On 03/09/2018 at 09:56, Kiran Ayyagari wrote:
> On Mon, Sep 3, 2018 at 1:09 PM, Emmanuel Lécharny <[email protected]>
> wrote:
>
>> Hi !
>>
>> I have checked all the LDAP API dependencies this week-end. We don't
>> have many being used in the resulting package, most of them are just
>> used for tests.
>>
>> Here are the 'compile' scope dependencies :
>>
>> org.slf4j:slf4j-api:jar:1.7.25
>> org.slf4j:slf4j-log4j12:jar:1.7.25
>> log4j:log4j:jar:1.2.17
>> antlr:antlr:jar:2.7.7
>> org.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr:jar:2.7.7_5
>> org.apache.servicemix.bundles:org.apache.servicemix.bundles.dom4j:jar:1.6.1_5
>> org.apache.servicemix.bundles:org.apache.servicemix.bundles.xpp3:jar:1.1.4c_7
>> xml-apis:xml-apis:jar:1.0.b2
>>
>> That means the licenses for those dependencies must be present and
>> up-to-date in our N&L.
>>
>> o slf4j 1.7.25 : we are still referencing the slf4j 1.7.10 license. I
>> changed that (note that the current version's license [1] date stops at
>> 2017, I have contacted Ceki about it)
>>
>> o log4j 1.2.17: this is an apache project, and version 1.X has reached
>> EOL in 2015. It's about time to upgrade to 2.11.1, the latest version
>>
> I noticed some delay in startup time when log4j 2.x is used, I suspect that
> latest log4j version takes a bit more
> time to initialize, I have never encountered this with log4j 1.x.
> In either case I think it is a good idea to limit the scope of log4j
> dependency to tests and let the API users
> decide on the logging implementation to plug.
>
> It won't be an incompatible change because API code uses slf4j.

Currently, the log4j dependency is only required by the LDAP API distribution module that generates a standalone library. In this very case, the log4j library is necessary.

Nevertheless, we need to investigate what would be the pros and cons of switching to log4j2.

Regarding servicemix bundles, it appears they are just wrappers around libraries that export and import packages for OSGi usage. Now, those packages are used in our software, so we must include them in our N&L files. Typically the xpp3 license [4] must be included, and so must the updated dom4j license.

Otherwise, regarding the distribution/src/main/release/NOTICE file, I do think there are many useless packages listed there :

o we don't use ant anymore
o Maven does not need to be listed in a distribution package
o Junit does not belong to distribution either

[4] https://github.com/nicksieger/jrexml/blob/master/lib/xpp3.LICENSE.txt

--
Emmanuel Lecharny

Symas.com
directory.apache.org
