Josh, I put up a PR to move Rya to findbugs-annotations [1]. Besides removing some annotations, the biggest change was to go from "import javax.annotation.Nullable" to "import edu.umd.cs.findbugs.annotations.Nullable". Does that look correct?
I went over to Apache Phoenix to see how they deal with the package names for the findbugs-annotations, and it appears that Phoenix still uses "javax.annotation.Nullable" and has a direct dependency on findbugs:jsr305 [2].

--Aaron

[1] https://github.com/apache/incubator-rya/pull/115
[2] https://github.com/apache/phoenix/blob/master/pom.xml#L864

On Mon, Oct 17, 2016 at 2:58 PM Aaron D. Mihalik <aaron.miha...@gmail.com> wrote:

> I meant "fluo has a transitive dependency on findbugs:jsr305". I agree that findbugs-annotations is good and jsr305 is bad.
>
> On Mon, Oct 17, 2016 at 2:51 PM Puja Valiyil <puja...@gmail.com> wrote:
>
> Yea findbugs-annotations is not LGPL:
> https://github.com/stephenc/findbugs-annotations
> It appears to be apache 2, though aaron you should verify.
>
> On Mon, Oct 17, 2016 at 11:19 AM, Aaron D. Mihalik <aaron.miha...@gmail.com> wrote:
>
> > fluo has a transitive dependency on findbugs-annotations, not direct.
> >
> > My issue is that com.github.stephenc.findbugs:findbugs-annotations:3.0.1-1 isn't in maven central. I think it would be straightforward for us to exclude and replace with c.g.s.f:findbugs-annotations:3.0.1-1, but it's going to be difficult with earlier versions of c.g.s.f:findbugs-annotations.
> >
> > I'll take a closer look at it today, though.
> >
> > --Aaron
> >
> > On Sun, Oct 16, 2016 at 5:51 PM Josh Elser <josh.el...@gmail.com> wrote:
> >
> > > Also, over in Apache Phoenix, we're using com.github.stephenc.findbugs:findbugs-annotations:1.3.9-1. Maybe I gave some bad advice on the GAV to use the first time around :)
> > >
> > > Josh Elser wrote:
> > > > A (Maven) repo? It's published central -- you shouldn't have to do anything extra to get it. Sonatype is automatically mirrored to central (like Apache is).
> > > >
> > > > Also, Fluo is depending on this directly? Or just transitively? I am hoping I did not miss it directly depending...
> > > >
> > > > No, it's not ok :). You're bundling code whose license is dodgy. Either way you need to exclude the Findbugs' findbugs-annotations from these dependencies. Whether or not you replace in c.g.s.f:findbugs-annotations instead is up to you (not sure if you would run into problems)
> > > >
> > > > Aaron D. Mihalik wrote:
> > > >> Anyone know where I can find a repo for this artifact:
> > > >>
> > > >> com.github.stephenc.findbugs:findbugs-annotations:3.0.1-1
> > > >>
> > > >> stephenc lists the Repositories here [1] but I can't find the latest release in those mentioned repos (i.e. here [2] or here [3])
> > > >>
> > > >> I don't think we'll have this resolved for RC2, but I'm hoping that's okay because other projects depend on findbugs:jsr305 (i.e. hadoop and fluo).
> > > >>
> > > >> --Aaron
> > > >>
> > > >> [1] http://stephenc.github.io/findbugs-annotations/distribution-management.html
> > > >> [2] https://oss.sonatype.org/content/repositories/releases/com/github/stephenc/findbugs/findbugs-annotations/
> > > >> [3] https://repo.maven.apache.org/maven2/com/github/stephenc/findbugs/findbugs-annotations/