I think I have the dependencies cleaned up. I did discover that JSR-305 is GPL, so those annotations are off the table, which is unfortunate.

I also took all of the example projects out and put them in another project. That's where the hibernate dependencies were coming from.

There is one pull request being reviewed, but the develop branch at https://github.com/PennState/SCIMple-Identity is the most current code.

Please advise on any additional steps we should take.

Cheers,

Shawn

________________________________
From: Stefan Seelmann <[email protected]>
Sent: Thursday, June 14, 2018 2:59:27 PM
To: [email protected]
Subject: Re: PSU SCIMple donation

Hi Shawn,

yes, that is totally fine.

Thanks,
Stefan

On 06/14/2018 07:14 PM, Smith, Shawn E wrote:
> Is an exclusion sufficient from a license perspective?
>
> For instance if I change the pom in scim-spec-protocol to have
>
> <dependency>
>   <groupId>io.swagger</groupId>
>   <artifactId>swagger-jaxrs</artifactId>
>   <version>1.5.0</version>
>   <exclusions>
>     <exclusion>
>       <groupId>com.fasterxml.jackson.dataformat</groupId>
>       <artifactId>jackson-dataformat-xml</artifactId>
>     </exclusion>
>     <exclusion>
>       <groupId>com.fasterxml.jackson.core</groupId>
>       <artifactId>jackson-core</artifactId>
>     </exclusion>
>     <exclusion>
>       <groupId>com.fasterxml.jackson.core</groupId>
>       <artifactId>jackson-annotations</artifactId>
>     </exclusion>
>     <exclusion>
>       <groupId>com.google.code.findbugs</groupId>
>       <artifactId>annotations</artifactId>
>     </exclusion>
>     <exclusion>
>       <groupId>com.fasterxml.jackson.core</groupId>
>       <artifactId>jackson-databind</artifactId>
>     </exclusion>
>     <exclusion>
>       <artifactId>jsr311-api</artifactId>
>       <groupId>javax.ws.rs</groupId>
>     </exclusion>
>   </exclusions>
> </dependency>
>
> findbugs is no longer represented in the dependency tree
>
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ scim-spec-protocol ---
> [INFO] edu.psu.swe.scim:scim-spec-protocol:jar:2.23-SNAPSHOT
> [INFO] +- javax:javaee-api:jar:7.0:provided
> [INFO] | \- com.sun.mail:javax.mail:jar:1.5.0:provided
> [INFO] | \- javax.activation:activation:jar:1.1.1:compile
> [INFO] +- io.swagger:swagger-jaxrs:jar:1.5.0:compile
> [INFO] | +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.8.8:compile
> [INFO] | | \- org.yaml:snakeyaml:jar:1.15:compile
> [INFO] | +- io.swagger:swagger-core:jar:1.5.0:compile
> [INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.8.8:compile
> [INFO] | | | \- joda-time:joda-time:jar:2.7:compile
> [INFO] | | \- io.swagger:swagger-models:jar:1.5.0:compile
> [INFO] | | \- io.swagger:swagger-annotations:jar:1.5.0:compile
> [INFO] | +- org.reflections:reflections:jar:0.9.10:compile
> [INFO] | | +- com.google.guava:guava:jar:20.0:compile
> [INFO] | | \- org.javassist:javassist:jar:3.18.2-GA:compile
> [INFO] | \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.8.8:compile
> [INFO] | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.8.8:compile
> [INFO] | \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.8.8:compile
> [INFO] +- edu.psu.swe.scim:scim-spec-schema:jar:2.23-SNAPSHOT:compile
> [INFO] | +- javax.xml.bind:jaxb-api:jar:2.1:compile
> [INFO] | | \- javax.xml.stream:stax-api:jar:1.0-2:compile
> [INFO] | +- javax.validation:validation-api:jar:1.1.0.Final:compile
> [INFO] | +- org.slf4j:slf4j-api:jar:1.7.12:compile
> [INFO] | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
> [INFO] | \- org.apache.commons:commons-lang3:jar:3.1:compile
> [INFO] +- org.projectlombok:lombok:jar:1.16.14:provided
> [INFO] +- junit:junit:jar:4.12:test
> [INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:test
> [INFO] +- pl.pragmatists:JUnitParams:jar:1.0.4:test
> [INFO] +- org.slf4j:slf4j-simple:jar:1.7.12:test
> [INFO] \- org.antlr:antlr4-runtime:jar:4.5.3:compile
>
> Shawn
>
> ________________________________
> From: Smith, Shawn E <[email protected]>
> Sent: Saturday, June 9, 2018 1:20:25 PM
> To: [email protected]; Apache Directory Developers List
> Subject: Re: PSU SCIMple donation
>
> The dependency problem should be pretty easy to address, they're mostly in example projects. I'll look at it tomorrow.
>
> By the way, is anyone on the list going to Dockercon?
>
> ________________________________
> From: Stefan Seelmann <[email protected]>
> Sent: Saturday, June 9, 2018 10:01:16 AM
> To: [email protected]
> Subject: Re: PSU SCIMple donation
>
> On 06/03/2018 10:39 AM, Stefan Seelmann wrote:
>> Next steps:
>> * Identify the codebase: What I see [2] is the latest commit, correct?
>> * Decide on a name: which name should we use? SCIMple, eSCIMo, something else? We just have to be sure the name is not trademarked yet.
>
> Any thoughts on this?
>
>> * Check source and dependencies for Apache License compatibility (I do, but more eyes are welcomed :-)
>
> I found the following problematic dependencies which are LGPL licensed and must not be included in an Apache release artifact.
>
> com.google.code.findbugs:annotations:2.0.1
> * LGPL
> * scim-server-rdbms, scim-spec-protocol, scim-server-couchdb, etc.
> * Transitive dependency of swagger-jaxrs
> * Fix: try to exclude?
>
> org.hibernate:hibernate-jpamodelgen:5.2.0.Final
> * LGPL
> * scim-server-rdbms
> * Fix: Change scope to provided as it is only used at build time
>
> org.hibernate:hibernate-core:5.0.9.Final
> org.hibernate:hibernate-entitymanager:5.0.9.Final
> * LGPL
> * scim-errai
> * Fix: switch to another JPA implementation (Apache OpenJPA), but I don't know how deep Hibernate is wired into Errai.
> * Note: this is only an issue if it's planned to publish a WAR file that includes Hibernate. The current scim-errai seems to only be a showcase app.
>
>> * Wait for secretary confirmation that CCLA is recorded
>
> This is done
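
The check done by hand in this thread (run the dependency tree, look for the LGPL artifacts, see which dependency pulls them in) can be scripted. The following is an added example, not part of the original messages or of the SCIMple code base. The denylist coordinates come from the thread; the sample tree, its root `org.example:demo` and the nesting of the findbugs artifact under `reflections` are constructed for illustration.

```python
import re

# groupId:artifactId pairs the thread identifies as LGPL licensed.
DENYLIST = {
    "com.google.code.findbugs:annotations",
    "org.hibernate:hibernate-jpamodelgen",
    "org.hibernate:hibernate-core",
    "org.hibernate:hibernate-entitymanager",
}
# Scopes that are not packaged into the released artifact.
UNBUNDLED_SCOPES = {"provided", "test"}

# One node line: "[INFO] ", 3-character indent units, optional "+- " or "\- ", coordinates.
NODE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?(\S+)$")

def parse_tree(text):
    """Yield (depth, coordinates) for each node of `mvn dependency:tree` output."""
    for line in text.splitlines():
        m = NODE.match(line.rstrip())
        if m and m.group(3).count(":") >= 3:
            yield len(m.group(1)) // 3 + (1 if m.group(2) else 0), m.group(3)

def find_denied(text, denylist=DENYLIST):
    """Return (path from root, scope) for each denylisted artifact that would be bundled."""
    stack, hits = [], []
    for depth, coord in parse_tree(text):
        parts = coord.split(":")
        ga, scope = ":".join(parts[:2]), parts[-1]
        del stack[depth:]  # leave only the ancestors of this node
        stack.append(ga)
        if ga in denylist and scope not in UNBUNDLED_SCOPES:
            hits.append((" -> ".join(stack), scope))
    return hits

# Constructed sample (not output from the project); root and nesting are assumptions.
BEFORE = r"""[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ demo ---
[INFO] org.example:demo:jar:1.0-SNAPSHOT
[INFO] +- io.swagger:swagger-jaxrs:jar:1.5.0:compile
[INFO] |  +- org.reflections:reflections:jar:0.9.10:compile
[INFO] |  |  \- com.google.code.findbugs:annotations:jar:2.0.1:compile
[INFO] |  \- io.swagger:swagger-core:jar:1.5.0:compile
[INFO] +- org.hibernate:hibernate-jpamodelgen:jar:5.2.0.Final:provided
[INFO] \- junit:junit:jar:4.12:test"""
# The same tree once the <exclusion> for findbugs annotations is in place.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "findbugs" not in l)

if __name__ == "__main__":
    for path, scope in find_denied(BEFORE):
        print(f"DENIED ({scope}): {path}")
    print("after exclusion:", find_denied(AFTER) or "clean")
```

The reported path names the direct dependency that needs the `<exclusion>`, and a `provided`-scoped hit is skipped because it is not packaged into the release artifact.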
