Hi Thomas,

yes, the two libraries are Apache 2.0 licensed and only the first one (jackson-datatype-json-org) depends on org.apache.geronimo.bundles:json:jar:20090211_1, which is a wrapper of the offending library (BTW we are still Java 6 compatible). The second one has indeed no transient / compile time dependency at all to org.json packages (no wrapper, no JSON lib), but a runtime dependency.

The org.jabsorb library on the other side has the org.json classes included (!) with the offending license (2002 JSON.org, 2006 JSON org).

All three libraries are optional and thus not automatically included.

---

Nothing seems to be done for the Fulcrum modules.

As the org.jabsorb package does include the x-cat files we have probably to do something there, at least if being an optional dependency is not enough. Could we release a clean one or maybe adopt the code without this package? Maybe as (repackaged) part of Fulcrum JSON? As a result just including a fresh package would not suffice here, I am afraid...

I'll check legal-discuss also...

Best regards, Georg

From: Thomas Vandahl <[email protected]>
To: Turbine Developers List <[email protected]>
Date: 26.11.2016 19:58
Subject: Re: Fwd: JSON License and Apache Projects

Hi Georg,

On 25.11.16 12:52, Georg Kallidis wrote:
> Fulcrum Jackson2 1.1.1-SNAPSHOT dependency
> - <groupId>com.fasterxml.jackson.datatype</groupId>
> <artifactId>jackson-datatype-json-org</artifactId>
>
> Fulcrum Gson 1.1.1-SNAPSHOT dependency
> - <groupId>com.jayway.jsonpath</groupId>
> <artifactId>json-path</artifactId>

Are these actually JSON-licensed? I thought the directly dependent libraries have AL 2.0 licenses?

>
> Turbine 4 class
> org.apache.turbine.services.jsonrpc.JSONProcessor
>
> - dependency
> + <groupId>org.jabsorb</groupId>
> <artifactId>jabsorb</artifactId>
> <version>1.3.2</version>

According to the POM, this one is AL 2.0 licensed. However I don't know about transient dependencies.

> The snapshots could just switch to an alternative, e.g.
>
> <groupId>com.vaadin.external.google</groupId>
> <artifactId>android-json</artifactId>
> <version>0.0.20131108.vaadin1</version>
>
> or https://code.google.com/archive/p/json-simple/?
>
> The latter one has the disadvantage having a different package - using it
> with a new turbine version and a released fulcrum or a new fulcrum and an
> old turbine version might result in problems. As a result the former
> alternative seems to be best, or isn't it?

Somehow, I don't like the idea of having Vaadin and/or Android stuff as a dependency to Turbine. Do you believe that anyone else besides you and me actually used this?

>
> How could we handle the released versions?
>

Released versions are *released* after all. We cannot call them back. I don't know what is meant by the "temporary exclusion" but this is generally what is accepted as a law of nature.

I'll ask back on board@

Bye, Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
