 
> > Best Regards!
> > Huxing
> > 
> 

Re: Incompatible license for dependency nacos-client

Posted by YunKun Huang <hy...@apache.org>.
I guess those two plugins can help:

1. mvn project-info-reports:dependencies
It will generate an HTML file in the target/site folder and list all dependencies' licenses.

2. mvn project-info-reports:licenses
It will generate a license report (plain text) in src/license and allow you to fill in license info if some library can't receive license info by default.

I suggest we use the second one to generate license info with Travis CI and throw an exception when some license is not allowed by the project.

Regards,
Yunkun 

On 2019/04/01 10:14:57, Huxing Zhang <hu...@apache.org> wrote: 
> Hi,
> 
> When I am looking at this issue[1], I realized that Dubbo may have the
> same issue.
> From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> where the following dependency has been added:
> 
> <dependency>
>     <groupId>com.alibaba.nacos</groupId>
>     <artifactId>nacos-client</artifactId>
>     <version>${nacos.version}</version>
>     <optional>true</optional>
> </dependency>
> 
> which depend on the following dependencies:
> 
> <dependency>
>     <groupId>org.codehaus.jackson</groupId>
>     <artifactId>jackson-mapper-lgpl</artifactId>
> </dependency>
> 
> <dependency>
>     <groupId>com.github.spotbugs</groupId>
>     <artifactId>spotbugs-annotations</artifactId>
>     <optional>true</optional>
> </dependency>
> 
> which is LGPL v2.1 licensed.
> 
> This means nacos-client should not be Apache Licensed as claimed, and
> Dubbo could not depend on nacos-client.
> 
> I have contacted the Nacos team they are addressing this issue.
> 
> My question is how to avoid this kind of issue?
> Should we check every newly added dependency for license compatibility?
> Is there any tools which can do automatic scanning?
> 
> [1] https://github.com/apache/incubator-skywalking/pull/2422
> 
> -- 
> Best Regards!
> Huxing
> 

Re: Incompatible license for dependency nacos-client

Posted by Huxing Zhang <hu...@apache.org>.
Hi,

On Mon, Apr 8, 2019 at 2:35 PM Ian Luo <ia...@gmail.com> wrote:
>
> Merged, but we still need to bump up nacos's version when it gets official.

Thanks and agreed.

>
> -Ian.
>
> On Mon, Apr 8, 2019 at 2:17 PM Huxing Zhang <hu...@apache.org> wrote:
>
> > Hi,
> >
> > I've send a pull request:
> > https://github.com/apache/incubator-dubbo/pull/3810
> > It would be appreciated if someone could help to review it.
> >
> > On Wed, Apr 3, 2019 at 11:20 PM Huxing Zhang <hu...@apache.org> wrote:
> > >
> > > Hi,
> > >
> > > The latest nacos client 1.0.0-RC3 has been rolled out. I will follow
> > > up tomorrow.
> > >
> > > [1]
> > https://mvnrepository.com/artifact/com.alibaba.nacos/nacos-client/1.0.0-RC3
> > >
> > > On Tue, Apr 2, 2019 at 5:59 PM Huxing Zhang <hu...@apache.org> wrote:
> > > >
> > > > Hi,
> > > >
> > > > It looks like the dependencies with incompatible licenses have been
> > > > removed on the Nacos side.
> > > > So I think Dubbo should upgrade to the latest version once there is a
> > release.
> > > >
> > > > On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <ia...@gmail.com> wrote:
> > > > >
> > > > > We should contact nacos's developer to fix this dependency issue.
> > > > >
> > > > > -Ian.
> > > > >
> > > > > On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org>
> > wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > When I am looking at this issue[1], I realized that Dubbo may have
> > the
> > > > > > same issue.
> > > > > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been
> > added,
> > > > > > where the following dependency has been added:
> > > > > >
> > > > > > <dependency>
> > > > > >     <groupId>com.alibaba.nacos</groupId>
> > > > > >     <artifactId>nacos-client</artifactId>
> > > > > >     <version>${nacos.version}</version>
> > > > > >     <optional>true</optional>
> > > > > > </dependency>
> > > > > >
> > > > > > which depend on the following dependencies:
> > > > > >
> > > > > > <dependency>
> > > > > >     <groupId>org.codehaus.jackson</groupId>
> > > > > >     <artifactId>jackson-mapper-lgpl</artifactId>
> > > > > > </dependency>
> > > > > >
> > > > > > <dependency>
> > > > > >     <groupId>com.github.spotbugs</groupId>
> > > > > >     <artifactId>spotbugs-annotations</artifactId>
> > > > > >     <optional>true</optional>
> > > > > > </dependency>
> > > > > >
> > > > > > which is LGPL v2.1 licensed.
> > > > > >
> > > > > > This means nacos-client should not be Apache Licensed as claimed,
> > and
> > > > > > Dubbo could not depend on nacos-client.
> > > > > >
> > > > > > I have contacted the Nacos team they are addressing this issue.
> > > > > >
> > > > > > My question is how to avoid this kind of issue?
> > > > > > Should we check every newly added dependency for license
> > compatibility?
> > > > > > Is there any tools which can do automatic scanning?
> > > > > >
> > > > > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > > > > >
> > > > > > --
> > > > > > Best Regards!
> > > > > > Huxing
> > > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Best Regards!
> > > > Huxing
> > >
> > >
> > >
> > > --
> > > Best Regards!
> > > Huxing
> >
> >
> >
> > --
> > Best Regards!
> > Huxing
> >



-- 
Best Regards!
Huxing

Re: Incompatible license for dependency nacos-client

Posted by Ian Luo <ia...@gmail.com>.
Merged, but we still need to bump up nacos's version when it gets official.

-Ian.

On Mon, Apr 8, 2019 at 2:17 PM Huxing Zhang <hu...@apache.org> wrote:

> Hi,
>
> I've send a pull request:
> https://github.com/apache/incubator-dubbo/pull/3810
> It would be appreciated if someone could help to review it.
>
> On Wed, Apr 3, 2019 at 11:20 PM Huxing Zhang <hu...@apache.org> wrote:
> >
> > Hi,
> >
> > The latest nacos client 1.0.0-RC3 has been rolled out. I will follow
> > up tomorrow.
> >
> > [1]
> https://mvnrepository.com/artifact/com.alibaba.nacos/nacos-client/1.0.0-RC3
> >
> > On Tue, Apr 2, 2019 at 5:59 PM Huxing Zhang <hu...@apache.org> wrote:
> > >
> > > Hi,
> > >
> > > It looks like the dependencies with incompatible licenses have been
> > > removed on the Nacos side.
> > > So I think Dubbo should upgrade to the latest version once there is a
> release.
> > >
> > > On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <ia...@gmail.com> wrote:
> > > >
> > > > We should contact nacos's developer to fix this dependency issue.
> > > >
> > > > -Ian.
> > > >
> > > > On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org>
> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > When I am looking at this issue[1], I realized that Dubbo may have
> the
> > > > > same issue.
> > > > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been
> added,
> > > > > where the following dependency has been added:
> > > > >
> > > > > <dependency>
> > > > >     <groupId>com.alibaba.nacos</groupId>
> > > > >     <artifactId>nacos-client</artifactId>
> > > > >     <version>${nacos.version}</version>
> > > > >     <optional>true</optional>
> > > > > </dependency>
> > > > >
> > > > > which depend on the following dependencies:
> > > > >
> > > > > <dependency>
> > > > >     <groupId>org.codehaus.jackson</groupId>
> > > > >     <artifactId>jackson-mapper-lgpl</artifactId>
> > > > > </dependency>
> > > > >
> > > > > <dependency>
> > > > >     <groupId>com.github.spotbugs</groupId>
> > > > >     <artifactId>spotbugs-annotations</artifactId>
> > > > >     <optional>true</optional>
> > > > > </dependency>
> > > > >
> > > > > which is LGPL v2.1 licensed.
> > > > >
> > > > > This means nacos-client should not be Apache Licensed as claimed,
> and
> > > > > Dubbo could not depend on nacos-client.
> > > > >
> > > > > I have contacted the Nacos team they are addressing this issue.
> > > > >
> > > > > My question is how to avoid this kind of issue?
> > > > > Should we check every newly added dependency for license
> compatibility?
> > > > > Is there any tools which can do automatic scanning?
> > > > >
> > > > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > > > >
> > > > > --
> > > > > Best Regards!
> > > > > Huxing
> > > > >
> > >
> > >
> > >
> > > --
> > > Best Regards!
> > > Huxing
> >
> >
> >
> > --
> > Best Regards!
> > Huxing
>
>
>
> --
> Best Regards!
> Huxing
>

Re: Incompatible license for dependency nacos-client

Posted by Huxing Zhang <hu...@apache.org>.
Hi,

I've sent a pull request: https://github.com/apache/incubator-dubbo/pull/3810
It would be appreciated if someone could help to review it.

On Wed, Apr 3, 2019 at 11:20 PM Huxing Zhang <hu...@apache.org> wrote:
>
> Hi,
>
> The latest nacos client 1.0.0-RC3 has been rolled out. I will follow
> up tomorrow.
>
> [1] https://mvnrepository.com/artifact/com.alibaba.nacos/nacos-client/1.0.0-RC3
>
> On Tue, Apr 2, 2019 at 5:59 PM Huxing Zhang <hu...@apache.org> wrote:
> >
> > Hi,
> >
> > It looks like the dependencies with incompatible licenses have been
> > removed on the Nacos side.
> > So I think Dubbo should upgrade to the latest version once there is a release.
> >
> > On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <ia...@gmail.com> wrote:
> > >
> > > We should contact nacos's developer to fix this dependency issue.
> > >
> > > -Ian.
> > >
> > > On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org> wrote:
> > >
> > > > Hi,
> > > >
> > > > When I am looking at this issue[1], I realized that Dubbo may have the
> > > > same issue.
> > > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> > > > where the following dependency has been added:
> > > >
> > > > <dependency>
> > > >     <groupId>com.alibaba.nacos</groupId>
> > > >     <artifactId>nacos-client</artifactId>
> > > >     <version>${nacos.version}</version>
> > > >     <optional>true</optional>
> > > > </dependency>
> > > >
> > > > which depend on the following dependencies:
> > > >
> > > > <dependency>
> > > >     <groupId>org.codehaus.jackson</groupId>
> > > >     <artifactId>jackson-mapper-lgpl</artifactId>
> > > > </dependency>
> > > >
> > > > <dependency>
> > > >     <groupId>com.github.spotbugs</groupId>
> > > >     <artifactId>spotbugs-annotations</artifactId>
> > > >     <optional>true</optional>
> > > > </dependency>
> > > >
> > > > which is LGPL v2.1 licensed.
> > > >
> > > > This means nacos-client should not be Apache Licensed as claimed, and
> > > > Dubbo could not depend on nacos-client.
> > > >
> > > > I have contacted the Nacos team they are addressing this issue.
> > > >
> > > > My question is how to avoid this kind of issue?
> > > > Should we check every newly added dependency for license compatibility?
> > > > Is there any tools which can do automatic scanning?
> > > >
> > > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > > >
> > > > --
> > > > Best Regards!
> > > > Huxing
> > > >
> >
> >
> >
> > --
> > Best Regards!
> > Huxing
>
>
>
> --
> Best Regards!
> Huxing



-- 
Best Regards!
Huxing

Re: Incompatible license for dependency nacos-client

Posted by Huxing Zhang <hu...@apache.org>.
Hi,

The latest nacos client 1.0.0-RC3 has been rolled out. I will follow
up tomorrow.

[1] https://mvnrepository.com/artifact/com.alibaba.nacos/nacos-client/1.0.0-RC3

On Tue, Apr 2, 2019 at 5:59 PM Huxing Zhang <hu...@apache.org> wrote:
>
> Hi,
>
> It looks like the dependencies with incompatible licenses have been
> removed on the Nacos side.
> So I think Dubbo should upgrade to the latest version once there is a release.
>
> On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <ia...@gmail.com> wrote:
> >
> > We should contact nacos's developer to fix this dependency issue.
> >
> > -Ian.
> >
> > On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org> wrote:
> >
> > > Hi,
> > >
> > > When I am looking at this issue[1], I realized that Dubbo may have the
> > > same issue.
> > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> > > where the following dependency has been added:
> > >
> > > <dependency>
> > >     <groupId>com.alibaba.nacos</groupId>
> > >     <artifactId>nacos-client</artifactId>
> > >     <version>${nacos.version}</version>
> > >     <optional>true</optional>
> > > </dependency>
> > >
> > > which depend on the following dependencies:
> > >
> > > <dependency>
> > >     <groupId>org.codehaus.jackson</groupId>
> > >     <artifactId>jackson-mapper-lgpl</artifactId>
> > > </dependency>
> > >
> > > <dependency>
> > >     <groupId>com.github.spotbugs</groupId>
> > >     <artifactId>spotbugs-annotations</artifactId>
> > >     <optional>true</optional>
> > > </dependency>
> > >
> > > which is LGPL v2.1 licensed.
> > >
> > > This means nacos-client should not be Apache Licensed as claimed, and
> > > Dubbo could not depend on nacos-client.
> > >
> > > I have contacted the Nacos team they are addressing this issue.
> > >
> > > My question is how to avoid this kind of issue?
> > > Should we check every newly added dependency for license compatibility?
> > > Is there any tools which can do automatic scanning?
> > >
> > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > >
> > > --
> > > Best Regards!
> > > Huxing
> > >
>
>
>
> --
> Best Regards!
> Huxing



-- 
Best Regards!
Huxing

Re: Incompatible license for dependency nacos-client

Posted by YunKun Huang <hy...@apache.org>.
Yeah, I can take this one and prepare a script.

On 2019/04/10 02:30:16, Ian Luo <ia...@gmail.com> wrote: 
> Let's introduce a convenient script first and put it in the root directory.
> YuKun, would you mind to take this?
> 
> Thanks,
> -Ian.
> 
> On Tue, Apr 9, 2019 at 5:47 PM YunKun Huang <hy...@apache.org> wrote:
> 
> > Yeah. this check process is slow in my local machine.
> > I agree with doing it manually
> >
> > On 2019/04/09 03:29:35, Huxing Zhang <hu...@apache.org> wrote:
> > > Hi,
> > >
> > > On Tue, Apr 9, 2019 at 11:14 AM YunKun Huang <hy...@apache.org> wrote:
> > > >
> > > > Should we add this check in travis CI or do this check each time for a
> > new dependency added
> > >
> > > The problem is that not every time a new dependency will be added, and
> > > the process will take too much time in my local test. My concerns is
> > > that UT will take much longer to finish.
> > > So I suggest to check it manually when new dependency is added (the
> > > reviewer should check the dependencies when doing code review) and
> > > when doing release vote.
> > > How do you think?
> > >
> > > >
> > > > On 2019/04/08 06:09:56, Ian Luo <ia...@gmail.com> wrote:
> > > > > Great, let's target it to 2.7.2. I have moved the issue [1] into
> > 2.7.2's
> > > > > bucket.
> > > > >
> > > > > -Ian.
> > > > >
> > > > > 1. https://github.com/apache/incubator-dubbo/issues/3804
> > > > >
> > > > > On Tue, Apr 2, 2019 at 5:59 PM Huxing Zhang <hu...@apache.org>
> > wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > It looks like the dependencies with incompatible licenses have been
> > > > > > removed on the Nacos side.
> > > > > > So I think Dubbo should upgrade to the latest version once there
> > is a
> > > > > > release.
> > > > > >
> > > > > > On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <ia...@gmail.com> wrote:
> > > > > > >
> > > > > > > We should contact nacos's developer to fix this dependency issue.
> > > > > > >
> > > > > > > -Ian.
> > > > > > >
> > > > > > > On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org>
> > wrote:
> > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > When I am looking at this issue[1], I realized that Dubbo may
> > have the
> > > > > > > > same issue.
> > > > > > > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been
> > added,
> > > > > > > > where the following dependency has been added:
> > > > > > > >
> > > > > > > > <dependency>
> > > > > > > >     <groupId>com.alibaba.nacos</groupId>
> > > > > > > >     <artifactId>nacos-client</artifactId>
> > > > > > > >     <version>${nacos.version}</version>
> > > > > > > >     <optional>true</optional>
> > > > > > > > </dependency>
> > > > > > > >
> > > > > > > > which depend on the following dependencies:
> > > > > > > >
> > > > > > > > <dependency>
> > > > > > > >     <groupId>org.codehaus.jackson</groupId>
> > > > > > > >     <artifactId>jackson-mapper-lgpl</artifactId>
> > > > > > > > </dependency>
> > > > > > > >
> > > > > > > > <dependency>
> > > > > > > >     <groupId>com.github.spotbugs</groupId>
> > > > > > > >     <artifactId>spotbugs-annotations</artifactId>
> > > > > > > >     <optional>true</optional>
> > > > > > > > </dependency>
> > > > > > > >
> > > > > > > > which is LGPL v2.1 licensed.
> > > > > > > >
> > > > > > > > This means nacos-client should not be Apache Licensed as
> > claimed, and
> > > > > > > > Dubbo could not depend on nacos-client.
> > > > > > > >
> > > > > > > > I have contacted the Nacos team they are addressing this issue.
> > > > > > > >
> > > > > > > > My question is how to avoid this kind of issue?
> > > > > > > > Should we check every newly added dependency for license
> > compatibility?
> > > > > > > > Is there any tools which can do automatic scanning?
> > > > > > > >
> > > > > > > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > > > > > > >
> > > > > > > > --
> > > > > > > > Best Regards!
> > > > > > > > Huxing
> > > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Best Regards!
> > > > > > Huxing
> > > > > >
> > > > >
> > >
> > >
> > >
> > > --
> > > Best Regards!
> > > Huxing
> > >
> >
> 

Re: Incompatible license for dependency nacos-client

Posted by Ian Luo <ia...@gmail.com>.
Let's introduce a convenient script first and put it in the root directory.
YunKun, would you mind taking this?

Thanks,
-Ian.

On Tue, Apr 9, 2019 at 5:47 PM YunKun Huang <hy...@apache.org> wrote:

> Yeah. this check process is slow in my local machine.
> I agree with doing it manually
>
> On 2019/04/09 03:29:35, Huxing Zhang <hu...@apache.org> wrote:
> > Hi,
> >
> > On Tue, Apr 9, 2019 at 11:14 AM YunKun Huang <hy...@apache.org> wrote:
> > >
> > > Should we add this check in travis CI or do this check each time for a
> new dependency added
> >
> > The problem is that not every time a new dependency will be added, and
> > the process will take too much time in my local test. My concerns is
> > that UT will take much longer to finish.
> > So I suggest to check it manually when new dependency is added (the
> > reviewer should check the dependencies when doing code review) and
> > when doing release vote.
> > How do you think?
> >
> > >
> > > On 2019/04/08 06:09:56, Ian Luo <ia...@gmail.com> wrote:
> > > > Great, let's target it to 2.7.2. I have moved the issue [1] into
> 2.7.2's
> > > > bucket.
> > > >
> > > > -Ian.
> > > >
> > > > 1. https://github.com/apache/incubator-dubbo/issues/3804
> > > >
> > > > On Tue, Apr 2, 2019 at 5:59 PM Huxing Zhang <hu...@apache.org>
> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > It looks like the dependencies with incompatible licenses have been
> > > > > removed on the Nacos side.
> > > > > So I think Dubbo should upgrade to the latest version once there
> is a
> > > > > release.
> > > > >
> > > > > On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <ia...@gmail.com> wrote:
> > > > > >
> > > > > > We should contact nacos's developer to fix this dependency issue.
> > > > > >
> > > > > > -Ian.
> > > > > >
> > > > > > On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org>
> wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > When I am looking at this issue[1], I realized that Dubbo may
> have the
> > > > > > > same issue.
> > > > > > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been
> added,
> > > > > > > where the following dependency has been added:
> > > > > > >
> > > > > > > <dependency>
> > > > > > >     <groupId>com.alibaba.nacos</groupId>
> > > > > > >     <artifactId>nacos-client</artifactId>
> > > > > > >     <version>${nacos.version}</version>
> > > > > > >     <optional>true</optional>
> > > > > > > </dependency>
> > > > > > >
> > > > > > > which depend on the following dependencies:
> > > > > > >
> > > > > > > <dependency>
> > > > > > >     <groupId>org.codehaus.jackson</groupId>
> > > > > > >     <artifactId>jackson-mapper-lgpl</artifactId>
> > > > > > > </dependency>
> > > > > > >
> > > > > > > <dependency>
> > > > > > >     <groupId>com.github.spotbugs</groupId>
> > > > > > >     <artifactId>spotbugs-annotations</artifactId>
> > > > > > >     <optional>true</optional>
> > > > > > > </dependency>
> > > > > > >
> > > > > > > which is LGPL v2.1 licensed.
> > > > > > >
> > > > > > > This means nacos-client should not be Apache Licensed as
> claimed, and
> > > > > > > Dubbo could not depend on nacos-client.
> > > > > > >
> > > > > > > I have contacted the Nacos team they are addressing this issue.
> > > > > > >
> > > > > > > My question is how to avoid this kind of issue?
> > > > > > > Should we check every newly added dependency for license
> compatibility?
> > > > > > > Is there any tools which can do automatic scanning?
> > > > > > >
> > > > > > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > > > > > >
> > > > > > > --
> > > > > > > Best Regards!
> > > > > > > Huxing
> > > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Best Regards!
> > > > > Huxing
> > > > >
> > > >
> >
> >
> >
> > --
> > Best Regards!
> > Huxing
> >
>

Re: Incompatible license for dependency nacos-client

Posted by YunKun Huang <hy...@apache.org>.
Yeah, this check process is slow on my local machine.
I agree with doing it manually.

On 2019/04/09 03:29:35, Huxing Zhang <hu...@apache.org> wrote: 
> Hi,
> 
> On Tue, Apr 9, 2019 at 11:14 AM YunKun Huang <hy...@apache.org> wrote:
> >
> > Should we add this check in travis CI or do this check each time for a new dependency added
> 
> The problem is that not every time a new dependency will be added, and
> the process will take too much time in my local test. My concerns is
> that UT will take much longer to finish.
> So I suggest to check it manually when new dependency is added (the
> reviewer should check the dependencies when doing code review) and
> when doing release vote.
> How do you think?
> 
> >
> > On 2019/04/08 06:09:56, Ian Luo <ia...@gmail.com> wrote:
> > > Great, let's target it to 2.7.2. I have moved the issue [1] into 2.7.2's
> > > bucket.
> > >
> > > -Ian.
> > >
> > > 1. https://github.com/apache/incubator-dubbo/issues/3804
> > >
> > > On Tue, Apr 2, 2019 at 5:59 PM Huxing Zhang <hu...@apache.org> wrote:
> > >
> > > > Hi,
> > > >
> > > > It looks like the dependencies with incompatible licenses have been
> > > > removed on the Nacos side.
> > > > So I think Dubbo should upgrade to the latest version once there is a
> > > > release.
> > > >
> > > > On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <ia...@gmail.com> wrote:
> > > > >
> > > > > We should contact nacos's developer to fix this dependency issue.
> > > > >
> > > > > -Ian.
> > > > >
> > > > > On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > When I am looking at this issue[1], I realized that Dubbo may have the
> > > > > > same issue.
> > > > > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> > > > > > where the following dependency has been added:
> > > > > >
> > > > > > <dependency>
> > > > > >     <groupId>com.alibaba.nacos</groupId>
> > > > > >     <artifactId>nacos-client</artifactId>
> > > > > >     <version>${nacos.version}</version>
> > > > > >     <optional>true</optional>
> > > > > > </dependency>
> > > > > >
> > > > > > which depend on the following dependencies:
> > > > > >
> > > > > > <dependency>
> > > > > >     <groupId>org.codehaus.jackson</groupId>
> > > > > >     <artifactId>jackson-mapper-lgpl</artifactId>
> > > > > > </dependency>
> > > > > >
> > > > > > <dependency>
> > > > > >     <groupId>com.github.spotbugs</groupId>
> > > > > >     <artifactId>spotbugs-annotations</artifactId>
> > > > > >     <optional>true</optional>
> > > > > > </dependency>
> > > > > >
> > > > > > which is LGPL v2.1 licensed.
> > > > > >
> > > > > > This means nacos-client should not be Apache Licensed as claimed, and
> > > > > > Dubbo could not depend on nacos-client.
> > > > > >
> > > > > > I have contacted the Nacos team they are addressing this issue.
> > > > > >
> > > > > > My question is how to avoid this kind of issue?
> > > > > > Should we check every newly added dependency for license compatibility?
> > > > > > Is there any tools which can do automatic scanning?
> > > > > >
> > > > > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > > > > >
> > > > > > --
> > > > > > Best Regards!
> > > > > > Huxing
> > > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Best Regards!
> > > > Huxing
> > > >
> > >
> 
> 
> 
> -- 
> Best Regards!
> Huxing
> 

Re: Incompatible license for dependency nacos-client

Posted by Huxing Zhang <hu...@apache.org>.
Hi,

On Tue, Apr 9, 2019 at 11:14 AM YunKun Huang <hy...@apache.org> wrote:
>
> Should we add this check in travis CI or do this check each time for a new dependency added

The problem is that a new dependency will not be added every time, and
the process will take too much time in my local test. My concern is
that UT will take much longer to finish.
So I suggest checking it manually when a new dependency is added (the
reviewer should check the dependencies when doing code review) and
when doing a release vote.
What do you think?

>
> On 2019/04/08 06:09:56, Ian Luo <ia...@gmail.com> wrote:
> > Great, let's target it to 2.7.2. I have moved the issue [1] into 2.7.2's
> > bucket.
> >
> > -Ian.
> >
> > 1. https://github.com/apache/incubator-dubbo/issues/3804
> >
> > On Tue, Apr 2, 2019 at 5:59 PM Huxing Zhang <hu...@apache.org> wrote:
> >
> > > Hi,
> > >
> > > It looks like the dependencies with incompatible licenses have been
> > > removed on the Nacos side.
> > > So I think Dubbo should upgrade to the latest version once there is a
> > > release.
> > >
> > > On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <ia...@gmail.com> wrote:
> > > >
> > > > We should contact nacos's developer to fix this dependency issue.
> > > >
> > > > -Ian.
> > > >
> > > > On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > When I am looking at this issue[1], I realized that Dubbo may have the
> > > > > same issue.
> > > > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> > > > > where the following dependency has been added:
> > > > >
> > > > > <dependency>
> > > > >     <groupId>com.alibaba.nacos</groupId>
> > > > >     <artifactId>nacos-client</artifactId>
> > > > >     <version>${nacos.version}</version>
> > > > >     <optional>true</optional>
> > > > > </dependency>
> > > > >
> > > > > which depend on the following dependencies:
> > > > >
> > > > > <dependency>
> > > > >     <groupId>org.codehaus.jackson</groupId>
> > > > >     <artifactId>jackson-mapper-lgpl</artifactId>
> > > > > </dependency>
> > > > >
> > > > > <dependency>
> > > > >     <groupId>com.github.spotbugs</groupId>
> > > > >     <artifactId>spotbugs-annotations</artifactId>
> > > > >     <optional>true</optional>
> > > > > </dependency>
> > > > >
> > > > > which is LGPL v2.1 licensed.
> > > > >
> > > > > This means nacos-client should not be Apache Licensed as claimed, and
> > > > > Dubbo could not depend on nacos-client.
> > > > >
> > > > > I have contacted the Nacos team they are addressing this issue.
> > > > >
> > > > > My question is how to avoid this kind of issue?
> > > > > Should we check every newly added dependency for license compatibility?
> > > > > Is there any tools which can do automatic scanning?
> > > > >
> > > > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > > > >
> > > > > --
> > > > > Best Regards!
> > > > > Huxing
> > > > >
> > >
> > >
> > >
> > > --
> > > Best Regards!
> > > Huxing
> > >
> >



-- 
Best Regards!
Huxing

Re: Incompatible license for dependency nacos-client

Posted by Ian Luo <ia...@gmail.com>.
Good idea. Should we introduce a script to guard against this first?

Thanks,
-Ian.

On Tue, Apr 9, 2019 at 11:14 AM YunKun Huang <hy...@apache.org> wrote:

> Should we add this check in travis CI or do this check each time for a new
> dependency added
>
> On 2019/04/08 06:09:56, Ian Luo <ia...@gmail.com> wrote:
> > Great, let's target it to 2.7.2. I have moved the issue [1] into 2.7.2's
> > bucket.
> >
> > -Ian.
> >
> > 1. https://github.com/apache/incubator-dubbo/issues/3804
> >
> > On Tue, Apr 2, 2019 at 5:59 PM Huxing Zhang <hu...@apache.org> wrote:
> >
> > > Hi,
> > >
> > > It looks like the dependencies with incompatible licenses have been
> > > removed on the Nacos side.
> > > So I think Dubbo should upgrade to the latest version once there is a
> > > release.
> > >
> > > On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <ia...@gmail.com> wrote:
> > > >
> > > > We should contact nacos's developer to fix this dependency issue.
> > > >
> > > > -Ian.
> > > >
> > > > > On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > When I am looking at this issue[1], I realized that Dubbo may have the
> > > > > > same issue.
> > > > > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> > > > > > where the following dependency has been added:
> > > > >
> > > > > <dependency>
> > > > >     <groupId>com.alibaba.nacos</groupId>
> > > > >     <artifactId>nacos-client</artifactId>
> > > > >     <version>${nacos.version}</version>
> > > > >     <optional>true</optional>
> > > > > </dependency>
> > > > >
> > > > > which depend on the following dependencies:
> > > > >
> > > > > <dependency>
> > > > >     <groupId>org.codehaus.jackson</groupId>
> > > > >     <artifactId>jackson-mapper-lgpl</artifactId>
> > > > > </dependency>
> > > > >
> > > > > <dependency>
> > > > >     <groupId>com.github.spotbugs</groupId>
> > > > >     <artifactId>spotbugs-annotations</artifactId>
> > > > >     <optional>true</optional>
> > > > > </dependency>
> > > > >
> > > > > which is LGPL v2.1 licensed.
> > > > >
> > > > > > This means nacos-client should not be Apache Licensed as claimed, and
> > > > > > Dubbo could not depend on nacos-client.
> > > > >
> > > > > I have contacted the Nacos team they are addressing this issue.
> > > > >
> > > > > My question is how to avoid this kind of issue?
> > > > > > Should we check every newly added dependency for license compatibility?
> > > > > Is there any tools which can do automatic scanning?
> > > > >
> > > > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > > > >
> > > > > --
> > > > > Best Regards!
> > > > > Huxing
> > > > >
> > >
> > >
> > >
> > > --
> > > Best Regards!
> > > Huxing
> > >
> >
>
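
A sketch of the guard script raised above, as an added example that is not part of the thread or of Dubbo's build: it applies the same GPL / Apache / MIT / CDDL terms as the grep pipeline earlier in the thread, but only to the license fields of each THIRD-PARTY.txt entry, so an artifact name or URL containing "Apache" cannot hide an LGPL dependency. The entry layout is assumed from the THIRD-PARTY.txt line quoted earlier; the sample entries and their org.example coordinates are constructed.

```python
import re
import sys
from pathlib import Path

# Same terms as the grep pipeline in the thread, applied to license fields only.
GPL = re.compile(r"GPL|General Public License")
ALTERNATIVE = re.compile(r"Apache|\bMIT\b|CDDL")
COORDS = re.compile(r"\(([\w.\-]+:[\w.\-]+:[^\s()]+)")

def split_entry(line):
    """Split '(License) (License) Name (g:a:v - url)' into (licenses, rest)."""
    s, licenses = line.strip(), []
    while s.startswith("("):
        depth = 0
        for i, ch in enumerate(s):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                break
        else:
            return None  # unbalanced parentheses: not an entry line
        licenses.append(s[1:i])  # names may nest: "... (LGPL), Version 2.1"
        s = s[i + 1:].lstrip()
    return (licenses, s) if licenses else None

def violations(text):
    """Return [(coordinates, licenses)] for GPL-family entries with no alternative."""
    found = []
    for line in text.splitlines():
        parsed = split_entry(line)
        if parsed is None:
            continue
        licenses, rest = parsed
        if any(GPL.search(l) for l in licenses) and not any(ALTERNATIVE.search(l) for l in licenses):
            m = COORDS.search(rest)
            found.append((m.group(1) if m else rest, licenses))
    return found

# Constructed sample in the assumed THIRD-PARTY.txt layout; all artifacts are made up.
SAMPLE = """\
Lists of 5 third-party dependencies.
     (The Apache Software License, Version 2.0) Demo Logging (org.example:demo-logging:1.2 - http://example.org/logging)
     (GNU Lesser General Public License (LGPL), Version 2.1) Demo JSON (org.example:demo-json-lgpl:1.0 - http://example.org/json)
     (CDDL + GPLv2 with classpath exception) Demo API (org.example:demo-api:1.0 - http://example.org/api)
     (Apache License 2.0) (LGPL 2.1) Demo Dual (org.example:demo-dual:1.0 - http://example.org/dual)
     (GNU Lesser General Public License) Apache Helper (org.example:apache-helper:1.0 - http://example.org/apache-helper)
"""

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    bad = [(f, v) for f in root.rglob("THIRD-PARTY.txt")
           for v in violations(f.read_text(encoding="utf-8", errors="replace"))]
    for f, (coords, licenses) in bad:
        print(f"{f}: {coords}: {'; '.join(licenses)}")
    sys.exit(1 if bad else 0)
```

Run after `mvn license:add-third-party` with the project root as the only argument; a non-zero exit status fails the CI step.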

Re: Incompatible license for dependency nacos-client

Posted by YunKun Huang <hy...@apache.org>.
Should we add this check in Travis CI, or do this check each time a new dependency is added?

On 2019/04/08 06:09:56, Ian Luo <ia...@gmail.com> wrote: 
> Great, let's target it to 2.7.2. I have moved the issue [1] into 2.7.2's
> bucket.
> 
> -Ian.
> 
> 1. https://github.com/apache/incubator-dubbo/issues/3804
> 
> On Tue, Apr 2, 2019 at 5:59 PM Huxing Zhang <hu...@apache.org> wrote:
> 
> > Hi,
> >
> > It looks like the dependencies with incompatible licenses have been
> > removed on the Nacos side.
> > So I think Dubbo should upgrade to the latest version once there is a
> > release.
> >
> > On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <ia...@gmail.com> wrote:
> > >
> > > We should contact nacos's developer to fix this dependency issue.
> > >
> > > -Ian.
> > >
> > > On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org> wrote:
> > >
> > > > Hi,
> > > >
> > > > When I am looking at this issue[1], I realized that Dubbo may have the
> > > > same issue.
> > > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> > > > where the following dependency has been added:
> > > >
> > > > <dependency>
> > > >     <groupId>com.alibaba.nacos</groupId>
> > > >     <artifactId>nacos-client</artifactId>
> > > >     <version>${nacos.version}</version>
> > > >     <optional>true</optional>
> > > > </dependency>
> > > >
> > > > which depend on the following dependencies:
> > > >
> > > > <dependency>
> > > >     <groupId>org.codehaus.jackson</groupId>
> > > >     <artifactId>jackson-mapper-lgpl</artifactId>
> > > > </dependency>
> > > >
> > > > <dependency>
> > > >     <groupId>com.github.spotbugs</groupId>
> > > >     <artifactId>spotbugs-annotations</artifactId>
> > > >     <optional>true</optional>
> > > > </dependency>
> > > >
> > > > which is LGPL v2.1 licensed.
> > > >
> > > > This means nacos-client should not be Apache Licensed as claimed, and
> > > > Dubbo could not depend on nacos-client.
> > > >
> > > > I have contacted the Nacos team they are addressing this issue.
> > > >
> > > > My question is how to avoid this kind of issue?
> > > > Should we check every newly added dependency for license compatibility?
> > > > Is there any tools which can do automatic scanning?
> > > >
> > > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > > >
> > > > --
> > > > Best Regards!
> > > > Huxing
> > > >
> >
> >
> >
> > --
> > Best Regards!
> > Huxing
> >
> 

Re: Incompatible license for dependency nacos-client

Posted by Ian Luo <ia...@gmail.com>.
Great, let's target it to 2.7.2. I have moved the issue [1] into 2.7.2's
bucket.

-Ian.

1. https://github.com/apache/incubator-dubbo/issues/3804

On Tue, Apr 2, 2019 at 5:59 PM Huxing Zhang <hu...@apache.org> wrote:

> Hi,
>
> It looks like the dependencies with incompatible licenses have been
> removed on the Nacos side.
> So I think Dubbo should upgrade to the latest version once there is a
> release.
>
> On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <ia...@gmail.com> wrote:
> >
> > We should contact nacos's developer to fix this dependency issue.
> >
> > -Ian.
> >
> > On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org> wrote:
> >
> > > Hi,
> > >
> > > When I am looking at this issue[1], I realized that Dubbo may have the
> > > same issue.
> > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> > > where the following dependency has been added:
> > >
> > > <dependency>
> > >     <groupId>com.alibaba.nacos</groupId>
> > >     <artifactId>nacos-client</artifactId>
> > >     <version>${nacos.version}</version>
> > >     <optional>true</optional>
> > > </dependency>
> > >
> > > which depend on the following dependencies:
> > >
> > > <dependency>
> > >     <groupId>org.codehaus.jackson</groupId>
> > >     <artifactId>jackson-mapper-lgpl</artifactId>
> > > </dependency>
> > >
> > > <dependency>
> > >     <groupId>com.github.spotbugs</groupId>
> > >     <artifactId>spotbugs-annotations</artifactId>
> > >     <optional>true</optional>
> > > </dependency>
> > >
> > > which is LGPL v2.1 licensed.
> > >
> > > This means nacos-client should not be Apache Licensed as claimed, and
> > > Dubbo could not depend on nacos-client.
> > >
> > > I have contacted the Nacos team they are addressing this issue.
> > >
> > > My question is how to avoid this kind of issue?
> > > Should we check every newly added dependency for license compatibility?
> > > Is there any tools which can do automatic scanning?
> > >
> > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > >
> > > --
> > > Best Regards!
> > > Huxing
> > >
>
>
>
> --
> Best Regards!
> Huxing
>

Re: Incompatible license for dependency nacos-client

Posted by Huxing Zhang <hu...@apache.org>.
Hi,

It looks like the dependencies with incompatible licenses have been
removed on the Nacos side.
So I think Dubbo should upgrade to the latest version once there is a release.

On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <ia...@gmail.com> wrote:
>
> We should contact nacos's developer to fix this dependency issue.
>
> -Ian.
>
> On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org> wrote:
>
> > Hi,
> >
> > When I am looking at this issue[1], I realized that Dubbo may have the
> > same issue.
> > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> > where the following dependency has been added:
> >
> > <dependency>
> >     <groupId>com.alibaba.nacos</groupId>
> >     <artifactId>nacos-client</artifactId>
> >     <version>${nacos.version}</version>
> >     <optional>true</optional>
> > </dependency>
> >
> > which depend on the following dependencies:
> >
> > <dependency>
> >     <groupId>org.codehaus.jackson</groupId>
> >     <artifactId>jackson-mapper-lgpl</artifactId>
> > </dependency>
> >
> > <dependency>
> >     <groupId>com.github.spotbugs</groupId>
> >     <artifactId>spotbugs-annotations</artifactId>
> >     <optional>true</optional>
> > </dependency>
> >
> > which is LGPL v2.1 licensed.
> >
> > This means nacos-client should not be Apache Licensed as claimed, and
> > Dubbo could not depend on nacos-client.
> >
> > I have contacted the Nacos team they are addressing this issue.
> >
> > My question is how to avoid this kind of issue?
> > Should we check every newly added dependency for license compatibility?
> > Is there any tools which can do automatic scanning?
> >
> > [1] https://github.com/apache/incubator-skywalking/pull/2422
> >
> > --
> > Best Regards!
> > Huxing
> >



-- 
Best Regards!
Huxing

Re: Incompatible license for dependency nacos-client

Posted by Ian Luo <ia...@gmail.com>.
We should contact Nacos's developer to fix this dependency issue.

-Ian.

On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <hu...@apache.org> wrote:

> Hi,
>
> When I am looking at this issue[1], I realized that Dubbo may have the
> same issue.
> From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> where the following dependency has been added:
>
> <dependency>
>     <groupId>com.alibaba.nacos</groupId>
>     <artifactId>nacos-client</artifactId>
>     <version>${nacos.version}</version>
>     <optional>true</optional>
> </dependency>
>
> which depend on the following dependencies:
>
> <dependency>
>     <groupId>org.codehaus.jackson</groupId>
>     <artifactId>jackson-mapper-lgpl</artifactId>
> </dependency>
>
> <dependency>
>     <groupId>com.github.spotbugs</groupId>
>     <artifactId>spotbugs-annotations</artifactId>
>     <optional>true</optional>
> </dependency>
>
> which is LGPL v2.1 licensed.
>
> This means nacos-client should not be Apache Licensed as claimed, and
> Dubbo could not depend on nacos-client.
>
> I have contacted the Nacos team they are addressing this issue.
>
> My question is how to avoid this kind of issue?
> Should we check every newly added dependency for license compatibility?
> Is there any tools which can do automatic scanning?
>
> [1] https://github.com/apache/incubator-skywalking/pull/2422
>
> --
> Best Regards!
> Huxing
>