[
https://issues.apache.org/jira/browse/YARN-5433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15596720#comment-15596720
]
Sangjin Lee commented on YARN-5433:
-----------------------------------
I looked into new dependencies that timelineservice modules add (~ 50 at the
individual artifact level). I arrived at that list by looking at the
dependencies from these modules and removing the ones that are marked as "done"
in Andrew's spreadsheet.
Most of them are ASLv2 licenses (e.g. HBase, Kerby, Tephra, Twill, etc.). I
understand from HADOOP-12893 that ASLv2, BSD, and MIT licenses do not require
separate mentions in our L&N. I then arrive at the following that still needs
to be examined:
{noformat}
(CDDL License) jsr311-api (javax.ws.rs:jsr311-api:1.1.1 - https://jsr311.dev.java.net)
(Mozilla Public License Version 1.1) jamon-runtime (org.jamon:jamon-runtime:2.3.1 - http://www.jamon.org/jamon-runtime/)
(Unknown license) sqlline (sqlline:sqlline:1.1.8 - no url defined)
{noformat}
It appears that sqlline is a 3-clause BSD license
(https://github.com/julianhyde/sqlline). I suppose we're OK with the JSR 311
(CDDL license)? How about the Mozilla license?
[~busbey], I guess sqlline and jamon-runtime were looked at from the hbase and
phoenix side of things? FYI, jsr311 is pulled in by jersey-core, jamon-runtime
by hbase-server, and sqlline by phoenix-core.
> Audit dependencies for Category-X
> ---------------------------------
>
> Key: YARN-5433
> URL: https://issues.apache.org/jira/browse/YARN-5433
> Project: Hadoop YARN
> Issue Type: Bug
> Components: timelineserver
> Affects Versions: 3.0.0-alpha1
> Reporter: Sean Busbey
> Assignee: Sangjin Lee
> Priority: Blocker
>
> Recently phoenix has found some category-x dependencies in their build
> (PHOENIX-3084, PHOENIX-3091), which also showed some problems in HBase
> (HBASE-16260).
> Since the Timeline Server work brought in both of these as dependencies, we
> should make sure we don't have any cat-x dependencies either. From what I've
> seen in those projects, our choice of HBase version shouldn't be impacted but
> our Phoenix one is.
> Grepping our current dependency list for the timeline server component shows
> some LGPL:
> {code}
> ...
> [INFO] net.sourceforge.findbugs:annotations:jar:1.3.2:compile
> ...
> {code}
> I haven't checked the rest of the dependencies that have changed since
> HADOOP-12893 went in, so ATM I've filed this against YARN since that's where
> this one example came in.