The ambiguity of the conversation you provided in [6] is exactly why I have this opinion. Unless one of the devs can definitively say "it is BSD", there's way too much misinformation for me to feel comfortable with it.

Given the availability of https://stephenc.github.com/findbugs-annotations, it's a no-brainer to use that instead, IMO.

Specifically to Fluo, I did not inspect its usage that closely. If it's only used at build time, then, as you point out, it's a non-issue.

Christopher wrote:
What makes you think that jsr305 is not compatibly licensed? I spent some
time investigating this and the following is what I found. Unless I've
missed something, it looks like there's no issue with jsr305 as a
dependency.

* It looks to me like it's licensed under BSD. This is according to the
findbugs project[1], which has been redistributing the artifact after it
effectively went dormant[2]. The Google Groups set up for developing jsr305
seems to confirm the developers had agreed to distribute it under this[3].
* It looks like jsr305 is often incorrectly uploaded to Maven Central (by
findbugs?) under AL2, which is the license in the POM for our dependency
(version 3.0.0) [4]. It was once uploaded (again, seemingly incorrectly) as
LGPL, but we're not using that version [5].
* There is an outstanding GitHub issue for findbugs to clarify the
license[6], because it looks like they've been mislabeling it when they
redistribute. But, it's also possible that they've been able to relicense
under AL2, and forgot to update their docs which still say it's BSD.
* jsr305 is used by us during the build, as a test dependency. It looks
like that's okay, since we're not bundling it[7].
* It is also used as a compile and/or runtime transitive dependency via
Apache Spark. Even if we did depend on it directly, it seems like it should
be fine because it's an optional part of the project[8], as long as we're
not bundling it, and we're not.
* Is it a problem for Apache Spark to depend on this directly? If it's not,
I can't imagine it would be for us to depend on it transitively, through
them.

[1]: https://github.com/findbugsproject/findbugs/blob/3.0.1/findbugs/licenses/LICENSE-jsr305.txt
[2]: https://jcp.org/en/jsr/detail?id=305
[3]: https://groups.google.com/forum/#!topic/jsr-305/gQWGmiWMjE8
[4]: https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.0/jsr305-3.0.0.pom
[5]: https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.8/jsr305-1.3.8.pom
[6]: https://github.com/findbugsproject/findbugs/issues/128
[7]: http://www.apache.org/legal/resolved.html#prohibited
[8]: http://www.apache.org/legal/resolved.html#optional

On Fri, Oct 21, 2016 at 6:37 PM Josh Elser <[email protected]> wrote:

+1

* Sigs/xsums OK
* No binaries in release
* KEYS is accurate
* Can build from source
* Direct dependencies OK (beware that you are transitively bringing in
com.google.code.findbugs:jsr305:jar:3.0.0 which is not compatibly
licensed -- this should be fixed in the future)
* No Copyright notices
* apache-rat:check passes
* Can run all tests
* Artifacts built from release appear to be appropriately licensed.
* Commit is contained in repository
* Would prefer to see apache-fluo-recipes as the name instead.

- Josh

Keith Turner wrote:
Fluo Developers,

Please consider the following candidate for Fluo Recipes
1.0.0-incubating.
Git Commit:
      682eff983f1fe6e60b75c36d3b2f782c6a93b155
Branch:
      1.0.0-incubating-rc1

If this vote passes, a gpg-signed tag will be created using:
      git tag -f -m 'Apache Fluo Recipes 1.0.0-incubating' -s \
      rel/fluo-recipes-1.0.0-incubating \
      682eff983f1fe6e60b75c36d3b2f782c6a93b155
Staging repo:
https://repository.apache.org/content/repositories/orgapachefluo-1016
Source (official release artifact):
https://repository.apache.org/content/repositories/orgapachefluo-1016/org/apache/fluo/fluo-recipes/1.0.0-incubating/fluo-recipes-1.0.0-incubating-source-release.tar.gz
(Append ".sha1", ".md5", or ".asc" to download the signature/hash for a
given artifact.)

All artifacts were built and staged with:
      mvn release:prepare && mvn release:perform

Signing keys are available at
https://www.apache.org/dist/incubator/fluo/KEYS
(Expected fingerprint: CF72CA07C8BC86A1C862765F9AACFB56352ACF76)

Release notes (in progress) can be found at:
https://fluo.apache.org/.../1.0.0-incubating

Please vote one of:
[ ] +1 - I have verified and accept...
[ ] +0 - I have reservations, but not strong enough to vote against...
[ ] -1 - Because..., I do not accept...
... these artifacts as the 1.0.0-incubating release of Apache Fluo
Recipes.
This vote will end on Sun Oct 23 22:30:00 UTC 2016
(Sun Oct 23 18:30:00 EDT 2016 / Sun Oct 23 15:30:00 PDT 2016)

Thanks!

P.S. Hint: download the whole staging repo with
      wget -erobots=off -r -l inf -np -nH \
      https://repository.apache.org/content/repositories/orgapachefluo-1016/
      # note the trailing slash is needed

