Hey Stamatis!
Makes sense to me; I think we already have all of the jdbc drivers in the test
scope - but adding runtime is a great idea!
I had some memories about some letter that we are using Cat-X stuff in Hive and
we should remove it - I think HIVE-23284 was opened in response to that.
However...if that comes back after these changes we may ask to update the
scanner because we only use it in test runtime.
cheers,
Zoltan
On 11/10/21 11:59 AM, Stamatis Zampetakis wrote:
Hi all,
Currently, we have some (MariadDB, MySQL, Oracle) Category-X [1] JDBC
drivers in some parts of the project. Sometimes they are included using the
dependency section with <scope>test</scope> and some others by relying on
download-maven-plugin [2].
Using test scope is kind of OK but it comes with the risk that we may write
code which needs JDBC driver classes in order to compile and this could be
seen as a violation of the AL2 when the Hive source code is released. From
my understanding, the use of download-maven-plugin, first introduced in
HIVE-23284 [3], was an attempt to remedy this problem. Now it comes back
since we started using the test scope again.
We have a few other drivers, namely Postgres, MSSQL, in test scope but are
less important since they have BSD-2 and MIT licenses which are not
problematic.
I would expect that in the context of Hive *all* the JDBC drivers should be
declared using the <scope>runtime</scope>. This would remove the need to
use the download-maven-plugin and would simplify the inclusion of drivers
in the build. We are not risking to create derivatives of GPL work since
the dependency is not present at compilation so we cannot really use the
respective classes in our code.
Moreover, driver dependencies could be marked optional, which is actually
true, and that would solve any potential licensing issues [4].
I would like to propose to use the following declaration for all JDBC
drivers no matter the license.
<dependency>
<groupId>org.mariadb.jdbc</groupId>
<artifactId>mariadb-java-client</artifactId>
<version>${mariadb.version}</version>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
This will make things more uniform, solve any potential licensing issues,
and when in the future someone copy-pastes dependencies to include new
drivers there will be no violation of AL2.
What do you think?
Best,
Stamatis
[1] https://www.apache.org/legal/resolved.html#category-x
[2]
https://search.maven.org/artifact/com.googlecode.maven-download-plugin/download-maven-plugin/1.6.1/jar
[3] https://issues.apache.org/jira/browse/HIVE-23284
[4] https://www.apache.org/legal/resolved.html#optional
