My understanding is that you would still use javax.annotation.Nullable (or any defined in JSR-305) in the code and then the implementation you provide on the classpath would satisfy the implementation. Have you tried out removing the findbugs version for the stephenc version at runtime to see if things explode?

re: Phoenix, looks like I need to bash more heads. I had a multi-day event recently fixing their licensing, but it appears that you found something I had missed. Thanks for pointing it out. I think maybe the findbugs dependency was just not removed...

Aaron D. Mihalik wrote:

I put up a PR to move Rya to findbugs-annotations [1]. Besides removing
some annotations, the biggest change was to go from "import
javax.annotation.Nullable" to "import
edu.umd.cs.findbugs.annotations.Nullable".  Does that look correct?

I went over to Apache Phoenix to see how they deal with the package names
for the findbugs-annotations, and it appears that Phoenix still uses
"javax.annotation.Nullable" and has a direct dependency on findbugs:jsr305



On Mon, Oct 17, 2016 at 2:58 PM Aaron D. Mihalik<>

I meant "fluo has a transitive dependency on findbugs:jsr305". I agree
that findbugs-annotations is good and jsr305 is bad.

On Mon, Oct 17, 2016 at 2:51 PM Puja Valiyil<>  wrote:

Yea findbugs-annotations is not LGPL:
It appears to be apache 2, though aaron you should verify.

On Mon, Oct 17, 2016 at 11:19 AM, Aaron D. Mihalik<>

fluo has a transitive dependency on findbugs-annotations, not direct.

My issue is that
isn't in maven central.  I think it would be straightforward for us to
exclude and replace with c.g.s.f:findbugs-annotations:3.0.1-1, but it's
going to be difficult with earlier versions of

I'll take a closer look at it today, though.


On Sun, Oct 16, 2016 at 5:51 PM Josh Elser<>  wrote:

Also, over in Apache Phoenix, we're using
com.github.stephenc.findbugs:findbugs-annotations:1.3.9-1. Maybe I gave
some bad advice on the GAV to use the first time around :)

Josh Elser wrote:
A (Maven) repo? It's published central -- you shouldn't have to do
anything extra to get it. Sonatype is automatically mirrored to
(like Apache is).

Also, Fluo is depending on this directly? Or just transitively? I am
hoping I did not miss it directly depending...

No, it's not ok :). You're bundling code whose license is dodgy.
way you need to exclude the Findbugs' findbugs-annotations from these
dependencies. Whether or not you replace in
instead is up to you (not sure if you would run into problems)

Aaron D. Mihalik wrote:
Anyone know where I can find a repo for this artifact:


stephenc lists the Repositories here [1] but I can't find the latest
release in those mentioned repos (i.e. here [2] or here [3])

I don't think we'll have this resolved for RC2, but I'm hoping
because other projects depend on findbugs:jsr305 (i.e. hadoop and


Reply via email to