Here is my completed analysis of our third-party licenses. Result: We have two licenses not allowed for Apache projects. See the bottom. The question is, is this a blocker for the release? Can we make a Jira task to fix for the next version? One of them: JSON, just switched to category X after our last release.
Using this history as a guide:
https://www.mail-archive.com/dev@rya.incubator.apache.org/msg00969.html
and this: https://issues.apache.org/jira/browse/RYA-177
in order: the good, the bad:

### BSD good from: http://asm.ow2.org/license.html
(Unknown license) ASM Core (asm:asm:3.1 - http://asm.objectweb.org/asm/)

### Good already excluded, see RYA-200 Remove findbugs:jsr305 Dependency
(GNU Lesser Public License) FindBugs-Annotations (com.google.code.findbugs:annotations:2.0.2 - http://findbugs.sourceforge.net/)

### Apache project -- Good
(Unknown license) commons-beanutils (commons-beanutils:commons-beanutils:1.7.0 - no url defined)

### Already exclusion from another library, it's Good
(HSQLDB License) HSQLDB (hsqldb:hsqldb:1.8.0.10 - http://hsqldb.org/)

### used by many Apache projects -- Good
(Unknown license) servlet-api (javax.servlet:servlet-api:2.5 - no url defined)
(Unknown license) jsp-api (javax.servlet.jsp:jsp-api:2.1 - no url defined)
(Common Public License Version 1.0) JUnit (junit:junit:4.8.2 - http://junit.org)

### BSD license -- good from http://www.antlr.org/about.html
(Unknown license) Antlr 3.4 Runtime (org.antlr:antlr-runtime:3.4 - http://www.antlr.org)

### Apache -- Good
(Unknown license) Jettison (org.codehaus.jettison:jettison:1.1 - no url defined)

### Apache licensed -- Good, all spring stuff
(Unknown license) spring-aop (org.springframework:spring-aop:3.0.5.RELEASE)
(Unknown license) spring-asm (org.springframework:spring-asm:3.0.5.RELEASE)
(Unknown license) spring-beans (org.springframework:spring-beans:3.0.5.RELEASE)
(Unknown license) spring-context (org.springframework:spring-context:3.0.5.RELEASE)
(Unknown license) spring-context-support (org.springframework:spring-context-support:3.0.7.RELEASE)
(Unknown license) spring-core (org.springframework:spring-core:3.0.5.RELEASE)
(Unknown license) spring-expression (org.springframework:spring-expression:3.0.5.RELEASE)
(Unknown license) spring-tx (org.springframework:spring-tx:3.0.5.RELEASE)

### Apache project -- Good, BTW: As of 2010-09-01, the ORO project is retired.
(Unknown license) oro (oro:oro:2.0.8 - no url defined)

### Apache project -- Good, by looking at the source code
(Unknown license) regexp (regexp:regexp:1.3 - no url defined)

### Apache licensed -- Good, https://mvnrepository.com/artifact/org.osgi/org.osgi.compendium
(Unknown license) org.osgi.compendium (org.osgi:org.osgi.compendium:4.2.0)
(Unknown license) org.osgi.core (org.osgi:org.osgi.core:4.2.0)

### Python license is compat, -- Good, similar to http://www.jython.org/license.html
(Jython Software License) Jython (org.python:jython:2.5.3 - http://www.jython.org/)

############## end of good.

### BAD: JSON: MIT- with evil clause
### As of 2016-11-03 this has been moved to the 'Category X' license list
### ( "The Software shall be used for Good, not Evil." from http://www.json.org/license.html )
### Consider replacing with this drop in replacement:
### https://mvnrepository.com/artifact/com.tdunning/json
### from: https://stackoverflow.com/questions/10396176/org-json-jar-provisioning
### other alternatives:
### https://wiki.debian.org/qa.debian.org/jsonevil
(provided without support or warranty) JSON (JavaScript Object Notation) (org.json:json:20090211 - http://www.json.org/java/index.html)

### BAD: GPL with classpath exception is explicitly not compatible
(GNU General Public License (GPL), version 2, with the Classpath exception) JMH Core (org.openjdk.jmh:jmh-core:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-core/)
(GNU General Public License (GPL), version 2, with the Classpath exception) JMH Generators: Annotation Processors (org.openjdk.jmh:jmh-generator-annprocess:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-generator-annprocess/)