[ https://issues.apache.org/jira/browse/HBASE-16321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15407118#comment-15407118 ]

Sean Busbey commented on HBASE-16321:
-------------------------------------

The jsr305 jar claims to be from the findbugs project. I can't find any 
reference on the findbugs project to them having things licensed under anything 
other than LGPL. I don't know the provenance of the pom present in central, so 
I have no reason to believe that its license metadata is correct.

Additionally, jsr305 is dormant 
([ref jsr305|https://jcp.org/en/jsr/detail?id=305]) so using implementations 
of it is suspect. It also creates classes in the javax package, which means 
downstream folks can't combine it with a JRE under the terms of 
[the Oracle binary license section F|http://www.oracle.com/technetwork/java/javase/terms/license/index.html] 
(I don't think this is a problem under ASF policy, it's just something we can 
easily avoid by using the cleanroom implementation we're already using across 
the project).

> Ensure findbugs jsr305 jar isn't present
> ----------------------------------------
>
>                 Key: HBASE-16321
>                 URL: https://issues.apache.org/jira/browse/HBASE-16321
>             Project: HBase
>          Issue Type: Sub-task
>          Components: dependencies
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Blocker
>             Fix For: 2.0.0, 1.3.0, 1.4.0, 1.1.6, 1.2.3
>
>         Attachments: HBASE-16321.1.patch, HBASE-16321.2.patch
>
>
> We should be using
> {code}
> <dependencies>
>     <dependency>
>       <groupId>com.github.stephenc.findbugs</groupId>
>       <artifactId>findbugs-annotations</artifactId>
>       <version>${findbugs-annotations}</version>
>       <scope>compile</scope>
>     </dependency>
> </dependencies>
> {code}
> to ensure we don't have a prohibited dependency, but it looks like we're 
> still bringing in
> {code}
> <dependency>
>   <groupId>com.google.code.findbugs</groupId>
>   <artifactId>jsr305</artifactId>
>   <version>${jsr305.version}</version>
> </dependency>
> {code}
> Remove the findbugs version (even though the maven central pom claims the 
> license is ALv2, that doesn't line up with the referenced project sites).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
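
One way to find which direct dependencies still bring in the jar named in the issue, as an added example (not HBase's own tooling and not part of the original message): it parses the text output of `mvn dependency:tree` and reports every path that ends at `com.google.code.findbugs:jsr305`. The sample tree, the `org.example` modules and all versions are constructed.

```python
import re

BANNED = ("com.google.code.findbugs", "jsr305")  # coordinate named in the issue

# Constructed sample of `mvn dependency:tree` output (hypothetical modules, placeholder versions).
SAMPLE_TREE = r"""
[INFO] org.example:app:jar:1.0
[INFO] +- org.example:lib-a:jar:2.1:compile
[INFO] |  +- org.example:lib-b:jar:0.9:compile
[INFO] |  |  \- com.google.code.findbugs:jsr305:jar:0.0.0:compile
[INFO] |  \- org.example:lib-c:jar:3.0:compile
[INFO] +- com.github.stephenc.findbugs:findbugs-annotations:jar:0.0.0:compile
[INFO] \- org.example:lib-d:jar:1.2:test
[INFO]    \- com.google.code.findbugs:jsr305:jar:0.0.0:test
"""

# Each nesting level is three characters ("|  " or "   "), then "+- " or "\- ".
NODE = re.compile(
    r"^(?P<indent>(?:[| ]  )*)(?P<branch>[+\\]- )?"
    r"(?P<coord>[^\s:]+(?::[^\s:]+)+)\s*$"
)

def find_banned_paths(tree_text, banned=BANNED):
    """Return every root-to-leaf path whose last node is the banned artifact."""
    paths, stack = [], []
    for raw in tree_text.splitlines():
        m = NODE.match(re.sub(r"^\[INFO\] ", "", raw))
        if not m:
            continue  # banner, summary or blank line
        depth = len(m["indent"]) // 3 + (1 if m["branch"] else 0)
        stack = stack[:depth] + [m["coord"]]
        group, artifact = m["coord"].split(":")[:2]
        if (group, artifact) == banned:
            paths.append(list(stack))
    return paths

def direct_offenders(paths):
    """group:artifact of the direct dependencies that need an exclusion."""
    return sorted({":".join(p[1].split(":")[:2]) for p in paths if len(p) > 1})

if __name__ == "__main__":
    found = find_banned_paths(SAMPLE_TREE)
    for path in found:
        print(" -> ".join(path))
    print("exclude under:", direct_offenders(found))
    raise SystemExit(1 if found else 0)  # non-zero exit fails a CI step
```
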
