> On Tuesday, July 25, 2023 at 4:24:04 PM UTC-6  Filipe Roque wrote:
> > I have not found any discussion on the mailing list about this.
> > 
> > JSON License has not been considered an open source license by Apache [1], 
> > Debian [2] and FSF [3] and is not OSI approved [4].
> > 
> > Douglas Crockford has relicensed the org.json:json java library to be Public 
> > Domain starting with version 20220924 [5].
> > 
> > Jenkins requires plugins and its dependencies to be free and open source 
> > software [6][7].
> > 
> > I did some analysis on the latest Jenkins plugins' usage of org.json:json [8]. 
> > I have found a total of 473 plugins that depend on org.json:json (directly or 
> > transitively), with 104 plugins using free versions and 67 plugins directly 
> > depending on non-free versions of org.json:json. 
> > 
> > Is this an actual concern for the Jenkins project? If so, how to proceed?
> 
> I think it is a concern for the Jenkins project.  Thanks for noting the 
> issue.  I don't think the risk is high, but it is a concern that is worth 
> some effort to assure that Jenkins remains free and open source.
> 
> I believe one concern is related to software that is in the public domain not 
> using an OSI approved license.  We could extend the definition of licenses 
> accepted by the Jenkins project to include OSI approved licenses and public 
> domain software.  That would address the concerns of those who worry that 
> "public domain" is not a license.

That would make sense, yes.

> 
> The other concern is how do we reduce the number of versions and encourage 
> use of the public domain version instead of the not quite OSI approved 
> license of the earlier versions.  I think that Basil's observation that the 
> org.json:json should be made into a library plugin is the way to reduce the 
> number of versions and encourage use of the public domain version.

I think it would be easier if the plugins (if they are still maintained) 
bumped their version to the latest public domain version. Using a library 
plugin needs someone to maintain the library, and all plugins would need to 
upgrade their baselines and be modernized (so it would be better to use a 
library plugin, but it will cause more work). Maybe this is something for 
Hacktoberfest?

> 
> With regards to the list of plugins, only 7 of the 67 plugins that directly 
> depend on versions prior to 20220924 have more than 1000 installations.  
> Those seem like the first candidates to consider for either an upgrade of the 
> library version or replacement of the library dependency with a plugin 
> dependency.
> 
> With regards to the analysis, I'm not confident in my understanding of the 
> specific details of the analysis.  Maybe you can help me understand more 
> clearly.
> 

What do the colors mean in the spreadsheet?

> I maintain the elastic axis plugin and it is on the list as having a 
> transitive dependency on an older version of the json library.  The elastic 
> axis plugin depends on the matrix project plugin.  The matrix project plugin 
> depends on the junit plugin.  The junit plugin depends on the jackson2 api 
> plugin.  The jackson2 api plugin bundles the jackson2 api jar file and the 
> json-20230227.jar inside its hpi file.  I think that would cause jackson2 api 
> calls to use the json-20230227.jar that is bundled in the hpi file.
> 
> However, the analysis indicates that there is a dependency on json-20190722.  
> Is the analysis not detecting that the jackson2 api plugin already includes a 
> newer version of the json library?  Am I misunderstanding how libraries are 
> resolved?
> 
> I'll put the topic on the next agenda for the Jenkins governing board.
> 
> Thanks,
> Mark Waite
> > 
> > Filipe Roque
> > 
> > [1] https://lwn.net/Articles/707510/
> > [2] https://wiki.debian.org/qa.debian.org/jsonevil
> > [3] https://www.gnu.org/licenses/license-list.html#JSON
> > [4] https://opensource.org/licenses/
> > [5] https://github.com/stleary/JSON-java/issues/686
> > [6] https://www.jenkins.io/doc/developer/publishing/preparation/#license
> > [7] https://www.jenkins.io/project/governance/#3rd-party-library-licenses-in-the-plugins
> > [8] https://docs.google.com/spreadsheets/d/1MWNi796iAovFa6GK7LJ0gilbQRwvb8Su3c7YgpH_fuc/edit?usp=sharing
> > 
> > -- 
> > You received this message because you are subscribed to the Google Groups 
> > "Jenkins Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to jenkinsci-dev+unsubscr...@googlegroups.com 
> > <mailto:jenkinsci-dev+unsubscr...@googlegroups.com>.
> > To view this discussion on the web visit 
> > https://groups.google.com/d/msgid/jenkinsci-dev/d84bbf01-6d3c-495c-81fb-a715377c89e4n%40googlegroups.com
> > <https://groups.google.com/d/msgid/jenkinsci-dev/d84bbf01-6d3c-495c-81fb-a715377c89e4n%40googlegroups.com?utm_medium=email&utm_source=footer>.

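A worked example of the kind of check the thread's plugin analysis and the elastic-axis dependency-chain question call for: a small audit that opens .hpi archives, lists the bundled org.json:json jars, follows the plugin dependency chain, and flags any bundled version older than 20220924 (the first public-domain release per reference [5]). This is an added example written for this page; it is not code from the thread, from the spreadsheet analysis, or from the Jenkins project. It assumes that an .hpi is a zip whose bundled libraries sit under WEB-INF/lib/, that the manifest carries a "Plugin-Dependencies:" header of comma-separated "name:version" entries (possibly with a ";resolution:=optional" suffix), and that org.json:json versions are YYYYMMDD dates. The plugins, dependency edges and versions in SAMPLE_PLUGINS are constructed fixtures shaped like the chain discussed above, not the real plugins' contents.

```python
"""Audit Jenkins plugin archives (.hpi) for bundled org.json:json jars.

Added example for this thread; not code from the thread or the Jenkins
project. Assumptions (not verified against real plugins here): an .hpi
is a zip archive, bundled libraries live under WEB-INF/lib/, the
manifest's 'Plugin-Dependencies:' header lists 'name:version' entries
separated by commas (with an optional ';resolution:=optional' suffix),
and org.json:json versions are dates (YYYYMMDD). The cutoff 20220924
is the first public-domain release cited in the thread ([5]).
"""
import io
import re
import zipfile

PUBLIC_DOMAIN_SINCE = 20220924
JSON_JAR = re.compile(r"^WEB-INF/lib/json-(\d{8})\.jar$")


def bundled_json_versions(hpi_bytes):
    """Return the org.json:json versions bundled in one hpi, as sorted ints."""
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as zf:
        found = [JSON_JAR.match(n) for n in zf.namelist()]
    return sorted(int(m.group(1)) for m in found if m)


def plugin_dependencies(hpi_bytes):
    """Parse plugin short names from the manifest's Plugin-Dependencies header."""
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    # JAR manifests wrap long headers at 72 bytes; a continuation line
    # starts with one space, so join those back before parsing.
    text = manifest.replace("\r\n", "\n").replace("\n ", "")
    for line in text.split("\n"):
        if line.startswith("Plugin-Dependencies:"):
            value = line.split(":", 1)[1].strip()
            return [d.split(":", 1)[0] for d in value.split(",") if d]
    return []


def audit(plugins, root):
    """Walk root's dependency tree and report every bundled json jar older
    than PUBLIC_DOMAIN_SINCE. plugins maps short name -> hpi bytes.
    Each plugin is visited once, so diamonds and cycles terminate.
    Returns a list of (plugin_name, version) in visiting order."""
    findings, seen, stack = [], set(), [root]
    while stack:
        name = stack.pop()
        if name in seen or name not in plugins:
            continue  # unknown names are dependencies we have no archive for
        seen.add(name)
        for version in bundled_json_versions(plugins[name]):
            if version < PUBLIC_DOMAIN_SINCE:
                findings.append((name, version))
        stack.extend(plugin_dependencies(plugins[name]))
    return findings


# ---- constructed fixtures (not real Jenkins plugins) ----------------------

def _wrap72(line):
    """Wrap a manifest header the way the jar tool does (72-byte lines)."""
    parts, rest = [line[:72]], line[72:]
    while rest:
        parts.append(" " + rest[:71])
        rest = rest[71:]
    return "\r\n".join(parts)


def make_hpi(deps, json_versions):
    """Build a minimal in-memory .hpi with the given dependencies and
    bundled json-YYYYMMDD.jar entries (empty files are enough for the audit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        dep_line = "Plugin-Dependencies: " + ",".join(f"{d}:1.0" for d in deps)
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n" + _wrap72(dep_line) + "\r\n\r\n")
        for v in json_versions:
            zf.writestr(f"WEB-INF/lib/json-{v}.jar", b"")
    return buf.getvalue()


# Hypothetical chain shaped like the one discussed in the thread; the
# versions and dependency edges here are made up for the example.
SAMPLE_PLUGINS = {
    "elastic-axis": make_hpi(["matrix-project"], []),
    "matrix-project": make_hpi(["junit"], []),
    "junit": make_hpi(["jackson2-api"], []),
    "jackson2-api": make_hpi([], [20230227]),
    "legacy-plugin": make_hpi([], [20190722]),
    "wide-plugin": make_hpi(
        ["matrix-project", "junit", "jackson2-api", "legacy-plugin"], []),
}


def sample_report():
    """Audit each sample root; only non-free findings are listed."""
    return {name: audit(SAMPLE_PLUGINS, name) for name in SAMPLE_PLUGINS}


if __name__ == "__main__":
    for name, findings in sample_report().items():
        print(name, "->", findings or "clean")
```

Two caveats. The script reports what each archive ships, not which copy of the library Jenkins' plugin classloaders actually serve at runtime, so it does not by itself answer the question raised above about jackson2-api's bundled json-20230227.jar versus an older version showing up in the analysis. It also matches on the jar file name only; a shaded or renamed copy of org.json would be missed, and a stricter audit would read the Maven pom.properties inside each jar instead.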