[ https://issues.apache.org/jira/browse/TIKA-3204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17201625#comment-17201625 ]
Tim Allison edited comment on TIKA-3204 at 9/24/20, 4:28 PM:
-------------------------------------------------------------
See attached image... Ugh, looks like 6.1.x defends against a DoS with oodles of
items under {{photoshop:DocumentAncestors}}.
was (Author: [email protected]):
Ugh, looks like 6.1.x defends against a DoS with oodles of items under
{{photoshop:DocumentAncestors}}.
> License incompliance with xmp-core 6.1.10
> -----------------------------------------
>
> Key: TIKA-3204
> URL: https://issues.apache.org/jira/browse/TIKA-3204
> Project: Tika
> Issue Type: Improvement
> Reporter: Christian Seipel
> Priority: Major
> Attachments: Screenshot from 2020-09-24 12-16-26.png
>
>
> Apache Tika 1.24.1 (and probably also older versions) has a dependency on
> xmp-core 6.1.10. Usage of this dependency is incompliant with its license,
> because distribution of xmp-core is strictly forbidden by Adobe unless you
> have written permission to do so.
> *\xmpcore-6.1.10.jar\META-INF\LICENSE*
> ADOBE CONFIDENTIAL
> __________________
> Copyright 2011-2016 Adobe Systems Incorporated
> All Rights Reserved.
> NOTICE: All information contained herein is, and remains
> the property of Adobe Systems Incorporated and its suppliers,
> if any. The intellectual and technical concepts contained
> herein are proprietary to Adobe Systems Incorporated and its
> suppliers and may be covered by U.S. and Foreign Patents,
> patents in process, and are protected by trade secret or copyright law.
> Dissemination of this information or reproduction of this material
> is strictly forbidden unless prior written permission is obtained
> from Adobe Systems Incorporated.
>
> *Here is how it comes into tika:*
> \tika-1.24.1-src.zip\tika-1.24.1\tika-xmp\pom.xml
> <dependency>
> <groupId>org.tallison.xmp</groupId>
> <artifactId>xmpcore-shaded</artifactId>
> <version>6.1.10</version>
> </dependency>
>
> \xmpcore-shaded-6.1.10-sources.jar\META-INF\maven\org.tallison.xmp\xmpcore-shaded\pom.xml
> <dependency>
> <groupId>com.adobe.xmp</groupId>
> <artifactId>xmpcore</artifactId>
> <version>6.1.10</version>
> </dependency>
>
> *In the header of the java files in the sources of xmp-core 6.1.10 is the
> following statement:*
> // =================================================================================================
> // ADOBE SYSTEMS INCORPORATED
> // Copyright 2006 Adobe Systems Incorporated
> // All Rights Reserved
> //
> // NOTICE: Adobe permits you to use, modify, and distribute this file in accordance with the terms
> // of the Adobe license agreement accompanying it.
> // =================================================================================================
> This statement in the header refers to the ADOBE CONFIDENTIAL license
> agreement shown above.
> There is a reference to a BSD license in mavenrepository.com, but when you
> follow this link, you get directed to a website where the BSD license is
> shown together with a link to the source code of xmp-core 5.1.3 only.
> [https://mvnrepository.com/artifact/com.adobe.xmp/xmpcore/6.1.10]
> [https://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.html]