Thanks Chris.
I review the dependencies with the information that you provided and below
you can find the final summary.
Most of the dependencies are coming from the Third party platform such as
Apache Spark, Apache Hadoop and Apache Giraph, and normally those
dependencies need to be provided by the user at runtime.
The unique dependencies that wayang is containing is Junit 5 and it
have EPLv2(BAD)
- Apache Flink, Apache Spark, glassfish
- (ASF 2.0) (LGPL 2.1) (MPL 1.1) Javassist
(org.javassist:javassist:3.19.0-GA - http://www.javassist.org/)
- (ASF 2.0) (LGPL 2.1) (MPL 1.1) Javassist
(org.javassist:javassist:3.25.0-GA - http://www.javassist.org/)
- jUnit 5
- (Eclipse Public License 1.0) JUnit (junit:junit:4.12 -
http://junit.org)
- (Eclipse Public License v2.0) JUnit Jupiter (Aggregator)
(org.junit.jupiter:junit-jupiter:5.6.1 - https://junit.org/junit5/)
- (Eclipse Public License v2.0) JUnit Jupiter API
(org.junit.jupiter:junit-jupiter-api:5.6.1 - https://junit.org/junit5/
)
- (Eclipse Public License v2.0) JUnit Jupiter Engine
(org.junit.jupiter:junit-jupiter-engine:5.6.1 -
https://junit.org/junit5/)
- (Eclipse Public License v2.0) JUnit Jupiter Params
(org.junit.jupiter:junit-jupiter-params:5.6.1 -
https://junit.org/junit5/)
- (Eclipse Public License v2.0) JUnit Platform Commons
(org.junit.platform:junit-platform-commons:1.6.1 -
https://junit.org/junit5/)
- (Eclipse Public License v2.0) JUnit Platform Engine API
(org.junit.platform:junit-platform-engine:1.6.1 -
https://junit.org/junit5/)
- (Eclipse Public License v2.0) JUnit Vintage Engine
(org.junit.vintage:junit-vintage-engine:5.6.1 -
https://junit.org/junit5/)
- Jersey Is inside of Apache Hadoop, Apache Spark
- (CDDL 1.1) (GPL2 w/ CPE) JAXB RI
(com.sun.xml.bind:jaxb-impl:2.2.3-1 - http://jaxb.java.net/)
- (CDDL 1.1) (GPL2 w/ CPE) jersey-client
(com.sun.jersey:jersey-client:1.9 -
https://jersey.java.net/jersey-client/)
- (CDDL 1.1) (GPL2 w/ CPE) jersey-core
(com.sun.jersey:jersey-core:1.9 - https://jersey.java.net/jersey-core/
)
- (CDDL 1.1) (GPL2 w/ CPE) jersey-guice
(com.sun.jersey.contribs:jersey-guice:1.9 -
https://jersey.java.net/jersey-contribs/jersey-guice/)
- (CDDL 1.1) (GPL2 w/ CPE) jersey-json
(com.sun.jersey:jersey-json:1.9 - https://jersey.java.net/jersey-json/
)
- (CDDL 1.1) (GPL2 w/ CPE) jersey-server
(com.sun.jersey:jersey-server:1.9 -
https://jersey.java.net/jersey-server/)
- Jakarta y Glassfish are dependencies de apache spark
- (Dual license consisting of the CDDL v1.1 and GPL v2) JSR 353 (JSON
Processing) Default Provider (org.glassfish:javax.json:1.0.4 -
http://jsonp.java.net)
- (EDL 1.0) JavaBeans Activation Framework API jar
(jakarta.activation:jakarta.activation-api:1.2.1 -
https://github.com/eclipse-ee4j/jaf/jakarta.activation-api)
- (EPL 2.0) (GPL2 w/ CPE) HK2 API module
(org.glassfish.hk2:hk2-api:2.6.1 -
https://github.com/eclipse-ee4j/glassfish-hk2/hk2-api)
- (EPL 2.0) (GPL2 w/ CPE) HK2 Implementation Utilities
(org.glassfish.hk2:hk2-utils:2.6.1 -
https://github.com/eclipse-ee4j/glassfish-hk2/hk2-utils)
- (EPL 2.0) (GPL2 w/ CPE) Jakarta Annotations API
(jakarta.annotation:jakarta.annotation-api:1.3.5 -
https://projects.eclipse.org/projects/ee4j.ca)
- (EPL 2.0) (GPL2 w/ CPE) Jakarta Servlet
(jakarta.servlet:jakarta.servlet-api:4.0.3 -
https://projects.eclipse.org/projects/ee4j.servlet)
- (EPL 2.0) (GPL2 w/ CPE) OSGi resource locator
(org.glassfish.hk2:osgi-resource-locator:1.0.3 -
https://projects.eclipse.org/projects/ee4j/osgi-resource-locator)
- (EPL 2.0) (GPL2 w/ CPE) ServiceLocator Default Implementation
(org.glassfish.hk2:hk2-locator:2.6.1 -
https://github.com/eclipse-ee4j/glassfish-hk2/hk2-locator)
