Thanks for checking 2.7.0! I think then upgrading should get rid of
the misleading license information.
I tried quickly a pretend-update to Jackson 2.7.0 with
mvn license:aggregate-add-third-party -Djackson.version=2.7.0
And now my target/generated-sources/license/THIRD-PARTY.txt lists them
correctly as:
(The Apache Software License, Version 2.0) Jackson-annotations
(com.fasterxml.jackson.core:jackson-annotations:2.7.0 -
http://github.com/FasterXML/jackson)
(The Apache Software License, Version 2.0) Jackson-core
(com.fasterxml.jackson.core:jackson-core:2.7.0 -
https://github.com/FasterXML/jackson-core)
(The Apache Software License, Version 2.0) jackson-databind
(com.fasterxml.jackson.core:jackson-databind:2.7.0 -
http://github.com/FasterXML/jackson)
Shall we change the dependency version in Maven Parent and see if it
works well for the remaining repositories? Note that Jackson's JSON
objects form part of the Configuration API of scufl2-api, so we would
rely on them following semantic versioning rules.
I've tracked this as https://issues.apache.org/jira/browse/TAVERNA-933
On 8 March 2016 at 18:38, Gale Naylor <[email protected]> wrote:
> The latest Jackson release is 2.7.0, downloaded from
> http://wiki.fasterxml.com/JacksonDownload#Downloads.2C_2.x. (10 Jan 2016)
>
> The LICENSE and MANIFEST.MF files (for annotation, core, and databind) only
> list the Apache License. (I've copied the text below, in case there is
> something I missed.)
>
> I don't see anything about licenses in the pom.xml files. If I search for
> "license" nothing comes up. I attached the text of the databind pom.xml
> below, again, just in case there is something I missed.
>
> *****************************
> * jackson-annotations-2.7.0 *
> *****************************
>
> $ cat license
>
> This copy of Jackson JSON processor annotations is licensed under the
> Apache (Software) License, version 2.0 ("the License").
> See the License for details about distribution rights, and the
> specific rights regarding derivate works.
>
> You may obtain a copy of the License at:
>
> http://www.apache.org/licenses/LICENSE-2.0
>
>
> $ cat manifest.mf
>
> Manifest-Version: 1.0
> Bnd-LastModified: 1452404803429
> Build-Jdk: 1.7.0_79
> Built-By: tatu
> Bundle-Description: Core annotations used for value types, used by Jacks
> on data binding package.
> Bundle-DocURL: http://github.com/FasterXML/jackson
> Bundle-License: http://www.apache.org/licenses/LICENSE-2.0.txt
> Bundle-ManifestVersion: 2
> Bundle-Name: Jackson-annotations
> Bundle-SymbolicName: com.fasterxml.jackson.core.jackson-annotations
> Bundle-Vendor: FasterXML
> Bundle-Version: 2.7.0
> Created-By: Apache Maven Bundle Plugin
> Export-Package: com.fasterxml.jackson.annotation;version="2.7.0"
> Implementation-Build-Date: 2016-01-09 21:46:40-0800
> Implementation-Title: Jackson-annotations
> Implementation-Vendor: FasterXML
> Implementation-Vendor-Id: com.fasterxml.jackson.core
> Implementation-Version: 2.7.0
> Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"
> Specification-Title: Jackson-annotations
> Specification-Vendor: FasterXML
> Specification-Version: 2.7.0
> Tool: Bnd-2.3.0.201405100607
> X-Compile-Source-JDK: 1.6
> X-Compile-Target-JDK: 1.6
>
> **********************
> * jackson-core-2.7.0 *
> **********************
>
> $ cat license
>
> This copy of Jackson JSON processor streaming parser/generator is licensed
> under
> the
> Apache (Software) License, version 2.0 ("the License").
> See the License for details about distribution rights, and the
> specific rights regarding derivate works.
