Discussion:
JSON License and Apache Projects
Thomas Vandahl
2016-11-25 08:50:09 UTC
Hi Georg,

does this affect fulcrum-json in any way?

Bye, Thomas.


-------- Forwarded Message --------
Subject: JSON License and Apache Projects
Date: Wed, 23 Nov 2016 09:10:39 -0500
From: Jim Jagielski <***@apache.org>
Reply-To: ***@apache.org
To: ASF Board <***@apache.org>

(forwarded from legal-discuss@)

As some of you may know, recently the JSON License has been
moved to Category X (https://www.apache.org/legal/resolved#category-x).

I understand that this has impacted some projects, especially
those in the midst of doing a release. I also understand that
up until now, really, there has been no real "outcry" over our
usage of it, especially from end-users and other consumers of
our projects which use it.

As compelling as that is, the fact is that the JSON license
itself is not OSI approved and is therefore not, by definition,
an "Open Source license" and, as such, cannot be considered as
one which is acceptable as related to categories.

Therefore, w/ my VP Legal hat on, I am making the following
statements:

o No new project, sub-project or codebase, which has not
used JSON licensed jars (or similar), are allowed to use
them. In other words, if you haven't been using them, you
aren't allowed to start. It is Cat-X.

o If you have been using it, and have done so in a *release*,
AND there has been NO pushback from your community/eco-system,
you have a temporary exclusion from the Cat-X classification thru
April 30, 2017. At that point in time, ANY and ALL usage
of these JSON licensed artifacts are DISALLOWED. You must
either find a suitably licensed replacement, or do without.
There will be NO exceptions.

o Any situation not covered by the above is an implicit
DISALLOWAL of usage.

Also please note that in the 2nd situation (where a temporary
exclusion has been granted), you MUST ensure that NOTICE explicitly
notifies the end-user that a JSON licensed artifact exists. They
may not be aware of it up to now, and that MUST be addressed.

If there are any questions, please ask on the legal-***@a.o
list.

--
Jim Jagielski
VP Legal Affairs




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@turbine.apache.org
For additional commands, e-mail: dev-***@turbine.apache.org
Georg Kallidis
2016-11-25 11:52:58 UTC
Hi Thomas,

YES and Turbine 4.x !

1) In SNAPSHOTS

Fulcrum Jackson2 1.1.1-SNAPSHOT dependency
- <groupId>com.fasterxml.jackson.datatype</groupId>
<artifactId>jackson-datatype-json-org</artifactId>

Fulcrum Gson 1.1.1-SNAPSHOT dependency
- <groupId>com.jayway.jsonpath</groupId>
<artifactId>json-path</artifactId>

Turbine 4 class
org.apache.turbine.services.jsonrpc.JSONProcessor

- dependency
+ <groupId>org.jabsorb</groupId>
<artifactId>jabsorb</artifactId>
<version>1.3.2</version>

2) RELEASED

Turbine 4 M2
s.a. T 4 class + dep

Turbine 4 M1
s.a T 4 class

+ <groupId>com.metaparadigm</groupId>
<artifactId>json-rpc</arti

What should we do? It's used as a mapping interface.

The snapshots could just switch to an alternative, e.g.

<groupId>com.vaadin.external.google</groupId>
<artifactId>android-json</artifactId>
<version>0.0.20131108.vaadin1</version>

or https://code.google.com/archive/p/json-simple/?

The latter one has the disadvantage of having a different package - using it
with a new turbine version and a released fulcrum or a new fulcrum and an
old turbine version might result in problems. As a result the former
alternative seems to be best, or isn't it?

How could we handle the released versions?

Best regards, Georg




Thomas Vandahl
2016-11-26 18:58:00 UTC
Hi Georg,

On 25.11.16 12:52, Georg Kallidis wrote:
> Fulcrum Jackson2 1.1.1-SNAPSHOT dependency
> - <groupId>com.fasterxml.jackson.datatype</groupId>
> <artifactId>jackson-datatype-json-org</artifactId>
>
> Fulcrum Gson 1.1.1-SNAPSHOT dependency
> - <groupId>com.jayway.jsonpath</groupId>
> <artifactId>json-path</artifactId>

Are these actually JSON-licensed? I thought the directly dependent
libraries have AL 2.0 licenses?

>
> Turbine 4 class
> org.apache.turbine.services.jsonrpc.JSONProcessor
>
> - dependency
> + <groupId>org.jabsorb</groupId>
> <artifactId>jabsorb</artifactId>
> <version>1.3.2</version>

According to the POM, this one is AL 2.0 licensed. However I don't know
about transient dependencies.

> The snapshots could just switch to an alternative, e.g.
>
> <groupId>com.vaadin.external.google</groupId>
> <artifactId>android-json</artifactId>
> <version>0.0.20131108.vaadin1</version>
>
> or https://code.google.com/archive/p/json-simple/?
>
> The latter one has the disadvantage having a different package - using it
> with a new turbine version and a released fulcrum or a new fulcrum and an
> old turbine version might result in problems. As a result the former
> alternative seems to be best, or isn't it?

Somehow, I don't like the idea of having Vaadin and/or Android stuff as
a dependency to Turbine. Do you believe that anyone else besides you and
me actually used this?

>
> How could we handle the released versions?
>

Released versions are *released* after all. We cannot call them back. I
don't know what is meant by the "temporary exclusion" but this is
generally what is accepted as a law of nature. I'll ask back on board@

Bye, Thomas



Georg Kallidis
2016-11-28 16:37:29 UTC
Hi Thomas,

yes, the two libraries are Apache 2.0 licensed and only the first one
(jackson-datatype-json-org) depends on
org.apache.geronimo.bundles:json:jar:20090211_1, which is a wrapper of the
offending library (BTW we are still Java 6 compatible).
The second one has indeed no transient / compile time dependency at all to
org.json packages (no wrapper, no JSON lib), but runtime dependency.
The org.jabsorb library on the other side has the org.json classes
included (!) with the offending license (2002 JSON.org, 2006 JSON org).
All three libraries are optional and thus not automatically included.
---
Nothing seems to be done for the Fulcrum modules.
As the org.jabsorb package does include the x-cat files we have probably
to do something there, at least if being an optional dependency is not
enough. Could we release a clean one or maybe adopt the code without this
package? Maybe as (repackaged) part of Fulcrum JSON?
As a result just including a fresh package would not suffice here, I am
afraid... I'll check legal-discuss also...

Best regards, Georg
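
Added example, not part of the original thread and not Turbine, Fulcrum or Jabsorb code: the message above notes that a jar whose POM declares Apache 2.0 can still carry org.json classes inside it, so POM license metadata alone does not settle the question. This sketch inspects jar contents directly; the jar names and contents are constructed, and using the JSON License's "Good, not Evil" clause as a text marker is an assumption.

```python
import io
import zipfile

ORG_JSON_PREFIX = "org/json/"  # package of the JSON-licensed classes named in the thread
# Assumption: the JSON License's distinctive clause serves as the text marker.
LICENSE_MARKER = b"shall be used for Good, not Evil"

def make_jar(entries):
    """Build an in-memory jar (zip) from {entry name: bytes}; sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

def scan_jar(jar_bytes):
    """Report bundled org.json classes and META-INF files carrying the marker."""
    bundled, license_files = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith(ORG_JSON_PREFIX) and name.endswith(".class"):
                bundled.append(name)
            elif name.upper().startswith("META-INF/") and not name.endswith("/"):
                if LICENSE_MARKER in jar.read(name):
                    license_files.append(name)
    return {"bundled_classes": sorted(bundled), "license_files": sorted(license_files)}

def flagged(jars):
    """Names of jars that need review: bundled classes or JSON License text."""
    return sorted(n for n, data in jars.items() if any(scan_jar(data).values()))

# Constructed sample jars (hypothetical names and contents, not real artifacts).
CLASS_STUB = b"\xca\xfe\xba\xbe"
SAMPLE_JARS = {
    "constructed-bundling.jar": make_jar({
        "com/example/rpc/Bridge.class": CLASS_STUB,
        "org/json/JSONObject.class": CLASS_STUB,
        "META-INF/LICENSE.txt": b"The Software shall be used for Good, not Evil.",
    }),
    "constructed-clean.jar": make_jar({
        "com/example/util/Mapper.class": CLASS_STUB,
        "META-INF/LICENSE.txt": b"Apache License, Version 2.0",
    }),
}

if __name__ == "__main__":
    for jar_name, data in SAMPLE_JARS.items():
        print(jar_name, scan_jar(data))
```

To check real artifacts, pass the bytes of each jar in the resolved dependency set to `scan_jar`; a hit on bundled classes means a dependency exclusion in the POM will not remove them.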



Georg Kallidis
2016-11-28 17:48:48 UTC
Hi Thomas,

if I think again about it, isn't Jabsorb then another wrapper around the offending lib? If so, we are clean, as Jabsorb is Apache 2.0 licensed.

This might be of interest for others as it's quite a lightweight bundle.

Best regards, Georg