- (EPL 2.0) (GPL2 w/ CPE) aopalliance version 1.0 repackaged as a
module (org.glassfish.hk2.external:aopalliance-repackaged:2.6.1 -
https://github.com/eclipse-ee4j/glassfish-hk2/external/aopalliance-repackaged
)
- (EPL 2.0) (GPL2 w/ CPE) jakarta.ws.rs-api
(jakarta.ws.rs:jakarta.ws.rs-api:2.1.6
- https://github.com/eclipse-ee4j/jaxrs-api)
- (EPL 2.0) (GPL2 w/ CPE) javax.inject:1 as OSGi bundle
(org.glassfish.hk2.external:jakarta.inject:2.6.1 -
https://github.com/eclipse-ee4j/glassfish-hk2/external/jakarta.inject)
- (Eclipse Distribution License - v 1.0) jakarta.xml.bind-api
(jakarta.xml.bind:jakarta.xml.bind-api:2.3.2 -
https://github.com/eclipse-ee4j/jaxb-api/jakarta.xml.bind-api)
- Apache Giraph dependency
- (GNU General Public License (GPL), version 2, with the Classpath
exception) Java Object Layout: Core (org.openjdk.jol:jol-core:0.1 -
http://maven.apache.org)
- (Jython Software License) Jython (org.python:jython:2.5.3 -
http://www.jython.org/)
- org.json Removed direct dependency(IN PROGRESS), but also is on Apache
Graph Dependency
- (The JSON License) JSON in Java (org.json:json:20160212 -
https://github.com/douglascrockford/JSON-java)
- (provided without support or warranty) JSON (JavaScript Object
Notation) (org.json:json:20090211 -
http://www.json.org/java/index.html)
- Apache Spark, Apache Hadoop have as dependency
- (GNU Lesser Public License) FindBugs-Annotations
(com.google.code.findbugs:annotations:2.0.2 -
http://findbugs.sourceforge.net/)
What do you think, is it ok to have these licenses ?
Best regards,
Bertty
El lun, 6 sept 2021 a las 14:16, Alexander Alten (<[email protected]>)
escribió:
> Thanks Chris!
>
> On Mon, Sep 6, 2021, 13:13 Christofer Dutz <[email protected]>
> wrote:
>
> > Hi all,
> >
> > I asked Justin McLean (VP of the Incubator) to review the thread and he
> > confirmed the advice was sound ...
> > So I guess this is something you could start working with.
> >
> > Chris
> >
> >
> > -----Ursprüngliche Nachricht-----
> > Von: Christofer Dutz <[email protected]>
> > Gesendet: Montag, 6. September 2021 12:31
> > An: [email protected]
> > Betreff: AW: Apache Wayang dependencies with other licenses
> >
> > Ok … condensing the licenses in play … (Mostly listed multiple times due
> > to different notation)
> >
> > Ones with „OK“ are ok … ones with „BAD“ can be used in some cases,
> > depending on the case, „FORBIDDEN“ can’t be used in an Apache release.
> >
> > Here the list of the sorted licenses:
> > OK - MIT
> > FORBIDDEN - GPLv2 (with classpath exception) BAD - CDDL + GPLv2 (with
> > classpath exception) (Dual licensing … chan choose which one applies)
> (CDDL
> > is considered BAD … can be contained in certain situations) OK - BSD
> > 2-Clause OK - BSD 3-Clause (AKA „the new BSD“) FORBIDDEN - BSD 4-Clauss
> > (Aka „The BSD License“) OK - Apache 2.0 BAD - EPL 1.0 (Aka Eclipse public
> > license) BAD - EPL 2.0 (Aka Eclipse public license) OK - Public Domain
> > (Needs attribution) OK - ICU License FORBIDDEN - LGPL (AKA GNU Lesser
> > Public License, GNU Lesser General Public License, …) BAD - MPL (Aka
> > Mozilla Public License) OK - CC0 (Aka Creative Commons) (Needs
> attribution)
> > FORBIDDEN - JSON License BAD - CDDL OK - PostgreSQL License
> >
> > Ones I’m not sure of:
> > HSQLDB License
> > OW2 Licence
> > Jython Software License
> >
> > Chris
> >
> > Von: Bertty Contreras <[email protected]>
> > Gesendet: Freitag, 3. September 2021 01:55
> > An: [email protected]
> > Betreff: Re: Apache Wayang dependencies with other licenses
> >
> > I just finished checking all the licenses and the resume list is below.