>
> You may obtain a copy of the License at:
>
> http://www.apache.org/licenses/LICENSE-2.0
>
>
> $ cat manifest.mf
>
> Manifest-Version: 1.0
> Bnd-LastModified: 1452405208027
> Build-Jdk: 1.7.0_79
> Built-By: tatu
> Bundle-Description: Core Jackson abstractions, basic JSON streaming API
> implementation
> Bundle-DocURL: https://github.com/FasterXML/jackson-core
> Bundle-License: http://www.apache.org/licenses/LICENSE-2.0.txt
> Bundle-ManifestVersion: 2
> Bundle-Name: Jackson-core
> Bundle-SymbolicName: com.fasterxml.jackson.core.jackson-core
> Bundle-Vendor: FasterXML
> Bundle-Version: 2.7.0
> Created-By: Apache Maven Bundle Plugin
> Export-Package: com.fasterxml.jackson.core;version="2.7.0",com.fasterxml
> .jackson.core.base;version="2.7.0",com.fasterxml.jackson.core.filter;ve
> rsion="2.7.0",com.fasterxml.jackson.core.format;version="2.7.0",com.fas
> terxml.jackson.core.io;version="2.7.0",com.fasterxml.jackson.core.json;
> version="2.7.0",com.fasterxml.jackson.core.sym;version="2.7.0",com.fast
> erxml.jackson.core.type;version="2.7.0",com.fasterxml.jackson.core.util
> ;version="2.7.0"
> Implementation-Build-Date: 2016-01-09 21:53:18-0800
> Implementation-Title: Jackson-core
> Implementation-Vendor: FasterXML
> Implementation-Vendor-Id: com.fasterxml.jackson.core
> Implementation-Version: 2.7.0
> Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"
> Specification-Title: Jackson-core
> Specification-Vendor: FasterXML
> Specification-Version: 2.7.0
> Tool: Bnd-2.3.0.201405100607
> X-Compile-Source-JDK: 1.6
> X-Compile-Target-JDK: 1.6
>
>
> **************************
> * jackson-databind-2.7.0 *
> **************************
>
> $ cat license
>
> This copy of Jackson JSON processor databind module is licensed under the
> Apache (Software) License, version 2.0 ("the License").
> See the License for details about distribution rights, and the
> specific rights regarding derivate works.
>
> You may obtain a copy of the License at:
>
> http://www.apache.org/licenses/LICENSE-2.0
>
>
> $ cat manifest.mf
>
> Manifest-Version: 1.0
> Bnd-LastModified: 1452406176600
> Build-Jdk: 1.7.0_25
> Built-By: tatu
> Bundle-Description: General data-binding functionality for Jackson: work
> s on core streaming API
> Bundle-DocURL: http://github.com/FasterXML/jackson
> Bundle-License: http://www.apache.org/licenses/LICENSE-2.0.txt
> Bundle-ManifestVersion: 2
> Bundle-Name: jackson-databind
> Bundle-SymbolicName: com.fasterxml.jackson.core.jackson-databind
> Bundle-Vendor: FasterXML
> Bundle-Version: 2.7.0
> Created-By: Apache Maven Bundle Plugin
> Export-Package: com.fasterxml.jackson.databind;version="2.7.0",com.faste
> rxml.jackson.databind.annotation;version="2.7.0",com.fasterxml.jackson.
> databind.cfg;version="2.7.0",com.fasterxml.jackson.databind.deser;versi
> on="2.7.0",com.fasterxml.jackson.databind.deser.impl;version="2.7.0",co
> m.fasterxml.jackson.databind.deser.std;version="2.7.0",com.fasterxml.ja
> ckson.databind.exc;version="2.7.0",com.fasterxml.jackson.databind.ext;v
> ersion="2.7.0",com.fasterxml.jackson.databind.introspect;version="2.7.0
> ",com.fasterxml.jackson.databind.jsonFormatVisitors;version="2.7.0",com
> .fasterxml.jackson.databind.jsonschema;version="2.7.0",com.fasterxml.ja
> ckson.databind.jsontype;version="2.7.0",com.fasterxml.jackson.databind.
