In that case, I think we will be fine. I added a dependency license checker to the pom.xml (https://github.com/apache/incubator-wayang/blob/main/pom.xml#L1077-L1109) and I made a license whitelist. And if I group the licenses, we will not have any issue with that.
What do you think?

Best,
Bertty

On Tue, Sep 7, 2021 at 2:27 PM Christofer Dutz <[email protected]> wrote:

> Hi All,
>
> well JUnit 5 is an example for a generally BAD licence that is ok to use. You don't need it to run the final "product". It's just needed during the build.
> In the PLC4X Project we use JUnit too and that's not a problem.
>
> Regarding the dependencies pulled in by Spark, Hadoop and Giraph ... I guess if they are not automatically pulled in and you can generally use Wayang without them (Just needed for some special features) it should be ok.
>
> So if the dependencies are there because you depend on Apache Software (I mean software distributed by Apache).
> That should be ok ... if you however actively rely on these dependencies, then we might be in trouble.
>
> So please check if these dependencies are also directly used.
>
> In PLC4X we use enforcer rules, that force you to explicitly add dependencies for stuff your code directly uses. In this case you can't rely on transitive dependencies. This way you could simply check if there are any direct dependencies.
>
> So if you use them directly it's generally bad, if these references are only in Test code, then it's not that bad. If you don't reference them at all and the system works if the user doesn't provide them (except some special features, that need it) ... then you should be safe.
>
> Chris
>
> -----Original Message-----
> From: bertty contreras <[email protected]>
> Sent: Monday, 6 September 2021 18:54
> To: [email protected]
> Subject: Re: Apache Wayang dependencies with other licenses
>
> Thanks Chris.
>
> I reviewed the dependencies with the information that you provided and below you can find the final summary.
>
> Most of the dependencies are coming from the third-party platforms such as Apache Spark, Apache Hadoop and Apache Giraph, and normally those dependencies need to be provided by the user at runtime.
>
> The only dependency that Wayang contains is JUnit 5, and it has EPLv2 (BAD).
>
> - Apache Flink, Apache Spark, glassfish
>   - (ASF 2.0) (LGPL 2.1) (MPL 1.1) Javassist (org.javassist:javassist:3.19.0-GA - http://www.javassist.org/)
>   - (ASF 2.0) (LGPL 2.1) (MPL 1.1) Javassist (org.javassist:javassist:3.25.0-GA - http://www.javassist.org/)
>
> - jUnit 5
>   - (Eclipse Public License 1.0) JUnit (junit:junit:4.12 - http://junit.org)
>   - (Eclipse Public License v2.0) JUnit Jupiter (Aggregator) (org.junit.jupiter:junit-jupiter:5.6.1 - https://junit.org/junit5/)
>   - (Eclipse Public License v2.0) JUnit Jupiter API (org.junit.jupiter:junit-jupiter-api:5.6.1 - https://junit.org/junit5/)
>   - (Eclipse Public License v2.0) JUnit Jupiter Engine (org.junit.jupiter:junit-jupiter-engine:5.6.1 - https://junit.org/junit5/)
>   - (Eclipse Public License v2.0) JUnit Jupiter Params (org.junit.jupiter:junit-jupiter-params:5.6.1 - https://junit.org/junit5/)
>   - (Eclipse Public License v2.0) JUnit Platform Commons (org.junit.platform:junit-platform-commons:1.6.1 - https://junit.org/junit5/)
>   - (Eclipse Public License v2.0) JUnit Platform Engine API (org.junit.platform:junit-platform-engine:1.6.1 - https://junit.org/junit5/)
>   - (Eclipse Public License v2.0) JUnit Vintage Engine (org.junit.vintage:junit-vintage-engine:5.6.1 - https://junit.org/junit5/)
>
> - Jersey is inside of Apache Hadoop, Apache Spark
>   - (CDDL 1.1) (GPL2 w/ CPE) JAXB RI (com.sun.xml.bind:jaxb-impl:2.2.3-1 - http://jaxb.java.net/)
>   - (CDDL 1.1) (GPL2 w/ CPE) jersey-client (com.sun.jersey:jersey-client:1.9 - https://jersey.java.net/jersey-client/)
>   - (CDDL 1.1) (GPL2 w/ CPE) jersey-core (com.sun.jersey:jersey-core:1.9 - https://jersey.java.net/jersey-core/)
>   - (CDDL 1.1) (GPL2 w/ CPE) jersey-guice (com.sun.jersey.contribs:jersey-guice:1.9 - https://jersey.java.net/jersey-contribs/jersey-guice/)
>   - (CDDL 1.1) (GPL2 w/ CPE) jersey-json (com.sun.jersey:jersey-json:1.9 - https://jersey.java.net/jersey-json/)
>   - (CDDL 1.1) (GPL2 w/ CPE) jersey-server (com.sun.jersey:jersey-server:1.9 - https://jersey.java.net/jersey-server/)
>
> - Jakarta and Glassfish are dependencies of Apache Spark
>   - (Dual license consisting of the CDDL v1.1 and GPL v2) JSR 353 (JSON Processing) Default Provider (org.glassfish:javax.json:1.0.4 - http://jsonp.java.net)
>   - (EDL 1.0) JavaBeans Activation Framework API jar (jakarta.activation:jakarta.activation-api:1.2.1 - https://github.com/eclipse-ee4j/jaf/jakarta.activation-api)
>   - (EPL 2.0) (GPL2 w/ CPE) HK2 API module (org.glassfish.hk2:hk2-api:2.6.1 - https://github.com/eclipse-ee4j/glassfish-hk2/hk2-api)
>   - (EPL 2.0) (GPL2 w/ CPE) HK2 Implementation Utilities (org.glassfish.hk2:hk2-utils:2.6.1 - https://github.com/eclipse-ee4j/glassfish-hk2/hk2-utils)
>   - (EPL 2.0) (GPL2 w/ CPE) Jakarta Annotations API (jakarta.annotation:jakarta.annotation-api:1.3.5 - https://projects.eclipse.org/projects/ee4j.ca)
>   - (EPL 2.0) (GPL2 w/ CPE) Jakarta Servlet (jakarta.servlet:jakarta.servlet-api:4.0.3 - https://projects.eclipse.org/projects/ee4j.servlet)
>   - (EPL 2.0) (GPL2 w/ CPE) OSGi resource locator (org.glassfish.hk2:osgi-resource-locator:1.0.3 - https://projects.eclipse.org/projects/ee4j/osgi-resource-locator)
>   - (EPL 2.0) (GPL2 w/ CPE) ServiceLocator Default Implementation (org.glassfish.hk2:hk2-locator:2.6.1 - https://github.com/eclipse-ee4j/glassfish-hk2/hk2-locator)
>   - (EPL 2.0) (GPL2 w/ CPE) aopalliance version 1.0 repackaged as a module (org.glassfish.hk2.external:aopalliance-repackaged:2.6.1 - https://github.com/eclipse-ee4j/glassfish-hk2/external/aopalliance-repackaged)
>   - (EPL 2.0) (GPL2 w/ CPE) jakarta.ws.rs-api (jakarta.ws.rs:jakarta.ws.rs-api:2.1.6 - https://github.com/eclipse-ee4j/jaxrs-api)
>   - (EPL 2.0) (GPL2 w/ CPE) javax.inject:1 as OSGi bundle (org.glassfish.hk2.external:jakarta.inject:2.6.1 - https://github.com/eclipse-ee4j/glassfish-hk2/external/jakarta.inject)
>   - (Eclipse Distribution License - v 1.0) jakarta.xml.bind-api (jakarta.xml.bind:jakarta.xml.bind-api:2.3.2 - https://github.com/eclipse-ee4j/jaxb-api/jakarta.xml.bind-api)
>
> - Apache Giraph dependency
>   - (GNU General Public License (GPL), version 2, with the Classpath exception) Java Object Layout: Core (org.openjdk.jol:jol-core:0.1 - http://maven.apache.org)
>   - (Jython Software License) Jython (org.python:jython:2.5.3 - http://www.jython.org/)
>
> - org.json: removed direct dependency (IN PROGRESS), but it is also in the Apache Giraph dependencies
>   - (The JSON License) JSON in Java (org.json:json:20160212 - https://github.com/douglascrockford/JSON-java)
>   - (provided without support or warranty) JSON (JavaScript Object Notation) (org.json:json:20090211 - http://www.json.org/java/index.html)
>
> - Apache Spark, Apache Hadoop have as dependency
>   - (GNU Lesser Public License) FindBugs-Annotations (com.google.code.findbugs:annotations:2.0.2 - http://findbugs.sourceforge.net/)
>
> What do you think, is it ok to have these licenses?
>
> Best regards,
>
> Bertty
>
> On Mon, 6 Sep 2021 at 14:16, Alexander Alten (<[email protected]>) wrote:
>
> > Thanks Chris!
> >
> > On Mon, Sep 6, 2021, 13:13 Christofer Dutz <[email protected]> wrote:
> >
> > > Hi all,
> > >
> > > I asked Justin McLean (VP of the Incubator) to review the thread and he confirmed the advice was sound ...
> > > So I guess this is something you could start working with.
> > >
> > > Chris
> > >
> > > -----Original Message-----
> > > From: Christofer Dutz <[email protected]>
> > > Sent: Monday, 6 September 2021 12:31
> > > To: [email protected]
> > > Subject: Re: Apache Wayang dependencies with other licenses
> > >
> > > Ok … condensing the licenses in play … (Mostly listed multiple times due to different notation)
> > >
> > > Ones with "OK" are ok … ones with "BAD" can be used in some cases, depending on the case, "FORBIDDEN" can't be used in an Apache release.
> > >
> > > Here the list of the sorted licenses:
> > > OK - MIT
> > > FORBIDDEN - GPLv2 (with classpath exception)
> > > BAD - CDDL + GPLv2 (with classpath exception) (Dual licensing … can choose which one applies) (CDDL is considered BAD … can be contained in certain situations)
> > > OK - BSD 2-Clause
> > > OK - BSD 3-Clause (AKA "the new BSD")
> > > FORBIDDEN - BSD 4-Clause (Aka "The BSD License")
> > > OK - Apache 2.0
> > > BAD - EPL 1.0 (Aka Eclipse public license)
> > > BAD - EPL 2.0 (Aka Eclipse public license)
> > > OK - Public Domain (Needs attribution)
> > > OK - ICU License
> > > FORBIDDEN - LGPL (AKA GNU Lesser Public License, GNU Lesser General Public License, …)
> > > BAD - MPL (Aka Mozilla Public License)
> > > OK - CC0 (Aka Creative Commons) (Needs attribution)
> > > FORBIDDEN - JSON License
> > > BAD - CDDL
> > > OK - PostgreSQL License
> > >
> > > Ones I'm not sure of:
> > > HSQLDB License
> > > OW2 Licence
> > > Jython Software License
> > >
> > > Chris
> > >
> > > From: Bertty Contreras <[email protected]>
> > > Sent: Friday, 3 September 2021 01:55
> > > To: [email protected]
> > > Subject: Re: Apache Wayang dependencies with other licenses
> > >
> > > I just finished checking all the licenses and the summary list is below.
> > >
> > > NOTE: the pipe (|) indicates a different name for the same license
> > >
> > > (36 different licenses)
> > >
> > > * The MIT License | MIT License | MIT
> > > * GPL | GNU General Public License (GPL), version 2, with the Classpath exception
> > > * New BSD License | New BSD license | The New BSD License
> > > * BSD 2-Clause License
> > > * BSD 3 Clause | The BSD 3-Clause License | BSD 3-Clause "New" or "Revised" License (BSD-3-Clause) | 3-Clause BSD License | BSD 3-clause | BSD 3-clause | BSD 3-Clause | BSD 3 Clause License
> > > * BSD | The BSD License | BSD licence
> > > * Revised BSD
> > > * Apache License
> > > * ASF 2.0 | The Apache Software License, Version 2.0 | Apache License, Version 2.0 | Apache 2.0 License | Apache License Version 2.0 | Apache 2.0 | Apache-2.0 | The Apache License, Version 2.0 | Apache License | Version 2 | Apache 2 | http://www.apache.org/licenses/LICENSE-2.0.txt | Apache License 2.0 | Apache Software License - Version 2.0
> > > * Eclipse Public License 1.0 | Eclipse Public License - Version 1.0
> > > * Eclipse Public License v2.0
> > > * Public Domain
> > > * Unicode/ICU License
> > > * LGPL
> > > * GNU Lesser Public License
> > > * GNU Lesser General Public License (LGPL), Version 2.1 | GNU Lesser General Public License 2.1 | LGPL 2.1
> > > * MPL
> > > * Unknown license
> > > * MPL 1.1
> > > * HSQLDB License, a BSD open source license
> > > * GPL2 w/ CPE
> > > * http://asm.ow2.org/license.html
> > > * CDDL + GPLv2 with classpath exception
> > > * Dual license consisting of the CDDL v1.1 and GPL v2
> > > * Jython Software License
> > > * CC0
> > > * Public domain
> > > * The JSON License
> > > * COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0)
> > > * The PostgreSQL License
> > > * CDDL 1.1
> > > * provided without support or warranty
> > > * CDDL+GPL License
> > >
> > > I used the plugin org.codehaus.mojo:license-maven-plugin:2.0.0 to the licenses attached on the file THIRD-PARTY.
> > >
> > > If you find some license that you think we need to delete, let me know, but also many of them are like 2 or more levels of dependency down.
> > >
> > > Related to trove4j (it is the only direct one), I will use the Apache Commons library and I will put a "TODO" for doing a test with different libraries, but I think there is not too much difference.
> > >
> > > Best regards,
> > > Bertty
> > >
> > > On Thu, Sep 2, 2021 at 11:08 PM Christofer Dutz <[email protected]> wrote:
> > > Have a look at Google guava
> > > https://github.com/google/guava
> > >
> > > Or, even better, apache commons.
> > >
> > > Chris
> > >
> > > ________________________________
> > > From: bertty contreras <[email protected]>
> > > Sent: Thursday, September 2, 2021 10:25:43 PM
> > > To: [email protected]
> > > Subject: Re: Apache Wayang dependencies with other licenses
> > >
> > > Then I will remove Trove4j (the LGPL one that we are using in the code), and I will figure out if there is a third party that is using some LGPL and notify you.
> > >
> > > Best regards,
> > > Bertty
> > >
> > > On Thu 2. Sep 2021 at 18:30, Jean-Baptiste Onofre <[email protected]> wrote:
> > >
> > > > Yes, it's my point: if it's included like this and third parties use Wayang as a dependency, then the LGPL dependency will come transitively.
> > > >
> > > > So it's not good IMHO.
> > > >
> > > > Regards
> > > > JB
> > > >
> > > > > On 2 Sep 2021 at 18:28, Christofer Dutz <[email protected]> wrote:
> > > > >
> > > > > I think he means: Adding a dependency in a pom.
> > > > >
> > > > > It's technically not included in the Apache release. However if you build something with it, the end product will have to contain it. (A sort of borderline case is if it's used for testing, but isn't included in the final output, but that's a slippery slope).
> > > > >
> > > > > So in the end if someone would be building something with our Apache licensed library, in the end he would be stuck with something that's technically LGPL ... that's why we don't like that license.
> > > > >
> > > > > Chris
> > > > >
> > > > > -----Original Message-----
> > > > > From: Jean-Baptiste Onofre <[email protected]>
> > > > > Sent: Thursday, 2 September 2021 18:23
> > > > > To: [email protected]
> > > > > Subject: Re: Apache Wayang dependencies with other licenses
> > > > >
> > > > > What do you mean by "linking"? You mean use it as dependency?
> > > > >
> > > > > Regards
> > > > > JB
> > > > >
> > > > > > On 2 Sep 2021 at 18:21, Alexander Alten <[email protected]> wrote:
> > > > > >
> > > > > > That's right, but linking per pom.xml is not an issue, is it?
> > > > > >
> > > > > > —Alex
> > > > > >
> > > > > > > On 2. Sep 2021, at 18:18, Christofer Dutz <[email protected]> wrote:
> > > > > > >
> > > > > > > Hi Alex,
> > > > > > >
> > > > > > > unfortunately this is not quite correct. Having LGPL2 is actually something we are not allowed to use.
> > > > > > >
> > > > > > > Chris
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Alexander Alten <[email protected]>
> > > > > > > Sent: Thursday, 2 September 2021 08:25
> > > > > > > To: [email protected]
> > > > > > > Subject: Re: Apache Wayang dependencies with other licenses
> > > > > > >
> > > > > > > Hi folks,
> > > > > > >
> > > > > > > According to
> > > > > > > https://opensource.stackexchange.com/questions/5664/linking-from-lgpl-2-1-software-to-apache-2-0-library/5756#5756
> > > > > > >
> > > > > > > the linking to LGPL2 libs is not problematic, the permissive part applies.
> > > > > > > In general the use of other libs, which are not distributed over the project, is fine. We just need to make sure that we reference the library in the pom.xml file and not distribute them directly.
> > > > > > > BSD license, as well as MIT are compatible.
> > > > > > >
> > > > > > > Chris, and mentors - any comments here before we start to draft the first release?
> > > > > > >
> > > > > > > Best,
> > > > > > > --alex
> > > > > > >
> > > > > > > --
> > > > > > > Alexander Alten
> > > > > > > PPMC Apache Wayang
> > > > > > >
> > > > > > > On Tue, Aug 31, 2021, 23:57 Rodrigo Pardo Meza <[email protected]> wrote:
> > > > > > >
> > > > > > > > Hi folks,
> > > > > > > >
> > > > > > > > @bertty contreras <[email protected]> and I have been working on the first release. To this end:
> > > > > > > >
> > > > > > > > (1) We checked the maintenance state of the libraries actively used by Wayang. One of them (HPI) has been deleted and Experiments storage functionalities have been incorporated into the code of Wayang in order to extend them.
> > > > > > > >
> > > > > > > > (2) We checked the licenses of the libraries currently used by Wayang.
> > > > > > > > We did not go further into the licenses of the dependencies of these libraries (only the first level of the dependency tree of Wayang was checked). We made the following observations:
> > > > > > > >
> > > > > > > > - trove4j <https://mvnrepository.com/artifact/net.sf.trove4j/trove4j> has LGPL 2.1 license
> > > > > > > > - antlr4 <https://mvnrepository.com/artifact/org.antlr/antlr4-runtime> has BSD license
> > > > > > > > - paranamer <https://mvnrepository.com/artifact/com.thoughtworks.paranamer/paranamer> has BSD licence. Spark has this dependency as well with runtime scope, if Wayang does the same should be ok?
> > > > > > > > - hsqldb <https://mvnrepository.com/artifact/org.hsqldb/hsqldb> has BSD license
> > > > > > > >
> > > > > > > > Can someone help us to find out if our project can use these dependencies; otherwise, does anyone have suggestions of libraries to replace them?
> > > > > > > >
> > > > > > > > Thanks in advance.
> > > > > > > >
> > > > > > > > Best regards
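
The grouping and whitelist check discussed in this thread, as an added example that is not part of the original messages or of the Wayang build: it parses THIRD-PARTY style lines, folds license aliases together and applies the OK/BAD/FORBIDDEN verdicts. The function names are hypothetical, the alias and verdict tables are a subset copied from the lists above, and taking the most permissive verdict for a multi-licensed artifact is an assumption based on the "can choose which one applies" remark.

```python
import re

# Alias -> canonical name: a subset of the pipe-separated groups in the thread.
ALIASES = {
    "ASF 2.0": "Apache-2.0", "Apache 2.0": "Apache-2.0", "MIT License": "MIT",
    "LGPL 2.1": "LGPL", "GNU Lesser Public License": "LGPL", "MPL 1.1": "MPL",
    "Eclipse Public License 1.0": "EPL-1.0", "EPL 2.0": "EPL-2.0",
    "Eclipse Public License v2.0": "EPL-2.0", "CDDL 1.1": "CDDL",
    "GPL2 w/ CPE": "GPL-2.0-CPE", "The JSON License": "JSON",
    "GNU General Public License (GPL), version 2, with the Classpath exception":
        "GPL-2.0-CPE",
}
# Verdicts copied from the OK/BAD/FORBIDDEN list in the thread (subset).
VERDICT = {"Apache-2.0": "OK", "MIT": "OK", "EPL-1.0": "BAD", "EPL-2.0": "BAD",
           "MPL": "BAD", "CDDL": "BAD", "LGPL": "FORBIDDEN",
           "GPL-2.0-CPE": "FORBIDDEN", "JSON": "FORBIDDEN"}
RANK = {"OK": 0, "BAD": 1, "FORBIDDEN": 2, "UNKNOWN": 3}
GAV = re.compile(r"\(([^()\s]+:[^()\s]+:[^()\s]+) - [^()]*\)\s*$")

def parse_line(line):
    """Split '(Lic A) (Lic B) Name (g:a:v - url)' into (licenses, name, gav)."""
    m = GAV.search(line)
    if not m:
        raise ValueError(f"no Maven coordinates in: {line!r}")
    rest, licenses = line[:m.start()].strip(), []
    while rest.startswith("("):          # license names may nest parentheses
        depth = 0
        for end, ch in enumerate(rest):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                break
        licenses.append(rest[1:end])
        rest = rest[end + 1:].lstrip()
    return licenses, rest, m.group(1)

def classify(licenses):
    """Multi-licensed artifact: take the most permissive verdict (assumption)."""
    verdicts = [VERDICT.get(ALIASES.get(l, l), "UNKNOWN") for l in licenses]
    return min(verdicts, key=RANK.get, default="UNKNOWN")

def audit(report):
    """Map each g:a:v in a THIRD-PARTY style report to its verdict."""
    rows = (parse_line(l.strip()) for l in report.splitlines() if l.strip())
    return {gav: classify(lics) for lics, _name, gav in rows}

# Lines from the listing quoted in the thread, rejoined onto one line each.
SAMPLE = """\
(ASF 2.0) (LGPL 2.1) (MPL 1.1) Javassist (org.javassist:javassist:3.25.0-GA - http://www.javassist.org/)
(Eclipse Public License v2.0) JUnit Jupiter (Aggregator) (org.junit.jupiter:junit-jupiter:5.6.1 - https://junit.org/junit5/)
(CDDL 1.1) (GPL2 w/ CPE) jersey-core (com.sun.jersey:jersey-core:1.9 - https://jersey.java.net/jersey-core/)
(GNU General Public License (GPL), version 2, with the Classpath exception) Java Object Layout: Core (org.openjdk.jol:jol-core:0.1 - http://maven.apache.org)
(The JSON License) JSON in Java (org.json:json:20160212 - https://github.com/douglascrockford/JSON-java)
(Jython Software License) Jython (org.python:jython:2.5.3 - http://www.jython.org/)
"""
```

A build gate built on `audit` would fail on FORBIDDEN and UNKNOWN entries and route BAD entries to the scope check (test-only or user-provided) that the thread describes.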
