Hey Stamatis! Makes sense to me; I think we already have all of the jdbc drivers in the test scope - but adding runtime is a great idea!
I had some memories about some letter that we are using Cat-X stuff in Hive and we should remove it - I think HIVE-23284 was opened in response to that. However...if that comes back after these changes we may ask to update the scanner because we only use it in test runtime. cheers, Zoltan On 11/10/21 11:59 AM, Stamatis Zampetakis wrote:
Hi all, Currently, we have some (MariadDB, MySQL, Oracle) Category-X [1] JDBC drivers in some parts of the project. Sometimes they are included using the dependency section with <scope>test</scope> and some others by relying on download-maven-plugin [2]. Using test scope is kind of OK but it comes with the risk that we may write code which needs JDBC driver classes in order to compile and this could be seen as a violation of the AL2 when the Hive source code is released. From my understanding, the use of download-maven-plugin, first introduced in HIVE-23284 [3], was an attempt to remedy this problem. Now it comes back since we started using the test scope again. We have a few other drivers, namely Postgres, MSSQL, in test scope but are less important since they have BSD-2 and MIT licenses which are not problematic. I would expect that in the context of Hive *all* the JDBC drivers should be declared using the <scope>runtime</scope>. This would remove the need to use the download-maven-plugin and would simplify the inclusion of drivers in the build. We are not risking to create derivatives of GPL work since the dependency is not present at compilation so we cannot really use the respective classes in our code. Moreover, driver dependencies could be marked optional, which is actually true, and that would solve any potential licensing issues [4]. I would like to propose to use the following declaration for all JDBC drivers no matter the license. <dependency> <groupId>org.mariadb.jdbc</groupId> <artifactId>mariadb-java-client</artifactId> <version>${mariadb.version}</version> <scope>runtime</scope> <optional>true</optional> </dependency> This will make things more uniform, solve any potential licensing issues, and when in the future someone copy-pastes dependencies to include new drivers there will be no violation of AL2. What do you think? Best, Stamatis [1] https://www.apache.org/legal/resolved.html#category-x [2] https://search.maven.org/artifact/com.googlecode.maven-download-plugin/download-maven-plugin/1.6.1/jar [3] https://issues.apache.org/jira/browse/HIVE-23284 [4] https://www.apache.org/legal/resolved.html#optional