> jsontype.impl;version="2.7.0",com.fasterxml.jackson.databind.module;ver
> sion="2.7.0",com.fasterxml.jackson.databind.node;version="2.7.0",com.fa
> sterxml.jackson.databind.ser;version="2.7.0",com.fasterxml.jackson.data
> bind.ser.impl;version="2.7.0",com.fasterxml.jackson.databind.ser.std;ve
> rsion="2.7.0",com.fasterxml.jackson.databind.type;version="2.7.0",com.f
> asterxml.jackson.databind.util;version="2.7.0"
> Implementation-Build-Date: 2016-01-09 22:09:28-0800
> Implementation-Title: jackson-databind
> Implementation-Vendor: FasterXML
> Implementation-Vendor-Id: com.fasterxml.jackson.core
> Implementation-Version: 2.7.0
> Import-Package: com.fasterxml.jackson.annotation;version="[2.7,3)",com.f
> asterxml.jackson.core;version="[2.7,3)",com.fasterxml.jackson.core.base
> ;version="[2.7,3)",com.fasterxml.jackson.core.filter;version="[2.7,3)",
> com.fasterxml.jackson.core.format;version="[2.7,3)",com.fasterxml.jacks
> on.core.io;version="[2.7,3)",com.fasterxml.jackson.core.json;version="[
> 2.7,3)",com.fasterxml.jackson.core.type;version="[2.7,3)",com.fasterxml
> .jackson.core.util;version="[2.7,3)",javax.xml.datatype,javax.xml.names
> pace,javax.xml.parsers,org.w3c.dom,org.w3c.dom.bootstrap,org.w3c.dom.ls
> ,org.xml.sax
> Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"
> Specification-Title: jackson-databind
> Specification-Vendor: FasterXML
> Specification-Version: 2.7.0
> Tool: Bnd-2.3.0.201405100607
> X-Compile-Source-JDK: 1.6
> X-Compile-Target-JDK: 1.6
>
> *******************
> *******************
> **** pom. xml ***
> *******************
> *******************
> <?xml version="1.0" encoding="UTF-8"?>
> <project xmlns="http://maven.apache.org/POM/4.0.0"; xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="
> http://maven.apache.org/POM/4.0.0
> http://maven.apache.org/xsd/maven-4.0.0.xsd";>
> <modelVersion>4.0.0</modelVersion>
>
> <parent>
> <groupId>com.fasterxml.jackson</groupId>
> <artifactId>jackson-parent</artifactId>
> <version>2.7</version>
> </parent>
>
> <groupId>com.fasterxml.jackson.core</groupId>
> <artifactId>jackson-databind</artifactId>
> <version>2.7.0</version>
> <name>jackson-databind</name>
> <packaging>bundle</packaging>
> <description>General data-binding functionality for Jackson: works on
> core streaming API</description>
> <url>http://github.com/FasterXML/jackson</url>
> <inceptionYear>2008</inceptionYear>
>
> <scm>
> <connection>scm:git:[email protected]:
> FasterXML/jackson-databind.git</connection>
> <developerConnection>scm:git:[email protected]:
> FasterXML/jackson-databind.git</developerConnection>
> <url>http://github.com/FasterXML/jackson-databind</url>
> <tag>jackson-databind-2.7.0</tag>
> </scm>
>
> <properties>
> <!-- Ok, so, Jackson 2.7 require JDK 1.7 (except for
> annotations/streaming). But
> we do not have strict need for Java 7 bytecode. And, unfortunately,
> it looks
> like we have some issues with Mockito tests if we try to go "full
> 1.7"...
> So that is why... this:
> -->
> <javac.src.version>1.6</javac.src.version>
> <javac.target.version>1.6</javac.target.version>
>
> <!-- Can not use default, since group id != Java package name here -->
>
> <osgi.export>com.fasterxml.jackson.databind.*;version=${project.version}</osgi.export>
> <!-- but imports should work fine with defaults -->
>
> <!-- Generate PackageVersion.java into this directory. -->
>
> <packageVersion.dir>com/fasterxml/jackson/databind/cfg</packageVersion.dir>
>
> <packageVersion.package>com.fasterxml.jackson.databind.cfg</packageVersion.package>
> </properties>
>
> <dependencies>
> <!-- Builds on core streaming API; also needs core annotations -->
> <dependency>
> <groupId>com.fasterxml.jackson.core</groupId>
> <artifactId>jackson-annotations</artifactId>
> </dependency>
> <dependency>
> <groupId>com.fasterxml.jackson.core</groupId>
> <artifactId>jackson-core</artifactId>
> <version>2.7.0</version>
> </dependency>
>
> <!-- and for testing we need a few libraries
> libs for which we use reflection for code, but direct dep for
> testing
> -->
> <!-- Mock -->
> <dependency>
> <groupId>org.powermock</groupId>
> <artifactId>powermock-module-junit4</artifactId>
> <version>1.6.3</version>
> <scope>test</scope>
> </dependency>
> <dependency>
> <groupId>org.powermock</groupId>
