Skip to content

Consider replacing org.json in spring-boot-configuration-processor due to licence #5929

New issue
New issue
Closed
Closed
Consider replacing org.json in spring-boot-configuration-processor due to licence#5929
Assignees
philwebb
Labels
type: enhancementA general enhancement
Milestone
 
1.5.0 RC1
@jgoldhammer

Description

@jgoldhammer
jgoldhammer
opened on May 12, 2016

Using Spring Boot 1.3.4, we recognized that spring boot is using the json library.

Details here:
https://wiki.debian.org/qa.debian.org/jsonevil

Dependency graph:
--- org.springframework.boot:spring-boot-configuration-processor:1.3.4.RELEASE
+--- org.json:json:20140107
--- org.springframework:spring-core:4.2.4.RELEASE (*)

Activity

spring-projects-issues
added
status: waiting-for-triageAn issue we've not yet triaged
on May 12, 2016
philwebb
changed the title [-]Please replace non-free (!) org.json library with jackson in spring-boot-configuration-processor[/-] [+]Consider replacing org.json in spring-boot-configuration-processor due to licence[/+] on May 12, 2016
philwebb

philwebb commented on May 12, 2016

@philwebb
philwebb
on May 12, 2016
Member

That's a very annoying clause in the license. We intentionally chose something lightweight for the configuration processor since it's a compiler plugin. Perhaps json-simple might be an option.

You can always remove spring-boot-configuration-processor if it's causing a big legal issue for you (although you won't get generated meta-data).

philwebb
added
status: ideal-for-contributionAn issue that a contributor can help us with
for: team-attentionAn issue we'd like other members of the team to review
and removed
status: waiting-for-triageAn issue we've not yet triaged
on May 12, 2016
jgoldhammer

jgoldhammer commented on May 12, 2016

@jgoldhammer
jgoldhammer
on May 12, 2016
Author

Just started hacking on it and I hit some challenges:

  • org-json uses reflection to write deep objects as json
  • simple-son does not use reflection to write complex objects- it just uses toString which does not work for ItemMetadata class...

What do you think? Is rewriting the tests useful?

2016-05-12_22-44-34

snicoll

snicoll commented on May 13, 2016

@snicoll
snicoll
on May 13, 2016
Member

That's what the debian community states. Here is what the Apache foundation states

philwebb

philwebb commented on May 13, 2016

@philwebb
philwebb
on May 13, 2016
Member

@snicoll Interesting, thanks!

@jgoldhammer have you actually hit a legal issue here?

jgoldhammer

jgoldhammer commented on May 14, 2016

@jgoldhammer
jgoldhammer
on May 14, 2016 · edited by jgoldhammer
Author

No, we are just in preparation phase for an audit of our application and
just scanned the licences of the libraries we are using. I wanna make sure
that we have no findings in terms of licences....

What do you think, Phil?

Thanks,
Jens
Phil Webb notifications@github.com schrieb am Fr., 13. Mai 2016 um 22:41:

@snicoll https://github.com/snicoll Interesting, thanks!

@jgoldhammer https://github.com/jgoldhammer have you actually hit a
legal issue here?


You are receiving this because you were mentioned.

Reply to this email directly or view it on GitHub
#5929 (comment)

philwebb

philwebb commented on May 23, 2016

@philwebb
philwebb
on May 23, 2016
Member

Unless someone wants to step-up and migrate the code I hope that the Apache legal statement will be enough for most people. Don't forget that the configuration processor is only used at compile time and isn't usually distributed with your jar.

philwebb
added
status: on-holdWe can't start working on this issue yet
and removed
for: team-attentionAn issue we'd like other members of the team to review
on May 23, 2016
Davio

Davio commented on Nov 13, 2016

@Davio
Davio
on Nov 13, 2016

The statement by Apache was updated:
CAN APACHE PRODUCTS INCLUDE WORKS LICENSED UNDER THE JSON LICENSE?
No. As of 2016-11-03 this has been moved to the 'Category X' license list. Prior to this, use of the JSON Java library was allowed. See Debian's page for a list of alternatives.

philwebb
added
for: team-attentionAn issue we'd like other members of the team to review
on Nov 14, 2016

33 remaining items

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

Labels

type: enhancementA general enhancement

Type

No type

Projects

No projects

Milestone

Relationships

None yet

    Development

    No branches or pull requests

      Participants

      @snicoll@philwebb@wilkinsona@Davio@kartoffelsup

      Issue actions
        Consider replacing org.json in spring-boot-configuration-processor due to licence · Issue #5929 · spring-projects/spring-boot