> >
> > NOTE: the pipe (|) indicate different name for the same license
> >
> > (36 licenses different)
> >
> > * The MIT License | MIT License | MIT
> > * GPL | GNU General Public License (GPL), version 2, with the
> > Classpath exception
> > * New BSD License | New BSD license | The New BSD License
> > * BSD 2-Clause License
> > * BSD 3 Clause | The BSD 3-Clause License | BSD 3-Clause "New" or
> > "Revised" License (BSD-3-Clause | 3-Clause BSD License |BSD 3-clause |BSD
> > 3-clause |BSD 3-Clause | BSD 3 Clause License
> > * BSD | The BSD License | BSD licence
> > * Revised BSD
> > * Apache License
> > * ASF 2.0 | The Apache Software License, Version 2.0 | Apache
> License,
> > Version 2.0 | Apache 2.0 License | Apache License Version 2.0 | Apache
> 2.0
> > | Apache-2.0 | The Apache License, Version 2.0 | Apache License Version
> 2 |
> > Apache 2 | http://www.apache.org/licenses/LICENSE-2.0.txt | Apache
> > License 2.0 | Apache Software License - Version 2.0
> > * Eclipse Public License 1.0 | Eclipse Public License - Version 1.0
> > * Eclipse Public License v2.0
> > * Public Domain
> > * Unicode/ICU License
> > * LGPL
> > * GNU Lesser Public License
> > * GNU Lesser General Public License (LGPL), Version 2.1 | GNU Lesser
> > General Public License 2.1 | LGPL 2.1
> > * MPL
> > * Unknown license
> > * MPL 1.1
> > * HSQLDB License, a BSD open source license
> > * GPL2 w/ CPE
> > * http://asm.ow2.org/license.html
> > * CDDL + GPLv2 with classpath exception
> > * Dual license consisting of the CDDL v1.1 and GPL v2
> > * Jython Software License
> > * CC0
> > * Public domain
> > * The JSON License
> > * COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0)
> > * The PostgreSQL License
> > * CDDL 1.1
> > * provided without support or warranty
> > * CDDL+GPL License
> > I used the plugin org.codehaus.mojo:license-maven-plugin:2.0.0 to the
> > licenses attached on the file THIRD-PARTY.
> >
> > if you find some license that you think we need to delete let me know,
> but
> > also many of them are like 2 or more levels of dependency down
> >
> > Related to the trove4j(is the unique direct one), I will use the apache
> > commons library and I will put a "TODO" of doing a test with different
> > libraries, but i think it is not too much difference.
> >
> > Best regards,
> > Bertty
> >
> > On Thu, Sep 2, 2021 at 11:08 PM Christofer Dutz <
> [email protected]
> > <mailto:[email protected]>> wrote:
> > Have a look at Google guava
> > https://github.com/google/guava
> >
> > Or, even better, apache commons.
> >
> > Chris
> >
> > Holen Sie sich Outlook für Android<https://aka.ms/AAb9ysg>
> > ________________________________
> > From: bertty contreras <[email protected]<mailto:
> > [email protected]>>
> > Sent: Thursday, September 2, 2021 10:25:43 PM
> > To: [email protected]<mailto:[email protected]> <
> > [email protected]<mailto:[email protected]>>
> > Subject: Re: Apache Wayang dependencies with other licenses
> >
> > Then i will remove the Trave4j(LGPL that we are using in the code), and i
> > will figure out if exist an third party that is using some LGPL and
> notify
> > to you.
> >
> > Best regards,
> > Bertty
> >
> > On Thu 2. Sep 2021 at 18:30, Jean-Baptiste Onofre <[email protected]
> <mailto:
> > [email protected]>> wrote:
> >
> > > Yes, it’s my point: if it’s included like this and third party use
> > > wayang as dependencies, then the LGPL dependency will come
> transitively.
> > >
> > > So it’s not good IMHO.
> > >
> > > Regards
> > > JB
> > >
> > > > Le 2 sept. 2021 à 18:28, Christofer Dutz
> > > > <[email protected]<mailto:[email protected]>> a
> > > écrit :
> > > >
> > > > I think he means: Adding a dependency in a pom.
> > > >
> > > > It's technically not included in the Apache release. However if you
> > > build something with it, the end product will have to contain it. (A
> > > sort of borderline case is if it's used for testing, but isn't
> > > included in the final output, but that's a slippery slope).
> > > >
> > > > So in the end if someone would be building something with our Apache
> > > licensed library, in the end he would be stuck with something that's
> > > technically LGPL ... that's why we don't like that license.
