Posted to dev@rya.apache.org by David Lotts <dl...@gmail.com> on 2017/09/13 21:29:33 UTC

third party licenses examined for 3.2.11 RC2

Here is my analysis of our third party licenses.

Using this history as a guide:
https://www.mail-archive.com/dev@rya.incubator.apache.org/msg00969.html
and this :
https://issues.apache.org/jira/browse/RYA-177

in order: the good, the bad, the to-do:

### BSD  good  from:  http://asm.ow2.org/license.html
     (Unknown license) ASM Core (asm:asm:3.1 - http://asm.objectweb.org/asm/)

### already excluded, see RYA-200 Remove findbugs:jsr305 Dependency
     (GNU Lesser Public License) FindBugs-Annotations (com.google.code.findbugs:annotations:2.0.2 - http://findbugs.sourceforge.net/)

### apache project
     (Unknown license) commons-beanutils (commons-beanutils:commons-beanutils:1.7.0 - no url defined)

### Already an exclusion from another library, it's OKAY
     (HSQLDB License) HSQLDB (hsqldb:hsqldb:1.8.0.10 - http://hsqldb.org/)

### used by many Apache projects
     (Unknown license) servlet-api (javax.servlet:servlet-api:2.5 - no url defined)
     (Unknown license) jsp-api (javax.servlet.jsp:jsp-api:2.1 - no url defined)
     (Common Public License Version 1.0) JUnit (junit:junit:4.8.2 - http://junit.org)

### BSD license good from http://www.antlr.org/about.html
     (Unknown license) Antlr 3.4 Runtime (org.antlr:antlr-runtime:3.4 - http://www.antlr.org)

### apache
     (Unknown license) Jettison (org.codehaus.jettison:jettison:1.1 - no url defined)

### Apache licensed, all spring stuff
     (Unknown license) spring-aop (org.springframework:spring-aop:3.0.5.RELEASE)
     (Unknown license) spring-asm (org.springframework:spring-asm:3.0.5.RELEASE)
     (Unknown license) spring-beans (org.springframework:spring-beans:3.0.5.RELEASE)
     (Unknown license) spring-context (org.springframework:spring-context:3.0.5.RELEASE)
     (Unknown license) spring-context-support (org.springframework:spring-context-support:3.0.7.RELEASE)
     (Unknown license) spring-core (org.springframework:spring-core:3.0.5.RELEASE)
     (Unknown license) spring-expression (org.springframework:spring-expression:3.0.5.RELEASE)
     (Unknown license) spring-tx (org.springframework:spring-tx:3.0.5.RELEASE)

############## end of good.

### MIT with evil clause ( "The Software shall be used for Good, not Evil."
from http://www.json.org/license.html )  Consider replacing with this
drop-in replacement:
https://mvnrepository.com/artifact/com.tdunning/json
from: https://stackoverflow.com/questions/10396176/org-json-jar-provisioning
  (provided without support or warranty) JSON (JavaScript Object Notation) (org.json:json:20090211 - http://www.json.org/java/index.html)


### BAD, I don't know about JMH libs:

     (GNU General Public License (GPL), version 2, with the Classpath exception) JMH Core (org.openjdk.jmh:jmh-core:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-core/)

     (GNU General Public License (GPL), version 2, with the Classpath exception) JMH Generators: Annotation Processors (org.openjdk.jmh:jmh-generator-annprocess:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-generator-annprocess/)

############That is as far as I got.  TODO:
     (Unknown license) oro (oro:oro:2.0.8 - no url defined)
     (Unknown license) regexp (regexp:regexp:1.3 - no url defined)
     (Unknown license) org.osgi.compendium (org.osgi:org.osgi.compendium:4.2.0)
     (Unknown license) org.osgi.core (org.osgi:org.osgi.core:4.2.0)
     (Jython Software License) Jython (org.python:jython:2.5.3 - http://www.jython.org/)
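The triage done by hand in the message above, as an added example that is not part of the thread or of the Rya project: a Python checker that parses lines in the shape of the license plugin's THIRD-PARTY report and applies the verdicts this thread reaches (Category X for the org.json and JMH licenses, artifacts already excluded in the pom, "Unknown license" artifacts resolved by hand). The policy tables, the allowlist default and the sample report are assumptions constructed from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# A Maven license plugin THIRD-PARTY line as quoted in the thread: "(License) Name (g:a:v - url)".
LINE_RE = re.compile(
    r"^\s*\((?P<license>.+?)\)\s+(?P<name>.+?)\s+"
    r"\((?P<coords>[^\s():]+:[^\s():]+:[^\s()]+)(?:\s+-\s+(?P<url>.+?))?\s*\)\s*$"
)
# Apache Category X licenses named in the thread. The plugin labels org.json as "provided
# without support or warranty"; per the thread the JSON license moved to Category X on 2016-11-03.
CATEGORY_X = {
    "gnu general public license (gpl), version 2, with the classpath exception",
    "gnu lesser public license",
    "provided without support or warranty",
}
ALLOWED = {"common public license version 1.0", "jython software license"}  # accepted in the thread
# Hand verdicts from the thread for artifacts the plugin reports as "Unknown license" (assumed table).
RESOLVED: Dict[str, str] = {
    "asm:asm": "BSD", "org.antlr:antlr-runtime": "BSD",
    "commons-beanutils:commons-beanutils": "Apache-2.0", "org.codehaus.jettison:jettison": "Apache-2.0",
    "oro:oro": "Apache-2.0 (retired 2010-09-01)", "regexp:regexp": "Apache-2.0 (source headers)",
}
RESOLVED_GROUPS = {"org.springframework", "org.osgi"}  # Apache-2.0 per the thread
EXCLUDED = {"hsqldb:hsqldb", "com.google.code.findbugs:annotations"}  # excluded in the pom, still listed

def parse_line(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (license, coords, url) for a dependency line, or None for headings and blanks."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    return m.group("license"), m.group("coords"), (None if url == "no url defined" else url)

def classify(license_name: str, coords: str) -> str:
    """Verdict for one dependency: excluded, category-x, ok, or review (needs a human)."""
    group_artifact = coords.rsplit(":", 1)[0]
    if group_artifact in EXCLUDED:
        return "excluded"
    lic = license_name.lower()
    if lic in CATEGORY_X:
        return "category-x"
    if lic in ALLOWED or group_artifact in RESOLVED or group_artifact.split(":")[0] in RESOLVED_GROUPS:
        return "ok"
    return "review"  # allowlist policy: anything unrecognised gets a human look

def audit(report: str) -> List[Tuple[str, str]]:
    """Classify every dependency line of a report as (coords, verdict)."""
    parsed = (parse_line(line) for line in report.splitlines())
    return [(p[1], classify(p[0], p[1])) for p in parsed if p]

# Constructed sample: lines copied from the report quoted in the thread (mail wrapping undone).
SAMPLE_REPORT = """\
     (Unknown license) ASM Core (asm:asm:3.1 - http://asm.objectweb.org/asm/ )
     (GNU Lesser Public License) FindBugs-Annotations (com.google.code.findbugs:annotations:2.0.2 - http://findbugs.sourceforge.net/)
     (Common Public License Version 1.0) JUnit (junit:junit:4.8.2 - http://junit.org)
     (Unknown license) spring-aop (org.springframework:spring-aop:3.0.5.RELEASE)
  (provided without support or warranty) JSON (JavaScript Object Notation) (org.json:json:20090211 - http://www.json.org/java/index.html)
     (GNU General Public License (GPL), version 2, with the Classpath exception) JMH Core (org.openjdk.jmh:jmh-core:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-core/)
     (Unknown license) regexp (regexp:regexp:1.3 - no url defined)
"""
```

Running `audit(SAMPLE_REPORT)` flags only org.json and jmh-core as category-x, which is the pair of blockers the thread ends up filing Jiras for.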

Re: third party licenses examined for 3.2.11 RC2

Posted by David Lotts <dl...@gmail.com>.
We have a Jira for these:
RYA-373 - Benchmarks: JMH library cannot be distributed, make optional or
replace <https://issues.apache.org/jira/browse/RYA-373>
RYA-372 - Replace org.json:json library with a compatibly licensed
alternative <https://issues.apache.org/jira/browse/RYA-372>

HSQLDB is already excluded in a Rya pom.  I suppose the utility reports it
anyway.

> I vote to make benchmarks optional.
When?  The question:  are either of these blockers to the new 3.2.11
release?

david.

Re: third party licenses examined for 3.2.11 RC2

Posted by Puja Valiyil <pu...@gmail.com>.
I vote to make benchmarks optional.

Sent from my iPhone

> On Sep 14, 2017, at 3:03 PM, Josh Elser <el...@apache.org> wrote:

Re: third party licenses examined for 3.2.11 RC2

Posted by Josh Elser <el...@apache.org>.
By the letter of the law, you don't have to resolve license conflicts 
until you graduate from the Incubator.

However, the process of identifying bad licensing, finding suitable 
replacements, and implementing such changes shows a _lot_ of maturity 
from the community (as this is a very real problem that comes up as 
projects grow!).

At the end of the day, it really comes down to how the voters cast their 
vote and I expect it would require some "fighting" over email.

For the specifics:

* HSQLDB, afaik, is ALv2. Maybe it's dual-licensed? That one should be 
no-problem.
* re: org.json, our Ted Dunning has made which other projects have 
successfully adopted. The barrier to switch is reportedly quite low 
https://github.com/tdunning/open-json
* Making the benchmarks module optional, like was done with the 
geoindexing module, is the most straightforward path. Google Caliper is 
more permissively licensed and could be leveraged as an alternative in 
the future https://github.com/google/caliper

I would suggest to bite the bullet now.

On 9/14/17 1:15 PM, David Lotts wrote:

Re: third party licenses examined for 3.2.11 RC2

Posted by David Lotts <dl...@gmail.com>.
Here is my completed analysis of our third party licenses.

Result: We have two Licenses not allowed for Apache projects.  See the
bottom.
The question is, is this a blocker for the release?  Can we make a Jira
task to fix for the next version?  One of them: JSON, just switched to
category X after our last release.

Using this history as a guide:
https://www.mail-archive.com/dev@rya.incubator.apache.org/msg00969.html
and this :
https://issues.apache.org/jira/browse/RYA-177

in order: the good, the bad:

### BSD  good  from:  http://asm.ow2.org/license.html
     (Unknown license) ASM Core (asm:asm:3.1 - http://asm.objectweb.org/asm/)

### Good already excluded, see RYA-200 Remove findbugs:jsr305 Dependency
     (GNU Lesser Public License) FindBugs-Annotations (com.google.code.findbugs:annotations:2.0.2 - http://findbugs.sourceforge.net/)

### Apache project -- Good
     (Unknown license) commons-beanutils (commons-beanutils:commons-beanutils:1.7.0 - no url defined)

### Already an exclusion from another library, it's Good
     (HSQLDB License) HSQLDB (hsqldb:hsqldb:1.8.0.10 - http://hsqldb.org/)

### used by many Apache projects -- Good
     (Unknown license) servlet-api (javax.servlet:servlet-api:2.5 - no url defined)
     (Unknown license) jsp-api (javax.servlet.jsp:jsp-api:2.1 - no url defined)
     (Common Public License Version 1.0) JUnit (junit:junit:4.8.2 - http://junit.org)

### BSD license -- good from http://www.antlr.org/about.html
     (Unknown license) Antlr 3.4 Runtime (org.antlr:antlr-runtime:3.4 - http://www.antlr.org)

### Apache -- Good
     (Unknown license) Jettison (org.codehaus.jettison:jettison:1.1 - no url defined)

### Apache licensed -- Good, all spring stuff
     (Unknown license) spring-aop (org.springframework:spring-aop:3.0.5.RELEASE)
     (Unknown license) spring-asm (org.springframework:spring-asm:3.0.5.RELEASE)
     (Unknown license) spring-beans (org.springframework:spring-beans:3.0.5.RELEASE)
     (Unknown license) spring-context (org.springframework:spring-context:3.0.5.RELEASE)
     (Unknown license) spring-context-support (org.springframework:spring-context-support:3.0.7.RELEASE)
     (Unknown license) spring-core (org.springframework:spring-core:3.0.5.RELEASE)
     (Unknown license) spring-expression (org.springframework:spring-expression:3.0.5.RELEASE)
     (Unknown license) spring-tx (org.springframework:spring-tx:3.0.5.RELEASE)

### Apache project -- Good, BTW: As of 2010-09-01, the ORO project is retired.
     (Unknown license) oro (oro:oro:2.0.8 - no url defined)
### Apache project -- Good, by looking at the source code
     (Unknown license) regexp (regexp:regexp:1.3 - no url defined)
### Apache licensed -- Good, https://mvnrepository.com/artifact/org.osgi/org.osgi.compendium
     (Unknown license) org.osgi.compendium (org.osgi:org.osgi.compendium:4.2.0)
     (Unknown license) org.osgi.core (org.osgi:org.osgi.core:4.2.0)
### Python license is compatible -- Good, similar to http://www.jython.org/license.html
     (Jython Software License) Jython (org.python:jython:2.5.3 - http://www.jython.org/)

############## end of good.

### BAD: JSON: MIT with evil clause
### As of 2016-11-03 this has been moved to the 'Category X' license list
### ( "The Software shall be used for Good, not Evil."  from
http://www.json.org/license.html )
###  Consider replacing with this drop-in replacement:
### https://mvnrepository.com/artifact/com.tdunning/json
### from: https://stackoverflow.com/questions/10396176/org-json-jar-provisioning
### other alternatives:
### https://wiki.debian.org/qa.debian.org/jsonevil
  (provided without support or warranty) JSON (JavaScript Object Notation) (org.json:json:20090211 - http://www.json.org/java/index.html)


### BAD: GPL with classpath exception is explicitly not compatible

     (GNU General Public License (GPL), version 2, with the Classpath exception) JMH Core (org.openjdk.jmh:jmh-core:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-core/)

     (GNU General Public License (GPL), version 2, with the Classpath exception) JMH Generators: Annotation Processors (org.openjdk.jmh:jmh-generator-annprocess:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-generator-annprocess/)
