Re: dependencies and licensing

Wed, 31 Jan 2018 07:37:08 -0800

re: #3, it's been hashed out many times (here in Calcite and elsewhere in the ASF). The result of which is that there is misleading licensing information, but this dependency is of no concern. 

On 1/29/18 10:00 AM, Michael Mior wrote:

1. Since we don't publish the dependencies HTML, fixing it isn't really a
priority. Although if you have a reasonable fix, we'd be happy to accept it.

2. When building myself, I see the license listed as EPL with a correct
link.

3. I don't see any way that Calcite could be considered as derived from
jsr305. Furthermore, it has been used by many Apache projects for years
without issue so I don't think there's a practical concern there.

4. As long as the update doesn't break compatibility and all tests pass, we
generally accept updates to the latest versions of dependencies. But
someone needs to take the initiative. Dependencies are often not updated
unless a committer is actively working on that part of the code or there's
a request for it.

--
Michael Mior
[email protected]

2018-01-28 7:43 GMT-05:00 Alexey Roytman <[email protected]>:


Hello, gurus!
When I do in my project (separate tree from Calcite, but calcite-core in
dependencies):
     mvn clean site -U -Dhttp.proxyHost=... -Dhttp.proxyPort=...
-Dhttps.proxyHost=... -Dhttps.proxyPort=...
And then, I look at the target/site/dependencies.html file...

And here are my 4 questions:

1. The following are interesting ones:
     https://calcite.apache.org/calcite-core
     https://calcite.apache.org/calcite-linq4j
     https://calcite.apache.org/avatica/avatica-core
     https://calcite.apache.org/avatica/avatica-metrics
     http://hc.apache.org/httpcomponents-client
     https://datasketches.github.io/memory/
     https://datasketches.github.io/sketches-core/
     https://github.com/julianhyde/aggdesigner/aggdesigner-algorithm
     http://docs.codehaus.org/display/JANINO/Home/commons-compiler
     http://docs.codehaus.org/display/JANINO/Home/janino
     https://github.com/hamcrest/JavaHamcrest/hamcrest-core
     https://developers.google.com/protocol-buffers/protobuf-java/
     https://github.com/google/guava/guava
They are inaccessible.
Is there any way for me (or us) to fix that? Or only Maven component owner
can do that?

2. The JUnit shows CPLv1 license (with broken URL of:
https://opensource.org/licenses/cpl1.0.txt)
     But the actual license (http://junit.org/junit4/license.html) is EPL
(Eclipse Public License).
     Anyway to fix that?

3. The calcite-core depends on a findbugs/jsr305. I hope a lot that
Calcite is not defined "derived work" in this case. Because for findbugs
there is some unexplained mix (https://github.com/findbugspr
oject/findbugs/issues/128) of LGPLv2 and NewBSD (for JSR305)... Any
comments?

4. What are the policies of Calcite to update dependencies to newer
version?

- Alexey.

Reply via email to