I meant "fluo has a transitive dependency on findbugs:jsr305". I agree
that findbugs-annotations is good and jsr305 is bad.

On Mon, Oct 17, 2016 at 2:51 PM Puja Valiyil <puja...@gmail.com> wrote:

> Yea, findbugs-annotations is not LGPL:
> https://github.com/stephenc/findbugs-annotations
> It appears to be Apache 2, though Aaron, you should verify.
>
> On Mon, Oct 17, 2016 at 11:19 AM, Aaron D. Mihalik <aaron.miha...@gmail.com> wrote:
>
> > fluo has a transitive dependency on findbugs-annotations, not direct.
> >
> > My issue is that com.github.stephenc.findbugs:findbugs-annotations:3.0.1-1
> > isn't in maven central.  I think it would be straightforward for us to
> > exclude and replace with c.g.s.f:findbugs-annotations:3.0.1-1, but it's
> > going to be difficult with earlier versions of
> > c.g.s.f:findbugs-annotations.
> >
> > I'll take a closer look at it today, though.
> >
> > --Aaron
> >
> >
> > On Sun, Oct 16, 2016 at 5:51 PM Josh Elser <josh.el...@gmail.com> wrote:
> >
> > > Also, over in Apache Phoenix, we're using
> > > com.github.stephenc.findbugs:findbugs-annotations:1.3.9-1. Maybe I gave
> > > some bad advice on the GAV to use the first time around :)
> > >
> > > Josh Elser wrote:
> > > > A (Maven) repo? It's published to central -- you shouldn't have to do
> > > > anything extra to get it. Sonatype is automatically mirrored to central
> > > > (like Apache is).
> > > >
> > > > Also, Fluo is depending on this directly? Or just transitively? I am
> > > > hoping I did not miss it directly depending...
> > > >
> > > > No, it's not ok :). You're bundling code whose license is dodgy. Either
> > > > way you need to exclude the Findbugs' findbugs-annotations from these
> > > > dependencies. Whether or not you replace in c.g.s.f:findbugs-annotations
> > > > instead is up to you (not sure if you would run into problems)
> > > >
> > > > Aaron D. Mihalik wrote:
> > > >> Anyone know where I can find a repo for this artifact:
> > > >>
> > > >> com.github.stephenc.findbugs:findbugs-annotations:3.0.1-1
> > > >>
> > > >> stephenc lists the Repositories here [1] but I can't find the latest
> > > >> release in those mentioned repos (i.e. here [2] or here [3])
> > > >>
> > > >> I don't think we'll have this resolved for RC2, but I'm hoping that's
> > > >> okay because other projects depend on findbugs:jsr305 (i.e. hadoop and
> > > >> fluo).
> > > >>
> > > >> --Aaron
> > > >>
> > > >>
> > > >> [1] http://stephenc.github.io/findbugs-annotations/distribution-management.html
> > > >>
> > > >> [2] https://oss.sonatype.org/content/repositories/releases/com/github/stephenc/findbugs/findbugs-annotations/
> > > >>
> > > >> [3] https://repo.maven.apache.org/maven2/com/github/stephenc/findbugs/findbugs-annotations/
> > > >>
> > > >>
> > >
> >
>
