third party licenses examined for 3.2.11 RC2
Here is my analysis of our third party licenses. Using this history as a guide:
https://www.mail-archive.com/dev@rya.incubator.apache.org/msg00969.html
and this:
https://issues.apache.org/jira/browse/RYA-177

In order: the good, the bad, the to-do:

### BSD good from: http://asm.ow2.org/license.html
(Unknown license) ASM Core (asm:asm:3.1 - http://asm.objectweb.org/asm/ )

### already excluded, see RYA-200 Remove findbugs:jsr305 Dependency
(GNU Lesser Public License) FindBugs-Annotations (com.google.code.findbugs:annotations:2.0.2 - http://findbugs.sourceforge.net/)

### apache project
(Unknown license) commons-beanutils (commons-beanutils:commons-beanutils:1.7.0 - no url defined)

### Already exclusion from another library, it's OKAY
(HSQLDB License) HSQLDB (hsqldb:hsqldb:1.8.0.10 - http://hsqldb.org/)

### used by many Apache projects
(Unknown license) servlet-api (javax.servlet:servlet-api:2.5 - no url defined)
(Unknown license) jsp-api (javax.servlet.jsp:jsp-api:2.1 - no url defined)
(Common Public License Version 1.0) JUnit (junit:junit:4.8.2 - http://junit.org)

### BSD license good from http://www.antlr.org/about.html
(Unknown license) Antlr 3.4 Runtime (org.antlr:antlr-runtime:3.4 - http://www.antlr.org)

### apache
(Unknown license) Jettison (org.codehaus.jettison:jettison:1.1 - no url defined)

### Apache licenced, all spring stuff
(Unknown license) spring-aop (org.springframework:spring-aop:3.0.5.RELEASE)
(Unknown license) spring-asm (org.springframework:spring-asm:3.0.5.RELEASE)
(Unknown license) spring-beans (org.springframework:spring-beans:3.0.5.RELEASE)
(Unknown license) spring-context (org.springframework:spring-context:3.0.5.RELEASE)
(Unknown license) spring-context-support (org.springframework:spring-context-support:3.0.7.RELEASE)
(Unknown license) spring-core (org.springframework:spring-core:3.0.5.RELEASE)
(Unknown license) spring-expression (org.springframework:spring-expression:3.0.5.RELEASE)
(Unknown license) spring-tx (org.springframework:spring-tx:3.0.5.RELEASE)

## end of good.

### MIT- with evil clause ( "The Software shall be used for Good, not Evil." from http://www.json.org/license.html )
Consider replacing with this drop in replacement: https://mvnrepository.com/artifact/com.tdunning/json
from: https://stackoverflow.com/questions/10396176/org-json-jar-provisioning
(provided without support or warranty) JSON (JavaScript Object Notation) (org.json:json:20090211 - http://www.json.org/java/index.html)

### BAD I don't know about JMH libs:
(GNU General Public License (GPL), version 2, with the Classpath exception) JMH Core (org.openjdk.jmh:jmh-core:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-core/)
(GNU General Public License (GPL), version 2, with the Classpath exception) JMH Generators: Annotation Processors (org.openjdk.jmh:jmh-generator-annprocess:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-generator-annprocess/)

That is as far as I got.

TODO:
(Unknown license) oro (oro:oro:2.0.8 - no url defined)
(Unknown license) regexp (regexp:regexp:1.3 - no url defined)
(Unknown license) org.osgi.compendium (org.osgi:org.osgi.compendium:4.2.0)
(Unknown license) org.osgi.core (org.osgi:org.osgi.core:4.2.0)
(Jython Software License) Jython (org.python:jython:2.5.3 - http://www.jython.org/)
Re: [VOTE] Release Rya (Incubating) version 3.2.11 RC2
Yep. For the same reason that geoindexing module cannot be built by default (requires the user to acknowledge that they're using a library with this license), the benchmark module cannot be built by default.

Good catch folks.

On 9/13/17 3:57 PM, Jeff Dasch wrote:

Created RYA-370 to track the geoindexing profile bug and the renaming recommendation.

My finding wrt the sesame-runtime-osgi pom is covered by RYA-8. Ignoring that for now.

Here's the current license check. Are there any issues with the GNU licenses here? Apache Giraph seems to be providing the com.google.code.findbugs:annotations:2.0.2 dependency. Do we need to profile away the rya.benchmark project which provides the JMH dependency?

$ mvn license:aggregate-add-third-party
$ egrep -iv "BSD|ASF|MIT|CDDL|EPL|Apache|ASL|Eclipse|Public Domain" target/generated-sources/license/THIRD-PARTY.txt

Lists of 538 third-party dependencies.
(Unknown license) ASM Core (asm:asm:3.1 - http://asm.objectweb.org/asm/ )
(GNU Lesser Public License) FindBugs-Annotations (com.google.code.findbugs:annotations:2.0.2 - http://findbugs.sourceforge.net/)
(Unknown license) commons-beanutils (commons-beanutils:commons-beanutils:1.7.0 - no url defined)
(HSQLDB License) HSQLDB (hsqldb:hsqldb:1.8.0.10 - http://hsqldb.org/)
(Unknown license) servlet-api (javax.servlet:servlet-api:2.5 - no url defined)
(Unknown license) jsp-api (javax.servlet.jsp:jsp-api:2.1 - no url defined)
(Common Public License Version 1.0) JUnit (junit:junit:4.8.2 - http://junit.org)
(Unknown license) Antlr 3.4 Runtime (org.antlr:antlr-runtime:3.4 - http://www.antlr.org)
(Unknown license) Jettison (org.codehaus.jettison:jettison:1.1 - no url defined)
(provided without support or warranty) JSON (JavaScript Object Notation) (org.json:json:20090211 - http://www.json.org/java/index.html)
(GNU General Public License (GPL), version 2, with the Classpath exception) JMH Core (org.openjdk.jmh:jmh-core:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-core/)
(GNU General Public License (GPL), version 2, with the Classpath exception) JMH Generators: Annotation Processors (org.openjdk.jmh:jmh-generator-annprocess:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-generator-annprocess/)
(Unknown license) org.osgi.compendium (org.osgi:org.osgi.compendium:4.2.0 - no url defined)
(Unknown license) org.osgi.core (org.osgi:org.osgi.core:4.2.0 - no url defined)
(Jython Software License) Jython (org.python:jython:2.5.3 - http://www.jython.org/)
(Unknown license) spring-aop (org.springframework:spring-aop:3.0.5.RELEASE - no url defined)
(Unknown license) spring-asm (org.springframework:spring-asm:3.0.5.RELEASE - no url defined)
(Unknown license) spring-beans (org.springframework:spring-beans:3.0.5.RELEASE - no url defined)
(Unknown license) spring-context (org.springframework:spring-context:3.0.5.RELEASE - no url defined)
(Unknown license) spring-context-support (org.springframework:spring-context-support:3.0.7.RELEASE - no url defined)
(Unknown license) spring-core (org.springframework:spring-core:3.0.5.RELEASE - no url defined)
(Unknown license) spring-expression (org.springframework:spring-expression:3.0.5.RELEASE - no url defined)
(Unknown license) spring-tx (org.springframework:spring-tx:3.0.5.RELEASE - no url defined)
(Unknown license) oro (oro:oro:2.0.8 - no url defined)
(Unknown license) regexp (regexp:regexp:1.3 - no url defined)

On Wed, Sep 13, 2017 at 10:45 AM, David Lotts wrote:

, nexus seems to have a lot of geoindexing artifacts in it. Probably need to revisit the extras/pom.xml as it looks like there's a regression in there.

The last release 3.2.10 has no geoindexing jars in Nexus. I see what you are saying. This release candidate has folders for each.
https://repository.apache.org/content/repositories/releases/org/apache/rya/

I unfortunately missed your renaming recommendation from your review.

david.

On Wed, Sep 13, 2017 at 9:25 AM, Jeff Dasch wrote:

Also, it appears that there is an issue with this project as well:

grep -r 3.2.10-incubating-SNAPSHOT rya-project-3.2.11-incubating
rya-project-3.2.11-incubating/osgi/sesame-runtime-osgi/pom.xml:
*3.2.10-incubating-SNAPSHOT*

On Wed, Sep 13, 2017 at 12:05 AM, Jeff Dasch wrote:

It is fine not to release the geoindexing artifacts, but we need all of the pom version strings to be consistent (and correct) so that if one did want to build them with the geoindexing profile, they can.

Speaking of artifacts, nexus seems to have a lot of geoindexing artifacts in it. Probably need to revisit the extras/pom.xml as it looks like there's a regression in there.

On Tue, Sep 12, 2017 at 10:22 PM, Puja Valiyil wrote:

Don't we not release the geoindexing artifacts? Sorry if I'm being slow here

Sent from my iPhone

On Sep 12, 2017, at 5:23 PM, Jeff Dasch wrote:

-
Re: [VOTE] Release Rya (Incubating) version 3.2.11 RC2
Created RYA-370 to track the geoindexing profile bug and the renaming recommendation.

My finding wrt the sesame-runtime-osgi pom is covered by RYA-8. Ignoring that for now.

Here's the current license check. Are there any issues with the GNU licenses here? Apache Giraph seems to be providing the com.google.code.findbugs:annotations:2.0.2 dependency. Do we need to profile away the rya.benchmark project which provides the JMH dependency?

$ mvn license:aggregate-add-third-party
$ egrep -iv "BSD|ASF|MIT|CDDL|EPL|Apache|ASL|Eclipse|Public Domain" target/generated-sources/license/THIRD-PARTY.txt

Lists of 538 third-party dependencies.
(Unknown license) ASM Core (asm:asm:3.1 - http://asm.objectweb.org/asm/ )
(GNU Lesser Public License) FindBugs-Annotations (com.google.code.findbugs:annotations:2.0.2 - http://findbugs.sourceforge.net/)
(Unknown license) commons-beanutils (commons-beanutils:commons-beanutils:1.7.0 - no url defined)
(HSQLDB License) HSQLDB (hsqldb:hsqldb:1.8.0.10 - http://hsqldb.org/)
(Unknown license) servlet-api (javax.servlet:servlet-api:2.5 - no url defined)
(Unknown license) jsp-api (javax.servlet.jsp:jsp-api:2.1 - no url defined)
(Common Public License Version 1.0) JUnit (junit:junit:4.8.2 - http://junit.org)
(Unknown license) Antlr 3.4 Runtime (org.antlr:antlr-runtime:3.4 - http://www.antlr.org)
(Unknown license) Jettison (org.codehaus.jettison:jettison:1.1 - no url defined)
(provided without support or warranty) JSON (JavaScript Object Notation) (org.json:json:20090211 - http://www.json.org/java/index.html)
(GNU General Public License (GPL), version 2, with the Classpath exception) JMH Core (org.openjdk.jmh:jmh-core:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-core/)
(GNU General Public License (GPL), version 2, with the Classpath exception) JMH Generators: Annotation Processors (org.openjdk.jmh:jmh-generator-annprocess:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-generator-annprocess/)
(Unknown license) org.osgi.compendium (org.osgi:org.osgi.compendium:4.2.0 - no url defined)
(Unknown license) org.osgi.core (org.osgi:org.osgi.core:4.2.0 - no url defined)
(Jython Software License) Jython (org.python:jython:2.5.3 - http://www.jython.org/)
(Unknown license) spring-aop (org.springframework:spring-aop:3.0.5.RELEASE - no url defined)
(Unknown license) spring-asm (org.springframework:spring-asm:3.0.5.RELEASE - no url defined)
(Unknown license) spring-beans (org.springframework:spring-beans:3.0.5.RELEASE - no url defined)
(Unknown license) spring-context (org.springframework:spring-context:3.0.5.RELEASE - no url defined)
(Unknown license) spring-context-support (org.springframework:spring-context-support:3.0.7.RELEASE - no url defined)
(Unknown license) spring-core (org.springframework:spring-core:3.0.5.RELEASE - no url defined)
(Unknown license) spring-expression (org.springframework:spring-expression:3.0.5.RELEASE - no url defined)
(Unknown license) spring-tx (org.springframework:spring-tx:3.0.5.RELEASE - no url defined)
(Unknown license) oro (oro:oro:2.0.8 - no url defined)
(Unknown license) regexp (regexp:regexp:1.3 - no url defined)

On Wed, Sep 13, 2017 at 10:45 AM, David Lotts wrote:

> > , nexus seems to have a lot of geoindexing
> > artifacts in it. Probably need to revisit the extras/pom.xml as it
> > looks like there's a regression in there.
>
> The last release 3.2.10 has no geoindexing jars in Nexus. I see what you
> are saying. This release candidate has folders for each.
> https://repository.apache.org/content/repositories/releases/org/apache/rya/
>
> I unfortunately missed your renaming recommendation from your review.
>
> david.
>
> On Wed, Sep 13, 2017 at 9:25 AM, Jeff Dasch wrote:
>
> > Also, it appears that there is an issue with this project as well:
> >
> > grep -r 3.2.10-incubating-SNAPSHOT rya-project-3.2.11-incubating
> > rya-project-3.2.11-incubating/osgi/sesame-runtime-osgi/pom.xml:
> > *3.2.10-incubating-SNAPSHOT*
> >
> > On Wed, Sep 13, 2017 at 12:05 AM, Jeff Dasch wrote:
> >
> > > It is fine not to release the geoindexing artifacts, but we need all of
> > > the pom version strings to be consistent (and correct) so that if one did
> > > want to build them with the geoindexing profile, they can.
> > >
> > > Speaking of artifacts, nexus seems to have a lot of geoindexing artifacts
> > > in it. Probably need to revisit the extras/pom.xml as it looks like there's
> > > a regression in there.
> > >
> > > On Tue, Sep 12, 2017 at 10:22 PM, Puja Valiyil wrote:
> > >
> > >> Don't we not release the geoindexing artifacts? Sorry if I'm being slow
> > >> here
> > >>
> > >> Sent from my iPhone
> > >>
> > >> > On Sep 12, 2017, at 5:23 PM, Jeff Dasch wrote:
> > >> >
> > >> > -1 (non-binding)
> > >> >
> > >> > The pom for rya.pcj.functions.geo references a parent artifact with a
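The license check in the message above filters whole lines of THIRD-PARTY.txt, so an allow-list term that appears in an artifact's name or coordinates hides the entry regardless of its license. The following is an added example, not part of the original thread or the project's tooling: it parses each entry and applies the same terms to the license field only. The `com.example` entries are constructed; the other sample lines are taken from the listing above.

```python
import re

# Accepted license names: the alternatives from the egrep pattern in the thread.
TERMS = r"BSD|ASF|MIT|CDDL|EPL|Apache|ASL|Eclipse|Public Domain"
LINE_FILTER = re.compile(TERMS, re.I)                 # what `egrep -iv` tests: the whole line
FIELD_FILTER = re.compile(rf"\b(?:{TERMS})\b", re.I)  # whole words, license field only

# Entry layout: "(License) [(License) ...] Name (groupId:artifactId:version - url)"
LICENSE = re.compile(r"\(((?:[^()]|\([^()]*\))*)\)\s*")  # tolerates one nested "(GPL)"
COORDS = re.compile(r"\(([^\s():]+):([^\s():]+):([^\s()]+) - ([^)]*)\)\s*$")


def parse_entry(line):
    """Split one THIRD-PARTY.txt entry into licenses, name and coordinates."""
    line = line.strip()
    coords = COORDS.search(line)
    if not coords:
        return None  # header line such as "Lists of 538 third-party dependencies."
    head, licenses = line[:coords.start()], []
    while (m := LICENSE.match(head)):
        licenses.append(m.group(1).strip())
        head = head[m.end():]
    group, artifact, version, _url = coords.groups()
    return {"licenses": licenses, "name": head.strip(),
            "gav": f"{group}:{artifact}:{version}"}


def needs_review(entry):
    """True when no license field names an accepted license (assumed policy)."""
    return not any(FIELD_FILTER.search(lic) for lic in entry["licenses"])


def audit(lines):
    """Return (entries needing review, the subset the line-wide egrep would hide)."""
    flagged, hidden = [], []
    for line in lines:
        entry = parse_entry(line)
        if entry is None or not needs_review(entry):
            continue
        flagged.append(entry["gav"])
        if LINE_FILTER.search(line):
            hidden.append(entry["gav"])
    return flagged, hidden


SAMPLE = [
    "Lists of 538 third-party dependencies.",
    "     (Unknown license) ASM Core (asm:asm:3.1 - http://asm.objectweb.org/asm/ )",
    "     (GNU General Public License (GPL), version 2, with the Classpath exception) JMH Core (org.openjdk.jmh:jmh-core:1.13 - http://openjdk.java.net/projects/code-tools/jmh/jmh-core/)",
    "     (provided without support or warranty) JSON (JavaScript Object Notation) (org.json:json:20090211 - http://www.json.org/java/index.html)",
    # Constructed entries (hypothetical artifacts) that exercise the failure mode:
    "     (The Apache Software License, Version 2.0) Example Core (com.example:core:1.0 - no url defined)",
    "     (GNU General Public License) Example Bridge (com.example.apache:bridge:1.0 - no url defined)",
    "     (Unknown license) Rate Limiter (com.example:ratelimiter:1.0 - no url defined)",
]

if __name__ == "__main__":
    flagged, hidden = audit(SAMPLE)
    print("needs review:", flagged)
    print("hidden by the line-wide filter:", hidden)
```

The two constructed entries are dropped by the line-wide filter because "apache" occurs in a groupId and "mit" occurs inside "Limiter"; matching on the license field alone keeps both in the review list.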
Re: [VOTE] Release Rya (Incubating) version 3.2.11 RC2
> , nexus seems to have a lot of geoindexing
> artifacts in it. Probably need to revisit the extras/pom.xml as it
> looks like there's a regression in there.

The last release 3.2.10 has no geoindexing jars in Nexus. I see what you are saying. This release candidate has folders for each.
https://repository.apache.org/content/repositories/releases/org/apache/rya/

I unfortunately missed your renaming recommendation from your review.

david.

On Wed, Sep 13, 2017 at 9:25 AM, Jeff Dasch wrote:

> Also, it appears that there is an issue with this project as well:
>
> grep -r 3.2.10-incubating-SNAPSHOT rya-project-3.2.11-incubating
> rya-project-3.2.11-incubating/osgi/sesame-runtime-osgi/pom.xml:
> *3.2.10-incubating-SNAPSHOT*
>
> On Wed, Sep 13, 2017 at 12:05 AM, Jeff Dasch wrote:
>
> > It is fine not to release the geoindexing artifacts, but we need all of
> > the pom version strings to be consistent (and correct) so that if one did
> > want to build them with the geoindexing profile, they can.
> >
> > Speaking of artifacts, nexus seems to have a lot of geoindexing artifacts
> > in it. Probably need to revisit the extras/pom.xml as it looks like there's
> > a regression in there.
> >
> > On Tue, Sep 12, 2017 at 10:22 PM, Puja Valiyil wrote:
> >
> >> Don't we not release the geoindexing artifacts? Sorry if I'm being slow
> >> here
> >>
> >> Sent from my iPhone
> >>
> >> > On Sep 12, 2017, at 5:23 PM, Jeff Dasch wrote:
> >> >
> >> > -1 (non-binding)
> >> >
> >> > The pom for rya.pcj.functions.geo references a parent artifact with a
> >> > 3.2.11-incubating-SNAPSHOT version:
> >> > grep -r 3.2.11-incubating-SNAPSHOT rya-project-3.2.11-incubating
> >> > rya-project-3.2.11-incubating/extras/rya.pcj.fluo/rya.pcj.functions.geo/pom.xml:
> >> > 3.2.11-incubating-SNAPSHOT
> >> >
> >> > Need to clean your maven repo and build with the geoindexing profile to see
> >> > this issue. RC1 was also affected.
> >> >
> >> >> On Mon, Sep 11, 2017 at 5:44 PM, David Lotts wrote:
> >> >>
> >> >> I am pleased to be calling this vote for the source release of Apache Rya
> >> >> (Incubating), version 3.2.11.
> >> >>
> >> >> The source zip, including signatures, digests, etc. can be found at:
> >> >> https://dist.apache.org/repos/dist/dev/incubator/rya/rya-incubating-3.2.11-rc2/
> >> >>
> >> >> Ancillary artifacts such as poms, jars, wars. can be found here:
> >> >> https://repository.apache.org/content/repositories/orgapacherya-1006/org/apache/rya/rya-project/3.2.11-incubating/
> >> >>
> >> >> The Git tag is rya-incubating-3.2.11-rc2
> >> >> The Git commit ID is f9e5787a4057d8fbaacc8d22e4de5d86fcb45ba8
> >> >> https://git-wip-us.apache.org/repos/asf?p=incubator-rya.git;a=commit;h=f9e5787a4057d8fbaacc8d22e4de5d86fcb45ba8
> >> >>
> >> >> Checksums of rya-project-3.2.11-source-release.zip:
> >> >> MD5: aa4dff6ed9664fb1e06752389bebcea9
> >> >> SHA1: a801e7814bdd09f603256858e4511db4b59605b2
> >> >> SHA512:
> >> >> 66ad82cf9f6c04e5ab230b609fb902f071fd77ff63989f3fa2e331ddcc34
> >> >> 3b1ad7ee7d3ae3bbd138b399e59c565a57457060c357c01a805c0b4bbe2cd0c34dd9
> >> >>
> >> >> Release artifacts are signed with the following key:
> >> >> https://people.apache.org/keys/committer/dlotts.asc
> >> >>
> >> >> KEYS file available here:
> >> >> https://dist.apache.org/repos/dist/release/incubator/rya/KEYS
> >> >>
> >> >> Issues that were closed/resolved for this release are here:
> >> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12319020&version=12341279
> >> >> (Should be complete now.)
> >> >>
> >> >> The vote will be open for at least 72 hours starting Monday 9/11/2017 and
> >> >> close at Friday 9/15/2017 10am Eastern Time USA.
> >> >> Please download the release candidate and evaluate the necessary items
> >> >> including checking hashes, signatures, build from source, and test. Then
> >> >> please vote:
> >> >>
> >> >> [ ] +1 Release this package as rya-project-3.2.11
> >> >> [ ] +0 no opinion
> >> >> [ ] -1 Do not release this package because...
Re: [VOTE] Release Rya (Incubating) version 3.2.11 RC2
Also, it appears that there is an issue with this project as well:

grep -r 3.2.10-incubating-SNAPSHOT rya-project-3.2.11-incubating
rya-project-3.2.11-incubating/osgi/sesame-runtime-osgi/pom.xml:
*3.2.10-incubating-SNAPSHOT*

On Wed, Sep 13, 2017 at 12:05 AM, Jeff Dasch wrote:

> It is fine not to release the geoindexing artifacts, but we need all of
> the pom version strings to be consistent (and correct) so that if one did
> want to build them with the geoindexing profile, they can.
>
> Speaking of artifacts, nexus seems to have a lot of geoindexing artifacts
> in it. Probably need to revisit the extras/pom.xml as it looks like there's
> a regression in there.
>
> On Tue, Sep 12, 2017 at 10:22 PM, Puja Valiyil wrote:
>
>> Don't we not release the geoindexing artifacts? Sorry if I'm being slow
>> here
>>
>> Sent from my iPhone
>>
>> > On Sep 12, 2017, at 5:23 PM, Jeff Dasch wrote:
>> >
>> > -1 (non-binding)
>> >
>> > The pom for rya.pcj.functions.geo references a parent artifact with a
>> > 3.2.11-incubating-SNAPSHOT version:
>> > grep -r 3.2.11-incubating-SNAPSHOT rya-project-3.2.11-incubating
>> > rya-project-3.2.11-incubating/extras/rya.pcj.fluo/rya.pcj.functions.geo/pom.xml:
>> > 3.2.11-incubating-SNAPSHOT
>> >
>> > Need to clean your maven repo and build with the geoindexing profile to see
>> > this issue. RC1 was also affected.
>> >
>> >> On Mon, Sep 11, 2017 at 5:44 PM, David Lotts wrote:
>> >>
>> >> I am pleased to be calling this vote for the source release of Apache Rya
>> >> (Incubating), version 3.2.11.
>> >>
>> >> The source zip, including signatures, digests, etc. can be found at:
>> >> https://dist.apache.org/repos/dist/dev/incubator/rya/rya-incubating-3.2.11-rc2/
>> >>
>> >> Ancillary artifacts such as poms, jars, wars. can be found here:
>> >> https://repository.apache.org/content/repositories/orgapacherya-1006/org/apache/rya/rya-project/3.2.11-incubating/
>> >>
>> >> The Git tag is rya-incubating-3.2.11-rc2
>> >> The Git commit ID is f9e5787a4057d8fbaacc8d22e4de5d86fcb45ba8
>> >> https://git-wip-us.apache.org/repos/asf?p=incubator-rya.git;a=commit;h=f9e5787a4057d8fbaacc8d22e4de5d86fcb45ba8
>> >>
>> >> Checksums of rya-project-3.2.11-source-release.zip:
>> >> MD5: aa4dff6ed9664fb1e06752389bebcea9
>> >> SHA1: a801e7814bdd09f603256858e4511db4b59605b2
>> >> SHA512:
>> >> 66ad82cf9f6c04e5ab230b609fb902f071fd77ff63989f3fa2e331ddcc34
>> >> 3b1ad7ee7d3ae3bbd138b399e59c565a57457060c357c01a805c0b4bbe2cd0c34dd9
>> >>
>> >> Release artifacts are signed with the following key:
>> >> https://people.apache.org/keys/committer/dlotts.asc
>> >>
>> >> KEYS file available here:
>> >> https://dist.apache.org/repos/dist/release/incubator/rya/KEYS
>> >>
>> >> Issues that were closed/resolved for this release are here:
>> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12319020&version=12341279
>> >> (Should be complete now.)
>> >>
>> >> The vote will be open for at least 72 hours starting Monday 9/11/2017 and
>> >> close at Friday 9/15/2017 10am Eastern Time USA.
>> >> Please download the release candidate and evaluate the necessary items
>> >> including checking hashes, signatures, build from source, and test. Then
>> >> please vote:
>> >>
>> >> [ ] +1 Release this package as rya-project-3.2.11
>> >> [ ] +0 no opinion
>> >> [ ] -1 Do not release this package because...
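The two `grep -r` findings in this thread each search for one known stale string, and the first only surfaced when building with the geoindexing profile. As an added example (not part of the original thread or the project's build), the check below reads every pom.xml in the source tree, whether or not a profile activates it, and reports any explicit project or parent version that differs from the release version. The module paths in the demonstration tree are constructed; the version strings are the ones quoted in the thread.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumes each pom declares the standard Maven POM 4.0.0 namespace.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def pom_versions(path):
    """Return (<version>, <parent><version>) of one pom.xml; None where absent."""
    root = ET.parse(path).getroot()
    own = root.findtext("m:version", namespaces=NS)
    parent = root.findtext("m:parent/m:version", namespaces=NS)
    return own, parent


def check_poms(tree, expected):
    """List (relative path, field, value) for every version that is not `expected`."""
    problems = []
    for dirpath, _dirs, files in os.walk(tree):
        if "pom.xml" not in files:
            continue
        path = os.path.join(dirpath, "pom.xml")
        for label, version in zip(("version", "parent version"), pom_versions(path)):
            # A module that inherits its version has no <version> element: skip it.
            if version is not None and version.strip() != expected:
                rel = os.path.relpath(path, tree).replace(os.sep, "/")
                problems.append((rel, label, version.strip()))
    return sorted(problems)


def write_pom(path, version=None, parent_version=None):
    """Write a minimal constructed pom.xml for the demonstration tree."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    parent = (f"<parent><groupId>org.example</groupId><artifactId>p</artifactId>"
              f"<version>{parent_version}</version></parent>") if parent_version else ""
    own = f"<version>{version}</version>" if version else ""
    with open(path, "w") as fh:
        fh.write(f'<project xmlns="{NS["m"]}"><modelVersion>4.0.0</modelVersion>'
                 f"{parent}<artifactId>a</artifactId>{own}</project>")


def demo():
    """Build a constructed tree with one stale parent and one stale module version."""
    with tempfile.TemporaryDirectory() as tree:
        write_pom(os.path.join(tree, "pom.xml"), version="3.2.11-incubating")
        write_pom(os.path.join(tree, "core", "pom.xml"),
                  parent_version="3.2.11-incubating")
        write_pom(os.path.join(tree, "extras", "geo", "pom.xml"),
                  parent_version="3.2.11-incubating-SNAPSHOT")
        write_pom(os.path.join(tree, "osgi", "runtime", "pom.xml"),
                  version="3.2.10-incubating-SNAPSHOT")
        return check_poms(tree, "3.2.11-incubating")


if __name__ == "__main__":
    for rel, label, value in demo():
        print(f"{rel}: {label} is {value}")
```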