Hi,

When I was looking at this issue [1], I realized that Dubbo may have the
same issue.
From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
where the following dependency has been added:

<dependency>
    <groupId>com.alibaba.nacos</groupId>
    <artifactId>nacos-client</artifactId>
    <version>${nacos.version}</version>
    <optional>true</optional>
</dependency>

which depends on the following dependencies:

<dependency>
    <groupId>org.codehaus.jackson</groupId>
    <artifactId>jackson-mapper-lgpl</artifactId>
</dependency>

<dependency>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-annotations</artifactId>
    <optional>true</optional>
</dependency>

which are LGPL v2.1 licensed.

This means nacos-client should not be Apache Licensed as claimed, and
Dubbo could not depend on nacos-client.

I have contacted the Nacos team, and they are addressing this issue.

My question is: how can we avoid this kind of issue?
Should we check every newly added dependency for license compatibility?
Are there any tools which can do automatic scanning?

[1] https://github.com/apache/incubator-skywalking/pull/2422

-- 
Best Regards!
Huxing
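
An added example of the kind of automated check asked about above (not code from the original message, Dubbo or Nacos): it parses constructed POM fragments modelled on the dependencies quoted in the mail, walks the transitive closure using Maven's rule that optional dependencies are not propagated to consumers, and reports every GPL-family license together with the path through which it reaches the project. The license names and optional flags in the fragments are assumptions for illustration, not copied from the real POMs.

```python
import xml.etree.ElementTree as ET
from collections import deque

# Constructed POM fragments (license names and optional flags are assumptions, not the real POMs).
APACHE = "<licenses><license><name>Apache License, Version 2.0</name></license></licenses>"
LGPL_POM = ("<project><licenses><license><name>GNU Lesser General Public License "
            "(LGPL), Version 2.1</name></license></licenses></project>")
POMS = {
    "org.apache.dubbo:dubbo": f"""<project>{APACHE}<dependencies>
      <dependency><groupId>com.alibaba.nacos</groupId><artifactId>nacos-client</artifactId>
      <optional>true</optional></dependency></dependencies></project>""",
    "com.alibaba.nacos:nacos-client": f"""<project>{APACHE}<dependencies>
      <dependency><groupId>org.codehaus.jackson</groupId><artifactId>jackson-mapper-lgpl</artifactId></dependency>
      <dependency><groupId>com.github.spotbugs</groupId><artifactId>spotbugs-annotations</artifactId>
      <optional>true</optional></dependency></dependencies></project>""",
    "org.codehaus.jackson:jackson-mapper-lgpl": LGPL_POM,
    "com.github.spotbugs:spotbugs-annotations": LGPL_POM,
}

def parse_pom(xml_text):
    """Return (license names, [(groupId:artifactId, optional)]) declared in a POM."""
    root = ET.fromstring(xml_text)
    licenses = [(n.text or "").strip() for n in root.iterfind("./licenses/license/name")]
    deps = [(f"{d.findtext('groupId')}:{d.findtext('artifactId')}",
             (d.findtext("optional") or "false").strip() == "true")
            for d in root.iterfind("./dependencies/dependency")]
    return licenses, deps

def transitive_closure(poms, root):
    """Map every artifact reachable from `root` to its dependency path."""
    reached, queue = {root: [root]}, deque([root])
    while queue:
        cur = queue.popleft()
        for coord, optional in parse_pom(poms[cur])[1]:
            # Maven does not propagate optional dependencies: follow them only at the root.
            if (optional and cur != root) or coord in reached:
                continue
            reached[coord] = reached[cur] + [coord]
            queue.append(coord)
    return reached

def find_license_violations(poms, root):
    """Return {artifact: (offending licenses, 'a -> b -> c' path)} over root's closure."""
    violations = {}
    for coord, path in transitive_closure(poms, root).items():
        bad = [l for l in parse_pom(poms[coord])[0] if "GPL" in l.upper()]  # GPL family: ASF Category X
        if bad:
            violations[coord] = (bad, " -> ".join(path))
    return violations
```

Run against "org.apache.dubbo:dubbo" it flags only jackson-mapper-lgpl (spotbugs-annotations is optional inside nacos-client and so never reaches Dubbo), while run against "com.alibaba.nacos:nacos-client" it flags both.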