> > > >
> > > > Chris
> > > >
> > > >
> > > > -----Ursprüngliche Nachricht-----
> > > > Von: Jean-Baptiste Onofre <[email protected]<mailto:[email protected]>>
> > > > Gesendet: Donnerstag, 2. September 2021 18:23
> > > > An: [email protected]<mailto:[email protected]>
> > > > Betreff: Re: Apache Wayang dependencies with other licenses
> > > >
> > > > What do you mean by « linking » ? You mean use it as dependency ?
> > > >
> > > > Regards
> > > > JB
> > > >
> > > >> Le 2 sept. 2021 à 18:21, Alexander Alten <[email protected]<mailto:
> > [email protected]>> a écrit :
> > > >>
> > > >> Thats right, but linking per pom.xml is not an issue, isn’t?
> > > >>
> > > >> —Alex
> > > >>
> > > >>> On 2. Sep 2021, at 18:18, Christofer Dutz
> > > >>> <[email protected]<mailto:[email protected]>>
> > > wrote:
> > > >>>
> > > >>> Hi Alex,
> > > >>>
> > > >>> unfortunately this is not quite correct. Having LGPL2 is actually
> > > something we are not allowed to use.
> > > >>>
> > > >>> Chris
> > > >>>
> > > >>> -----Ursprüngliche Nachricht-----
> > > >>> Von: Alexander Alten <[email protected]<mailto:[email protected]>>
> > > >>> Gesendet: Donnerstag, 2. September 2021 08:25
> > > >>> An: [email protected]<mailto:[email protected]>
> > > >>> Betreff: Re: Apache Wayang dependencies with other licenses
> > > >>>
> > > >>> Hi folks,
> > > >>>
> > > >>> According to
> > > >>> https://opensource.stackexchange.com/questions/5664/linking-from-l
> > > >>> gpl
> > > >>> -2-1-software-to-apache-2-0-library/5756#5756
> > > >>>
> > > >>> the linking to LGPL2 libs is not problematic, the permissive part
> > > applies.
> > > >>> In general the use of other libs, which are not distributed over
> > > >>> the
> > > project, is fine. We just need to make sure that we reference the
> > > library in the pom.xml file and not distribute them directly.
> > > >>> BSD license, as well as MIT are compatible.
> > > >>>
> > > >>> Chris, and mentors - any comments here before we start to draft
> > > >>> the
> > > first release?
> > > >>>
> > > >>> Best,
> > > >>> --alex
> > > >>>
> > > >>> --
> > > >>> Alexander Alten
> > > >>> PPMC Apache Wayang
> > > >>>
> > > >>>
> > > >>>
> > > >>> On Tue, Aug 31, 2021, 23:57 Rodrigo Pardo Meza
> > > >>> <[email protected]<mailto:[email protected]>>
> > > >>> wrote:
> > > >>>
> > > >>>> Hi folks,
> > > >>>>
> > > >>>> @bertty contreras
> > > >>>> <[email protected]<mailto:[email protected]>> and
> > I have been working on the first release. To this end:
> > > >>>>
> > > >>>> (1) We checked the maintenance state of the libraries actively
> > > >>>> used by Wayang. One of them (HPI) has been deleted and
> > > >>>> Experiments storage functionalities have been incorporated into
> > > >>>> the code of Wayang in order to extend them.
> > > >>>>
> > > >>>> (2) We checked the licenses of the libraries currently used by
> > > Wayang.
> > > >>>> Not going further to the licenses of the dependencies of these
> > > >>>> libraries (Only was checked the first level of the dependency
> > > >>>> tree of Wayang). We found the next observations:
> > > >>>>
> > > >>>> - trove4j
> > > >>>> <https://mvnrepository.com/artifact/net.sf.trove4j/trove4j>
> > > >>>> has LGPL 2.1 license
> > > >>>> - antlr4
> > > >>>> <https://mvnrepository.com/artifact/org.antlr/antlr4-runtime>
> > > >>>> has BSD license
> > > >>>> - paranamer
> > > >>>> <https://mvnrepository.com/artifact/com.thoughtworks.paranamer/pa
> > > >>>> ran
> > > >>>> am
> > > >>>> er> has BSD licence. Spark has this dependency as well with
> > > >>>> er> runtime
> > > >>>> scope, if Wayang does the same should be ok?
> > > >>>> - hsqldb <https://mvnrepository.com/artifact/org.hsqldb/hsqldb>
> > > >>>> has BSD license
> > > >>>>
> > > >>>> Someone can help us to find out if our project can use these
> > > >>>> dependencies; otherwise, does anyone have suggestions of
> > > >>>> libraries to replace them?
> > > >>>>
> > > >>>> Thanks in advance.
> > > >>>>
> > > >>>> Best regards
> > > >>>>
> > > >>
> > > >
> > >
> > >
> >
>
