Joseph Witt created NIFI-1419:
---------------------------------
Summary: Use of Snappy-Java questionable according to ASF
licensing guidelines
Key: NIFI-1419
URL: https://issues.apache.org/jira/browse/NIFI-1419
Project: Apache NiFi
Issue Type: Bug
Reporter: Joseph Witt
Apache NiFi presently uses (by transitive dependency) Xerial Snappy which is
ASLv2 https://github.com/xerial/snappy-java/blob/develop/LICENSE
NiFi uses Snappy in at least the following places
{quote}
./nar/extensions/nifi-avro-nar-0.4.2-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/snappy-java-1.0.5.jar
./nar/extensions/nifi-hadoop-libraries-nar-0.4.2-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/snappy-java-1.0.5.jar
./nar/extensions/nifi-hbase_1_1_2-client-service-nar-0.4.2-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/snappy-java-1.0.5.jar
./nar/extensions/nifi-kafka-nar-0.4.2-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/snappy-java-1.1.1.7.jar
./nar/extensions/nifi-standard-nar-0.4.2-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/snappy-java-1.0.5.jar
{quote}
But the concern is that Java-Snappy's NOTICE
https://github.com/xerial/snappy-java/blob/develop/NOTICE indicates that it is
comprised of statically linked software made available under the GNU Runtime
Library Exception
{quote}
This library containd statically linked libstdc++. This inclusion is allowed by
"GCC RUntime Library Exception"
http://gcc.gnu.org/onlinedocs/libstdc++/manual/license.html
{quote}
In reviewing the allowable licensing for Apache projects (which is an ASL
interpretation of the valid ASLv2 licensing terms) found here
http://www.apache.org/legal/resolved.html#category-x Specifically the language
that suggests this is disallowed is
{quote}
Special exceptions to the GNU GPL
Some copyright holders have licensed their works under the GPL with special
exceptions. Although these exceptions may appear to be addressing the
restrictions disallowed by the ASF's first and second license criteria, the
exceptions may only apply to software not "derived from or based on" the
covered work. This references terms defined in the GPL that include works that
"use" or "contain" the work.
{quote}
It appears that this library, as it is coming in via transitive dependencies,
is used by many ASF projects including Spark, Kafka, Hadoop, and Cassandra.
We need to find out whether this is a problem which we must remedy and if so
how best to do so given the connection it has to so many projects. There is a
pure Java alternative which we will move to for one of our new interests in a
direct support for Snappy compression but for these other libraries that use
Xerials we should verify the situation.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
