Hi,

It looks like the dependencies with incompatible licenses have been
removed on the Nacos side.
So I think Dubbo should upgrade to the latest version once there is a release.

On Tue, Apr 2, 2019 at 10:28 AM Ian Luo <[email protected]> wrote:
>
> We should contact Nacos's developers to fix this dependency issue.
>
> -Ian.
>
> On Mon, Apr 1, 2019 at 6:15 PM Huxing Zhang <[email protected]> wrote:
>
> > Hi,
> >
> > When I was looking at this issue [1], I realized that Dubbo may have the
> > same issue.
> > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> > where the following dependency has been added:
> >
> > <dependency>
> >     <groupId>com.alibaba.nacos</groupId>
> >     <artifactId>nacos-client</artifactId>
> >     <version>${nacos.version}</version>
> >     <optional>true</optional>
> > </dependency>
> >
> > which depends on the following dependencies:
> >
> > <dependency>
> >     <groupId>org.codehaus.jackson</groupId>
> >     <artifactId>jackson-mapper-lgpl</artifactId>
> > </dependency>
> >
> > <dependency>
> >     <groupId>com.github.spotbugs</groupId>
> >     <artifactId>spotbugs-annotations</artifactId>
> >     <optional>true</optional>
> > </dependency>
> >
> > which is LGPL v2.1 licensed.
> >
> > This means nacos-client should not be Apache Licensed as claimed, and
> > Dubbo could not depend on nacos-client.
> >
> > I have contacted the Nacos team; they are addressing this issue.
> >
> > My question is how to avoid this kind of issue?
> > Should we check every newly added dependency for license compatibility?
> > Are there any tools which can do automatic scanning?
> >
> > [1] https://github.com/apache/incubator-skywalking/pull/2422
> >
> > --
> > Best Regards!
> > Huxing
> >



-- 
Best Regards!
Huxing
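
The kind of automatic check asked about in the quoted message, as an added example (not part of the original thread, and not Dubbo or Nacos code): it walks dependency metadata transitively and reports the path to any artifact whose declared license is on a deny list. The POM contents, the `example:app` root, the `pom` and `scan` helpers and the deny list are assumptions constructed for illustration; the license names follow what the thread states.

```python
import xml.etree.ElementTree as ET

# Policy list assumed for this example; LGPL is the case raised in the thread.
FORBIDDEN = ("lgpl", "lesser general public")

def pom(license_name, deps=()):
    """Build a minimal constructed POM (real POMs also carry an XML namespace)."""
    dep_xml = "".join(
        f"<dependency><groupId>{g}</groupId><artifactId>{a}</artifactId>"
        f"<optional>{str(opt).lower()}</optional></dependency>"
        for g, a, opt in deps)
    return (f"<project><licenses><license><name>{license_name}</name></license>"
            f"</licenses><dependencies>{dep_xml}</dependencies></project>")

# Constructed metadata mirroring the chain in the thread; "example:app" is a
# hypothetical project that declares nacos-client as an optional dependency.
POMS = {
    "example:app": pom("Apache License, Version 2.0",
                       [("com.alibaba.nacos", "nacos-client", True)]),
    "com.alibaba.nacos:nacos-client": pom("Apache License, Version 2.0", [
        ("org.codehaus.jackson", "jackson-mapper-lgpl", False),
        ("com.github.spotbugs", "spotbugs-annotations", True)]),
    "org.codehaus.jackson:jackson-mapper-lgpl": pom("LGPL 2.1"),
    "com.github.spotbugs:spotbugs-annotations": pom("LGPL 2.1"),
}

def scan(root, poms, follow_optional=False):
    """Return sorted (path, license) pairs for forbidden or unknown licenses.
    Maven does not resolve a dependency's optional dependencies transitively,
    so those are skipped unless follow_optional is set."""
    findings, seen, stack = [], set(), [(root, (root,))]
    while stack:
        coord, path = stack.pop()
        if coord in seen:
            continue
        seen.add(coord)
        if coord not in poms:  # missing metadata is itself a finding
            findings.append((path, "UNKNOWN"))
            continue
        project = ET.fromstring(poms[coord])
        name = project.findtext("licenses/license/name", default="UNKNOWN")
        if name == "UNKNOWN" or any(f in name.lower() for f in FORBIDDEN):
            findings.append((path, name))
        for dep in project.findall("dependencies/dependency"):
            if dep.findtext("optional") == "true" and len(path) > 1 and not follow_optional:
                continue
            child = f"{dep.findtext('groupId')}:{dep.findtext('artifactId')}"
            stack.append((child, path + (child,)))
    return sorted(findings)
```

With Maven's default resolution only the path ending in jackson-mapper-lgpl is reported for `example:app`; `follow_optional=True` also reports spotbugs-annotations, which matters when auditing nacos-client itself.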
