We should contact Nacos's developer to fix this dependency issue.

-Ian.

On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <[email protected]> wrote:
> Hi,
>
> When I am looking at this issue[1], I realized that Dubbo may have the
> same issue.
> From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> where the following dependency has been added:
>
> <dependency>
>     <groupId>com.alibaba.nacos</groupId>
>     <artifactId>nacos-client</artifactId>
>     <version>${nacos.version}</version>
>     <optional>true</optional>
> </dependency>
>
> which depends on the following dependencies:
>
> <dependency>
>     <groupId>org.codehaus.jackson</groupId>
>     <artifactId>jackson-mapper-lgpl</artifactId>
> </dependency>
>
> <dependency>
>     <groupId>com.github.spotbugs</groupId>
>     <artifactId>spotbugs-annotations</artifactId>
>     <optional>true</optional>
> </dependency>
>
> which is LGPL v2.1 licensed.
>
> This means nacos-client should not be Apache Licensed as claimed, and
> Dubbo could not depend on nacos-client.
>
> I have contacted the Nacos team; they are addressing this issue.
>
> My question is how to avoid this kind of issue?
> Should we check every newly added dependency for license compatibility?
> Are there any tools which can do automatic scanning?
>
> [1] https://github.com/apache/incubator-skywalking/pull/2422
>
> --
> Best Regards!
> Huxing
>
