> On Jul 6, 2021, at 10:12 AM, Emmanuel Lécharny <[email protected]> wrote:
>
> This is irrelevant.
>
> Whatever due diligence CXF did, as soon as we know that there is a GPL/LGPL
> dependency, we can't cut a release with it in our packages.
>
> The simple fact it's a transitive dependency is not protecting us here.
>
> The question is: do we *need* this dependency?

The answer’s ‘no’. The jar can be excluded from both CXF dependencies in enmasse: cxf-core and cxf-rt-frontend-jaxrs. No problems that I’m aware of.

So, let’s cancel this vote. I’ll rebuild the artifacts and we’ll try again.

Good catch, Stefan.

> If so, then do we have a way to release a package that does not contain it,
> and explain to the user that they have to add it themselves should they need it?
>
> FTR, in Mina, we release a package that optionally would require a dependency
> on the rxtx library, which is GPL. Obviously, we can't add this dependency in
> our package, so we tell the user that they can compile the code using a
> -Pserial flag to incorporate the lib, which is *not* packaged by us otherwise.
>
> This way, what we release cannot 'contaminate' the user without their
> knowledge.