> <artifactId>powermock-api-mockito</artifactId>
> <version>1.6.3</version>
> <scope>test</scope>
> </dependency>
> <!-- For testing TestNoClassDefFoundDeserializer -->
> <dependency>
> <groupId>javax.measure</groupId>
> <artifactId>jsr-275</artifactId>
> <version>1.0.0</version>
> <scope>test</scope>
> </dependency>
> </dependencies>
>
> <build>
> <plugins>
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <version>${version.plugin.surefire}</version>
> <artifactId>maven-surefire-plugin</artifactId>
> <configuration>
> <classpathDependencyExcludes>
> <exclude>javax.measure:jsr-275</exclude>
> </classpathDependencyExcludes>
> <excludes>
> <exclude>com/fasterxml/jackson/failing/*.java</exclude>
> </excludes>
> </configuration>
> </plugin>
>
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <artifactId>maven-javadoc-plugin</artifactId>
> <version>${version.plugin.javadoc}</version>
> <configuration>
> <!-- Only works on Java 8:
> <additionalparam>-Xdoclint:none</additionalparam>
> -->
> <!-- so with Java 7, use this: -->
> <failOnError>false</failOnError>
> <links>
> <link>http://docs.oracle.com/javase/7/docs/api/</link>
> <link>
> http://fasterxml.github.com/jackson-annotations/javadoc/2.7</link>
> <link>http://fasterxml.github.com/jackson-core/javadoc/2.7
> </link>
> </links>
> </configuration>
> </plugin>
>
> <!-- May want to configure debug info -->
> <plugin>
> <!-- Inherited from oss-base. Generate PackageVersion.java.-->
> <groupId>com.google.code.maven-replacer-plugin</groupId>
> <artifactId>replacer</artifactId>
> <executions>
> <execution>
> <id>process-packageVersion</id>
> <phase>process-sources</phase>
> </execution>
> </executions>
> </plugin>
> </plugins>
> </build>
>
> <reporting>
> <plugins>
> <plugin>
> <groupId>org.codehaus.mojo</groupId>
> <artifactId>cobertura-maven-plugin</artifactId>
> </plugin>
> </plugins>
> </reporting>
>
> <profiles>
> <profile>
> <id>release</id>
> <properties>
> <maven.test.skip>true</maven.test.skip>
> <skipTests>true</skipTests>
> </properties>
> </profile>
> </profiles>
>
> </project>
>
>
> On Tue, Mar 8, 2016 at 9:56 AM Gale Naylor <[email protected]>
> wrote:
>
>> Like magic! Thanks, Ian.
>>
>> On Tue, Mar 8, 2016 at 3:02 AM Ian Dunlop <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> A jar is just a zip file really so I think you can use something like
>>> 7-zip
>>> to look inside it. If you have java installed (and the paths setup
>>> correctly) you can extract the files to the current directory by doing
>>> 'jar
>>> -xvf myfile.jar'
>>>
>>> Cheers,
>>>
>>> Ian
>>>
>>> On 8 March 2016 at 02:55, Gale Naylor <[email protected]>
>>> wrote:
>>>
>>> > RE Jackson
>>> >
>>> > >>Jackson is confusing the license plugin, as those JARs themselves
>>> contain
>>> > a LICENSE file that is just Apache license (so it should be good), while
>>> > the pom.xml and META-INF/MANIFEST.MF lists both - indicating
>>> dual-license.
>>> >
>>> > I must not know where to look or what I'm looking at because all I see
>>> in
>>> > (scufl2 api) pom.xml (for example) is the Jackson version - no license
>>> > information. And I don't know where to find META-INF/MANIFEST.MF.
>>> >
>>> > >>Could you check if this is the case inside also the JAR files of the
>>> > latest Jackson releases, as I think there has been a new major release
>>> > since the one we use?
>>> >
>>> > I will see if I can figure out how to extract a JAR file, meanwhile, I
>>> > found this link: https://github.com/FasterXML/jackson-databind/wiki. It
>>> > says LGPL is allowed only up to version 2.2, and we are using 2.3. It
>>> looks
>>> > like 2.7 is the latest release:
>>> > https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.7
>>> >
>>> >
>>> > On Mon, Mar 7, 2016 at 6:15 PM Stian Soiland-Reyes <[email protected]>
>>> > wrote:
>>> >
>>> > > Good idea - it's probably something to do with the Maven build
>>> > > artifacts, I've seen it just pick the first <license> before - but
>>> > > they shouldn't claim to be dual license if they are now
>>> > > single-license.
>>> > >
>>> > > Could you check if this is the case inside also the JAR files of the
>>> > > latest Jackson releases, as I think there has been a new major release
>>> > > since the one we use?
