On Mon, Apr 22, 2019 at 4:08 PM Minxuan Zhuang <[email protected]> wrote:
> Hi, this LGPL License issue has been fixed, thanks kezhenxu94, I'll
> cancel this vote and start a new one
>
> On Mon, Apr 22, 2019 at 3:09 PM Huxing Zhang <[email protected]> wrote:
>
>> Hi,
>>
>> On Mon, Apr 22, 2019 at 1:38 PM kezhenxu94 <[email protected]> wrote:
>>>
>>> Hi All,
>>> I've excluded the `hibernate-core` dependency and verified as follows:
>>>
>>> $ mvn license:add-third-party -Dlicense.useMissingFile
>>> $ cat dubbo-admin-server/target/generated-sources/license/THIRD-PARTY.txt | grep "General Public License"
>>>
>>> here is the output
>>>
>>> (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Classic Module (ch.qos.logback:logback-classic:1.2.3 - http://logback.qos.ch/logback-classic)
>>> (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Core Module (ch.qos.logback:logback-core:1.2.3 - http://logback.qos.ch/logback-core)
>>>
>>
>> These are dual licensed dependencies, so we can choose the most
>> permissive one. In this case EPL is compatible with Apache so no issue
>> here.
>> Be aware that General Public License is just one of the keywords, other
>> keywords might also be checked, like GPL.
>>
>>>
>>> also, I've tested that the functionality introduced together with this dependency[1] works well.
>>>
>>> I'll check the license next time when I need to introduce new dependencies.
>>> [1] https://github.com/apache/incubator-dubbo-admin/pull/324
>>>
>>> Thanks
>>>
>>> At 2019-04-22 10:17:43, "Huxing Zhang" <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> On Sun, Apr 21, 2019 at 11:11 PM Sheng Wu <[email protected]> wrote:
>>>>>
>>>>> Hi.
>>>>>
>>>>>> 1. Stop distribute the binary of incubator-dubbo-admin
>>>>>
>>>>> I think "stop distribute the binary" would NOT change the fact the source
>>>>> release could lead users to use `hibernate-core`. I doubt this is an option.
>>>>
>>>> That option is based on my understanding that linking to
>>>> "hibernate-core" does not create a derivative work of
>>>> "hibernate-core".
>>>> Yes, when compiling the source code and running the incubator-dubbo-admin
>>>> code, the hibernate-core binary will be included, this
>>>> will create a derivative work of "hibernate-core". As long as users do
>>>> not distribute it, I think it is fine to use it.
>>>> This is the same case as using "spring-boot-starter-data-jpa".
>>>> However, it becomes a problem when users want to distribute the
>>>> incubator-dubbo-admin binary, it must not be licensed as Apache
>>>> license, but should only be GPL/LGPL licensed.
>>>> This creates a risk that some users won't use this software because of
>>>> the potential license issue, which is not what we want.
>>>> So as long as an Apache project does not distribute the binary, IMO it is fine.
>>>> That is my understanding of why this is an option. It is not a good
>>>> option, but I think it is an option.
>>>>
>>>>>
>>>>> Also based on the license issue, you should consider canceling this vote,
>>>>> and move the further discussion to dev ml.
>>>>
>>>> I agree that cancelling this vote is the safest way for now, before
>>>> everything is cleared.
>>>>
>>>>>
>>>>> Sheng Wu 吴晟
>>>>>
>>>>> Apache SkyWalking, ShardingSphere, Zipkin
>>>>> Twitter, wusheng1108
>>>>>
>>>>> On Sun, Apr 21, 2019 at 11:02 PM Huxing Zhang <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am thinking why spring-boot-starter-data-jpa depends on LGPL
>>>>>> licensed library "hibernate-core", and can still be Apache 2.0
>>>>>> licensed.
>>>>>> I am reading [1]. In section 5 it says:
>>>>>>
>>>>>> A program that contains no derivative of any portion of the Library,
>>>>>> but is designed to work with the Library by being compiled or linked
>>>>>> with it, is called a "work that uses the Library". Such a work, in
>>>>>> isolation, is not a derivative work of the Library, and therefore
>>>>>> falls outside the scope of this License.
>>>>>>
>>>>>> I think spring-boot-starter-data-jpa falls into this case. It is a
>>>>>> "work that uses the Library".
>>>>>>
>>>>>> The source code of incubator-dubbo-admin should also fall into this
>>>>>> case, because it does not contain any portion of the hibernate-core.
>>>>>> Based on it and explanation here[2], I think the source code can be
>>>>>> released anyway. Is my understanding correct?
>>>>>>
>>>>>> Next, the LGPL license says:
>>>>>>
>>>>>> However, linking a "work that uses the Library" with the Library
>>>>>> creates an executable that is a derivative of the Library (because it
>>>>>> contains portions of the Library), rather than a "work that uses the
>>>>>> library". The executable is therefore covered by this License.
>>>>>>
>>>>>> The binary distribution of incubator-dubbo-admin falls into this case
>>>>>> because it creates an executable that contains binary of
>>>>>> hibernate-core. Therefore it is a "work based on the library". As a
>>>>>> derivative of hibernate-core, it must be licensed with LGPL/GPL, which
>>>>>> is not allowed as an Apache product, and eventually causes the
>>>>>> incompatibility.
>>>>>>
>>>>>> If my understanding is correct, there are at least 4 ways to solve this
>>>>>> issue:
>>>>>> 1. Stop distribute the binary of incubator-dubbo-admin
>>>>>> 2. Make the feature optional, as explained here[3]
>>>>>> 3. Stop depending on hibernate-core
>>>>>> 4. Choose other Apache compatible equivalent
>>>>>>
>>>>>> I recommend to go with number 3 in my last thread.
>>>>>>
>>>>>> [1] https://opensource.org/licenses/LGPL-2.1
>>>>>> [2] https://www.apache.org/legal/resolved.html#prohibited
>>>>>> [3] https://www.apache.org/legal/resolved.html#optional
>>>>>>
>>>>>> On Sun, Apr 21, 2019 at 10:40 AM Huxing Zhang <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> ccing dev@dubbo
>>>>>>>
>>>>>>> On Fri, Apr 19, 2019 at 8:24 AM Willem Jiang <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I just checked the binary release kit, it has the third party
>>>>>>>> dependency of LGPL (Hibernate core) which belongs to Category
>>>>>>>> X[1], it cannot be included in Apache Product.
>>>>>>>> I had to vote -1 for it. We can change the ORM lib to Eclipse Link to
>>>>>>>> fix this issue, I just filed an issue here[2].
>>>>>>>
>>>>>>> I did some digging for this issue and confirm that this is introduced by
>>>>>>> this pull request[1].
>>>>>>> The purpose of this pull request is to introduce the pagination to
>>>>>>> service query.
>>>>>>> In this pull request a dependency to spring-boot-starter-data-jpa was added,
>>>>>>> which introduces the LGPL licensed dependency hibernate-core.
>>>>>>> The detailed dependency tree is shown below:
>>>>>>>
>>>>>>> [INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.0.2.RELEASE:compile
>>>>>>> [INFO] | +- org.springframework.boot:spring-boot-starter-aop:jar:2.0.2.RELEASE:compile
>>>>>>> [INFO] | | \- org.aspectj:aspectjweaver:jar:1.8.13:compile
>>>>>>> [INFO] | +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.0.2.RELEASE:compile
>>>>>>> [INFO] | | +- com.zaxxer:HikariCP:jar:2.7.9:compile
>>>>>>> [INFO] | | \- org.springframework:spring-jdbc:jar:5.0.6.RELEASE:compile
>>>>>>> [INFO] | +- org.hibernate:hibernate-core:jar:5.2.17.Final:compile
>>>>>>> [INFO] | | +- org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:compile
>>>>>>> [INFO] | | +- antlr:antlr:jar:2.7.7:compile
>>>>>>> [INFO] | | +- org.jboss:jandex:jar:2.0.3.Final:compile
>>>>>>> [INFO] | | +- dom4j:dom4j:jar:1.6.1:compile
>>>>>>> [INFO] | | \- org.hibernate.common:hibernate-commons-annotations:jar:5.0.1.Final:compile
>>>>>>> [INFO] | +- javax.transaction:javax.transaction-api:jar:1.2:compile
>>>>>>> [INFO] | +- org.springframework.data:spring-data-jpa:jar:2.0.7.RELEASE:compile
>>>>>>> [INFO] | | +- org.springframework.data:spring-data-commons:jar:2.0.7.RELEASE:compile
>>>>>>> [INFO] | | +- org.springframework:spring-orm:jar:5.0.6.RELEASE:compile
>>>>>>> [INFO] | | \- org.springframework:spring-tx:jar:5.0.6.RELEASE:compile
>>>>>>> [INFO] | \- org.springframework:spring-aspects:jar:5.0.6.RELEASE:compile
>>>>>>>
>>>>>>> Actually the hibernate-core dependency is never used when implementing
>>>>>>> the feature,
>>>>>>> I think it can be excluded quietly. This is the safest way to solve this issue.
>>>>>>> To dig further, the only dependency that is required to be added is just
>>>>>>> spring-data-commons,
>>>>>>> which is Apache 2.0 Licensed[2]. (I just confirm the code can compile
>>>>>>> and start correctly with spring-data-commons,
>>>>>>> it might need to check more at runtime to ensure everything is working)
>>>>>>>
>>>>>>> We need to be very careful when a new dependency is added, and ensure
>>>>>>> all the licenses (including transitive dependencies) are compatible
>>>>>>> with Apache.
>>>>>>>
>>>>>>> The community has identified several similar issues [3][4] for
>>>>>>> incubator-dubbo project, and similar actions should be done to
>>>>>>> incubator-dubbo-admin as well.
>>>>>>>
>>>>>>> To identify the issue automatically, I run the following command:
>>>>>>>
>>>>>>> mvn license:add-third-party -Dlicense.useMissingFile
>>>>>>>
>>>>>>> and grep the output:
>>>>>>>
>>>>>>> cat dubbo-admin-server/target/generated-sources/license/THIRD-PARTY.txt | grep "General Public License"
>>>>>>> (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Classic Module (ch.qos.logback:logback-classic:1.2.3 - http://logback.qos.ch/logback-classic)
>>>>>>> (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Core Module (ch.qos.logback:logback-core:1.2.3 - http://logback.qos.ch/logback-core)
>>>>>>> (GNU Lesser General Public License) Core Hibernate O/RM functionality (org.hibernate:hibernate-core:5.2.17.Final - http://hibernate.org)
>>>>>>> (GNU Lesser General Public License) Hibernate Commons Annotations (org.hibernate.common:hibernate-commons-annotations:5.0.1.Final - http://hibernate.org)
>>>>>>>
>>>>>>> The last 2 are both introduced by hibernate-core. A script to check
>>>>>>> license issue for dependencies was on the way[5].
>>>>>>>
>>>>>>> [1] https://github.com/apache/incubator-dubbo-admin/pull/324
>>>>>>> [2] https://github.com/spring-projects/spring-data-commons/blob/master/src/main/resources/license.txt
>>>>>>> [3] https://lists.apache.org/thread.html/2231c58509842fe4069f2091f00ea7fd5c4e6ae4bf8ce1a97b16e9c5@%3Cdev.dubbo.apache.org%3E
>>>>>>> [4] https://lists.apache.org/thread.html/e3112c832415850779af2fe04aa7325d8d776144f3939cc63f5eab08@%3Cdev.dubbo.apache.org%3E
>>>>>>> [5] https://github.com/apache/incubator-dubbo/issues/3840
>>>>>>>
>>>>>>>>
>>>>>>>> [1] https://www.apache.org/legal/resolved.html#category-x
>>>>>>>> [2] https://github.com/apache/incubator-dubbo-admin/issues/366
>>>>>>>>
>>>>>>>> Willem Jiang
>>>>>>>>
>>>>>>>> Twitter: willemjiang
>>>>>>>> Weibo: 姜宁willem
>>>>>>>>
>>>>>>>> On Mon, Apr 15, 2019 at 10:24 AM Minxuan Zhuang <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Hello Incubator Community,
>>>>>>>>>
>>>>>>>>> The Apache Dubbo community has voted on and approved a proposal to release
>>>>>>>>> Apache Dubbo Admin (Incubating) version 0.2.0.
>>>>>>>>>
>>>>>>>>> We now kindly request the Incubator PMC members review and vote on this
>>>>>>>>> incubator release.
>>>>>>>>>
>>>>>>>>> Apache Dubbo™ (incubating) is a high-performance, java based, open source
>>>>>>>>> RPC framework. Dubbo offers three key functionalities, which include
>>>>>>>>> interface based remote call, fault tolerance & load balancing, and
>>>>>>>>> automatic service registration & discovery.
>>>>>>>>>
>>>>>>>>> Dubbo community vote and result thread:
>>>>>>>>> https://lists.apache.org/thread.html/fc71a5f8c93b8c3606338b97a08c044af64ca3165e226aed37295a45@%3Cdev.dubbo.apache.org%3E
>>>>>>>>>
>>>>>>>>> The release candidates (RC3):
>>>>>>>>> https://dist.apache.org/repos/dist/dev/incubator/dubbo/dubbo-admin/0.2.0/
>>>>>>>>>
>>>>>>>>> Git tag for the release (RC3):
>>>>>>>>> https://github.com/apache/incubator-dubbo-admin/releases/tag/0.2.0
>>>>>>>>>
>>>>>>>>> Hash for the release tag:
>>>>>>>>> 37e23a7354e3da50914e075eb4676c7c2875ffa7
>>>>>>>>>
>>>>>>>>> Release Notes:
>>>>>>>>> https://github.com/apache/incubator-dubbo-admin/releases/tag/0.2.0
>>>>>>>>>
>>>>>>>>> The artifacts have been signed with Key :
>>>>>>>>> DA2108479B0C1E71, which can be
>>>>>>>>> found in the keys file:
>>>>>>>>> https://dist.apache.org/repos/dist/dev/incubator/dubbo/KEYS
>>>>>>>>>
>>>>>>>>> The vote will be open for at least 72 hours or until necessary number of
>>>>>>>>> votes are reached.
>>>>>>>>>
>>>>>>>>> Please vote accordingly:
>>>>>>>>>
>>>>>>>>> [ ] +1 approve
>>>>>>>>> [ ] +0 no opinion
>>>>>>>>> [ ] -1 disapprove with the reason
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> The Apache Dubbo (Incubating) Team
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>>>> For additional commands, e-mail: [email protected]
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Best Regards!
>>>>>>> Huxing
>>>>>>
>>>>>> --
>>>>>> Best Regards!
>>>>>> Huxing
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>> For additional commands, e-mail: [email protected]
>>>>>>
>>>>
>>>> --
>>>> Best Regards!
>>>> Huxing
>>
>> --
>> Best Regards!
>> Huxing
>>
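The check discussed in this thread (grep the generated `THIRD-PARTY.txt` for copyleft licences, but accept dual-licensed entries that offer a permissive alternative, and match more keywords than "General Public License") can be automated as below. This is an added example, not code from the thread or from the Dubbo project: the function names and the keyword pattern are assumptions, and the sample report combines the four entries quoted in the thread with two constructed ones.

```python
import re

# Assumed keyword set: the long licence name plus the GPL/LGPL/AGPL abbreviations.
COPYLEFT = re.compile(r"general public licen[sc]e|\b[al]?gpl", re.IGNORECASE)
# Trailing "(group:artifact:version - url)" part of a report entry.
GAV = re.compile(r"\(([\w.\-]+:[\w.\-]+:[\w.\-]+) - [^()]*\)\s*$")

def split_entry(line):
    """Split the leading '(licence)' groups from the rest; nested parens allowed."""
    s, i, licences = line.strip(), 0, []
    while i < len(s) and s[i] == "(":
        depth, j = 0, i
        while j < len(s):
            depth += (s[j] == "(") - (s[j] == ")")
            j += 1
            if depth == 0:
                break
        if depth != 0:          # unbalanced parentheses: stop parsing groups
            break
        licences.append(s[i + 1:j - 1].strip())
        i = j
        while i < len(s) and s[i].isspace():
            i += 1
    return licences, s[i:]

def audit(report_text):
    """Return {gav: licences} for entries whose every licence option is copyleft."""
    flagged = {}
    for line in report_text.splitlines():
        licences, rest = split_entry(line)
        gav = GAV.search(rest)
        if licences and gav and all(COPYLEFT.search(l) for l in licences):
            flagged[gav.group(1)] = licences
    return flagged

# First four entries are quoted in the thread; the org.example ones are constructed.
SAMPLE = """
Lists of 6 third-party dependencies.
     (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Classic Module (ch.qos.logback:logback-classic:1.2.3 - http://logback.qos.ch/logback-classic)
     (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Core Module (ch.qos.logback:logback-core:1.2.3 - http://logback.qos.ch/logback-core)
     (GNU Lesser General Public License) Core Hibernate O/RM functionality (org.hibernate:hibernate-core:5.2.17.Final - http://hibernate.org)
     (GNU Lesser General Public License) Hibernate Commons Annotations (org.hibernate.common:hibernate-commons-annotations:5.0.1.Final - http://hibernate.org)
     (Common Development and Distribution License (CDDL) v1.0) (GNU General Public License, version 2) Example API (org.example:example-api:1.0 - http://example.org)
     (LGPL 2.1) Example Lib (org.example:example-lib:2.0 - http://example.org)
"""

if __name__ == "__main__":
    for gav, licences in audit(SAMPLE).items():
        print(f"copyleft-only: {gav} {licences}")
```

An entry is reported only when none of its listed licences is permissive, so the dual-licensed Logback modules pass while the Hibernate artifacts are flagged.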
