I vote to make benchmarks optional. Sent from my iPhone
> On Sep 14, 2017, at 3:03 PM, Josh Elser <[email protected]> wrote: > > By the letter of the law, you don't have to resolve license conflicts until > you graduate from the Incubator. > > However, the process of identifying bad licensing, finding suitable > replacements, and implementing such changes shows a _lot_ of maturity from > the community (as this is a very real problem that comes up as projects > grow!). > > At the end of the day, it really comes down to how the voters cast their vote > and I expect it would require some "fighting" over email. > > For the specifics: > > * HSQLDB, afaik, is ALv2. Maybe it's dual-licensed? That one should be > no-problem. > * re: org.json, our Ted Dunning has made which other projects have > successfully adopted. The barrier to switch is reportedly quite low > https://github.com/tdunning/open-json > * Making the benchmarks module optional, like was done with the geoindexing > module, is the most straightforward path. Google Caliper is more permissively > licensed and could be leveraged as an alternatively in the future > https://github.com/google/caliper > > I would suggest to bite the bullet now. > >> On 9/14/17 1:15 PM, David Lotts wrote: >> ​Here is my completed analysis of our third party licenses. >> Result: We have two Licenses not allowed for Apache projects. See the >> bottom. >> The question is, is this a blocker for the release? Can we make a Jira >> task to fix for the next version? One of them: JSON, just switched to >> category X after our last release. >> Using this history as a guide: >> https://www.mail-archive.com/[email protected]/msg00969.html >> and this : >> https://issues.apache.org/jira/browse/RYA-177 >> in order: the good, the bad: >> ### BSD good from: http://asm.ow2.org/license.html >> (Unknown license) ASM Core (asm:asm:3.1 - http://asm.objectweb.org/asm/ >> ) >> ### Good already excluded, see RYA-200 Remove findbugs:jsr305 Dependency >> (GNU Lesser Public License) FindBugs-Annotations >> (com.google.code.findbugs:annotations:2.0.2 - http://findbugs.sourceforge. >> net/) >> ### Apache project -- Good >> (Unknown license) commons-beanutils (commons-beanutils:commons-bea >> nutils:1.7.0 >> - no url defined) >> ### Already exclusion from another library, its Good >> (HSQLDB License) HSQLDB (hsqldb:hsqldb:1.8.0.10 - http://hsqldb.org/) >> ### used by many Apache projects -- Good >> (Unknown license) servlet-api (javax.servlet:servlet-api:2.5 - no url >> defined) >> (Unknown license) jsp-api (javax.servlet.jsp:jsp-api:2.1 - no url >> defined) >> (Common Public License Version 1.0) JUnit (junit:junit:4.8.2 - >> http://junit.org) >> ### BSD license -- good from http://www.antlr.org/about.html >> (Unknown license) Antlr 3.4 Runtime (org.antlr:antlr-runtime:3.4 - >> http://www.antlr.org) >> ### Apache -- Good >> (Unknown license) Jettison (org.codehaus.jettison:jettison:1.1 - no >> url defined) >> ### Apache licensed -- Good, all spring stuff >> (Unknown license) spring-aop (org.springframework:spring-ao >> p:3.0.5.RELEASE) >> (Unknown license) spring-asm (org.springframework:spring-as >> m:3.0.5.RELEASE) >> (Unknown license) spring-beans (org.springframework:spring-be >> ans:3.0.5.RELEASE) >> (Unknown license) spring-context (org.springframework:spring-co >> ntext:3.0.5.RELEASE) >> (Unknown license) spring-context-support (org.springframework:spring-co >> ntext-support:3.0.7.RELEASE >> (Unknown license) spring-core (org.springframework:spring-co >> re:3.0.5.RELEASE >> (Unknown license) spring-expression (org.springframework:spring-ex >> pression:3.0.5.RELEASE >> (Unknown license) spring-tx (org.springframework:spring-tx >> :3.0.5.RELEASE >> ### Apache project -- Good, BTW: As of 2010-09-01, the ORO project is >> retired. >> (Unknown license) oro (oro:oro:2.0.8 - no url defined) >> ### Apache project -- Good, by looking at the source code >> (Unknown license) regexp (regexp:regexp:1.3 - no url defined) >> ### Apache licensed -- Good, >> https://mvnrepository.com/artifact/org.osgi/org.osgi.compendium >> (Unknown license) org.osgi.compendium (org.osgi:org.osgi.compendium: >> 4.2.0) >> (Unknown license) org.osgi.core (org.osgi:org.osgi.core:4.2.0 ) >> ### Python license is compat, -- Good, similar to >> http://www.jython.org/license.html >> (Jython Software License) Jython (org.python:jython:2.5.3 - >> http://www.jython.org/) >> ############## end of good. >> ### BAD: JSON: MIT- with evil clause >> ### As of 2016-11-03 this has been moved to the 'Category X' license list >> ### ( "The Software shall be used for Good, not Evil." from >> http://www.json.org/license.html ) >> ### Consider replacing with this drop in replacement: >> ### https://mvnrepository.com/artifact/com.tdunning/json >> ### from: https://stackoverflow.com/questions/10396176/org- >> json-jar-provisioning >> ### other alternatives: >> ### https://wiki.debian.org/qa.debian.org/jsonevil >> (provided without support or warranty) JSON (JavaScript Object Notation) >> (org.json:json:20090211 - http://www.json.org/java/index.html) >> ### BAD: GPL with classpath exception is explicitly not compatible >> (GNU General Public License (GPL), version 2, with the Classpath >> exception) JMH Core (org.openjdk.jmh:jmh-core:1.13 - >> http://openjdk.java.net/projects/code-tools/jmh/jmh-core/) >> (GNU General Public License (GPL), version 2, with the Classpath >> exception) JMH Generators: Annotation Processors >> (org.openjdk.jmh:jmh-generator-annprocess:1.13 >> - http://openjdk.java.net/projects/code-tools/jmh/jmh-generator-annprocess/) >>>>
