> On Jul 5, 2021, at 1:18 PM, Stefan Seelmann <[email protected]> wrote:
>
> I found one weird thing: the fortress-rest-2.0.6.war contains in
> WEB-INF/lib the jboss-rmi-api_1.0_spec-1.0.6.Final.jar.

That jar does not appear on a test machine using JDK 8. Reading the ticket, it’s JDK 11 specific, which is what I used to build the release.

> This is either
> GPL/LGPL licensed, the git repo includes no license file, the pom.xml
> mentions LGPL [1], the license file within the JAR states GPL+CPE.
>
> But this is a transitive dependency from
> org.apache.cxf:cxf-core:jar:3.4.4, defined in its parent pom [2], so if
> they include it as dependency it must be ok, right?

Depends on if trust is transitive. Do we trust that CXF project did their due diligence?

> It's included in fortress-rest since 2.0.5 and was introduced in CXF
> 3.3.0 [3]
>
> Anyone has a clue? Or should we ask legal?

I’d say yes. (Trust but verify)

— Shawn
