Seems like we already include jcip annotations in core <https://github.com/jenkinsci/jenkins/blob/55b67fa06bf35a507bf884020035b96f0781cc57/core/pom.xml#L603-L607> so I am leaning towards using jcip (the licence seems to be ok (CC-by-A and we list licences in the about screen)).
As for the 3 Nonnegative annotations - I'm going to remove them - let's have some conversation in the soon to be submitted PR :)

/James

On Thursday, 26 March 2020 11:38:48 UTC, James Nord wrote:
>
> Hi all,
>
> it's been on my TODO list for a while to remove JSR-305 annotations from core.
>
> The reason behind this is
> 1) the framework is deader than a dodo
> 2) the annotations have a questionable licence
> 3) the annotations are in the reserved javax namespace and there is no public release of the spec (nor is there ever likely to be, see point 1).
>
> The natural replacement is SpotBugs, however there are a couple of missing annotations that have no mapping.
>
> - javax.annotation.concurrent.GuardedBy (14 occurrences)
> - javax.annotation.concurrent.Immutable (2 occurrences)
> - javax.annotation.Nonnegative (3 occurrences)
>
> The first 2 annotations have some possible replacements in Checker Framework, Error Prone, and JCIP annotations.
> The last only appears to have a replacement in Checker Framework, or in Java Beans validation.
>
> The licence of JCIP annotations means we are likely not able to use it. Whilst there is a clean room implementation by Stephen Connolly, I recall finding a bug in it the other week as it was not up to date.
>
> So there are a few possibilities: use annotations from error-prone and ignore the non negative, include annotations from checker-framework.
>
> If we start using either error prone or checker framework annotations the existing spotbugs tooling will not report on any violations (they support jcip only today).
>
> So as I see it we have a few alternatives
>
> 1) do nothing (I do not think this is wise due to the points at the start of this mail)
> 2) use an alternative annotation which is not checked and for documentation only
> 3) use an alternative annotation and checking framework (unclear if there is a replacement for findsec-bugs)
>
> What do people think?
>
> /James