By the letter of the law, you don't have to resolve license conflicts
until you graduate from the Incubator.
However, the process of identifying bad licensing, finding suitable
replacements, and implementing such changes shows a _lot_ of maturity
from the community (as this is a very real problem that comes up as
projects grow!).
At the end of the day, it really comes down to how the voters cast their
vote and I expect it would require some "fighting" over email.
For the specifics:
* HSQLDB, afaik, is ALv2. Maybe it's dual-licensed? That one should be
no problem.
* re: org.json, our Ted Dunning has made which other projects have
successfully adopted. The barrier to switch is reportedly quite low
https://github.com/tdunning/open-json
* Making the benchmarks module optional, like was done with the
geoindexing module, is the most straightforward path. Google Caliper is
more permissively licensed and could be leveraged as an alternative in
the future https://github.com/google/caliper
I would suggest to bite the bullet now.
On 9/14/17 1:15 PM, David Lotts wrote:
Here is my completed analysis of our third party licenses.
Result: We have two Licenses not allowed for Apache projects. See the
bottom.
The question is, is this a blocker for the release? Can we make a Jira
task to fix for the next version? One of them: JSON, just switched to
category X after our last release.
Using this history as a guide:
https://www.mail-archive.com/[email protected]/msg00969.html
and this:
https://issues.apache.org/jira/browse/RYA-177
in order: the good, the bad:
### BSD good from: http://asm.ow2.org/license.html
(Unknown license) ASM Core (asm:asm:3.1 - http://asm.objectweb.org/asm/)
### Good already excluded, see RYA-200 Remove findbugs:jsr305 Dependency
(GNU Lesser Public License) FindBugs-Annotations
(com.google.code.findbugs:annotations:2.0.2 - http://findbugs.sourceforge.net/)
### Apache project -- Good
(Unknown license) commons-beanutils (commons-beanutils:commons-beanutils:1.7.0 - no url defined)
### Already an exclusion from another library, it's Good
(HSQLDB License) HSQLDB (hsqldb:hsqldb:1.8.0.10 - http://hsqldb.org/)
### used by many Apache projects -- Good
(Unknown license) servlet-api (javax.servlet:servlet-api:2.5 - no url
defined)
(Unknown license) jsp-api (javax.servlet.jsp:jsp-api:2.1 - no url
defined)
(Common Public License Version 1.0) JUnit (junit:junit:4.8.2 -
http://junit.org)
### BSD license -- good from http://www.antlr.org/about.html
(Unknown license) Antlr 3.4 Runtime (org.antlr:antlr-runtime:3.4 -
http://www.antlr.org)
### Apache -- Good
(Unknown license) Jettison (org.codehaus.jettison:jettison:1.1 - no
url defined)
### Apache licensed -- Good, all spring stuff
(Unknown license) spring-aop (org.springframework:spring-aop:3.0.5.RELEASE)
(Unknown license) spring-asm (org.springframework:spring-asm:3.0.5.RELEASE)
(Unknown license) spring-beans (org.springframework:spring-beans:3.0.5.RELEASE)
(Unknown license) spring-context (org.springframework:spring-context:3.0.5.RELEASE)
(Unknown license) spring-context-support (org.springframework:spring-context-support:3.0.7.RELEASE
(Unknown license) spring-core (org.springframework:spring-core:3.0.5.RELEASE
(Unknown license) spring-expression (org.springframework:spring-expression:3.0.5.RELEASE
(Unknown license) spring-tx (org.springframework:spring-tx:3.0.5.RELEASE
### Apache project -- Good, BTW: As of 2010-09-01, the ORO project is
retired.
(Unknown license) oro (oro:oro:2.0.8 - no url defined)
### Apache project -- Good, by looking at the source code
(Unknown license) regexp (regexp:regexp:1.3 - no url defined)
### Apache licensed -- Good,
https://mvnrepository.com/artifact/org.osgi/org.osgi.compendium
(Unknown license) org.osgi.compendium (org.osgi:org.osgi.compendium:4.2.0)
(Unknown license) org.osgi.core (org.osgi:org.osgi.core:4.2.0)
### Python license is compat, -- Good, similar to
http://www.jython.org/license.html
(Jython Software License) Jython (org.python:jython:2.5.3 -
http://www.jython.org/)
############## end of good.
### BAD: JSON: MIT- with evil clause
### As of 2016-11-03 this has been moved to the 'Category X' license list
### ( "The Software shall be used for Good, not Evil." from
http://www.json.org/license.html )
### Consider replacing with this drop in replacement:
### https://mvnrepository.com/artifact/com.tdunning/json
### from: https://stackoverflow.com/questions/10396176/org-json-jar-provisioning
### other alternatives:
### https://wiki.debian.org/qa.debian.org/jsonevil
(provided without support or warranty) JSON (JavaScript Object Notation)
(org.json:json:20090211 - http://www.json.org/java/index.html)
### BAD: GPL with classpath exception is explicitly not compatible
(GNU General Public License (GPL), version 2, with the Classpath
exception) JMH Core (org.openjdk.jmh:jmh-core:1.13 -
http://openjdk.java.net/projects/code-tools/jmh/jmh-core/)
(GNU General Public License (GPL), version 2, with the Classpath
exception) JMH Generators: Annotation Processors
(org.openjdk.jmh:jmh-generator-annprocess:1.13
- http://openjdk.java.net/projects/code-tools/jmh/jmh-generator-annprocess/)