>>> > >
>>> > >
>>> > > On 7 March 2016 at 01:55, Gale Naylor <[email protected]>
>>> > wrote:
>>> > > > Thank you for the dual-license, and other license, information. It's
>>> > > > getting a little clearer. ;-)
>>> > > >
>>> > > > Since the Jackson wiki says Jackson 2.x is Apache-only, should we
>>> > contact
>>> > > > them about the issue of the pom.xml and META-INF/MANIFEST.MF showing
>>> > both
>>> > > > licenses? Maybe it's an oversight?
>>> > > >
>>> > > > On Sun, Mar 6, 2016 at 5:26 PM Stian Soiland-Reyes (JIRA) <
>>> > > [email protected]>
>>> > > > wrote:
>>> > > >
>>> > > >>
>>> > > >> [
>>> > > >>
>>> > >
>>> >
>>> https://issues.apache.org/jira/browse/TAVERNA-926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15182436#comment-15182436
>>> > > >> ]
>>> > > >>
>>> > > >> Stian Soiland-Reyes commented on TAVERNA-926:
>>> > > >> ---------------------------------------------
>>> > > >>
>>> > > >>
>>> > > >> If a binary dependency is CDDL/GPL dual-licensed (as most of the
>>> > Oracle
>>> > > >> stuff), then it's best to leave them as-is to not force a choice on
>>> > > >> downstream users. E.g. if we choose GPL, then it's not compatible
>>> with
>>> > > >> Apache license (and we can't distribute it ourselves). If we choose
>>> > CDDL
>>> > > >> (which we can redistribute), then it's not compatible with GPL
>>> license
>>> > > >> (and so you couldn't use Taverna with a GPL plugin).
>>> > > >>
>>> > > >> Jackson is confusing the license plugin, as those JARs themselves
>>> > > contain
>>> > > >> a LICENSE file that is just Apache license (so it should be good),
>>> > while
>>> > > >> the pom.xml and META-INF/MANIFEST.MF lists both - indicating
>>> > > dual-license.
>>> > > >>
>>> > > >> > Category B licenses in taverna-databundle
>>> > > >> > -----------------------------------------
>>> > > >> >
>>> > > >> > Key: TAVERNA-926
>>> > > >> > URL:
>>> > > https://issues.apache.org/jira/browse/TAVERNA-926
>>> > > >> > Project: Apache Taverna
>>> > > >> > Issue Type: Bug
>>> > > >> > Components: Taverna Language
>>> > > >> > Affects Versions: language 0.15.1
>>> > > >> > Reporter: Gale Naylor
>>> > > >> >
>>> > > >> > The following GNU, GPL licenses are Category B licenses and are
>>> not
>>> > > >> allowed in Apache products:
>>> > > >> > (GNU Lesser General Public License, Version 2.1) (The Apache
>>> > > >> Software License, Version 2.0) Jackson-annotations
>>> > > >> (com.fasterxml.jackson.core:jackson-annotations:2.3.3 -
>>> > > >> http://wiki.fasterxml.com/JacksonHome)
>>> > > >> > (GNU Lesser General Public License, Version 2.1) (The Apache
>>> > > >> Software License, Version 2.0) Jackson-core
>>> > > >> (com.fasterxml.jackson.core:jackson-core:2.3.3 -
>>> > > >> http://wiki.fasterxml.com/JacksonHome)
>>> > > >> > (GNU Lesser General Public License, Version 2.1) (The Apache
>>> > > >> Software License, Version 2.0) jackson-databind
>>> > > >> (com.fasterxml.jackson.core:jackson-databind:2.3.3 -
>>> > > >> http://wiki.fasterxml.com/JacksonHome)
>>> > > >> > (CDDL+GPL License) JAXB OSGI
>>> > (com.sun.xml.bind:jaxb-osgi:2.2.11 -
>>> > > >> http://jaxb.java.net/jaxb-bundles/jaxb-osgi/jaxb-osgi)
>>> > > >>
>>> > > >>
>>> > > >>
>>> > > >> --
>>> > > >> This message was sent by Atlassian JIRA
>>> > > >> (v6.3.4#6332)
>>> > > >>
>>> > >
>>> > >
>>> > >
>>> > > --
>>> > > Stian Soiland-Reyes
>>> > > Apache Taverna (incubating), Apache Commons RDF (incubating)
>>> > > http://orcid.org/0000-0001-9842-9718
>>> > >
>>> >
>>>
>>
--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/0000-0001-9842-9718
