Closed
Description
Using Spring Boot 1.3.4, we recognized that Spring Boot is using the json library.
Details here:
https://wiki.debian.org/qa.debian.org/jsonevil
Dependency graph:
--- org.springframework.boot:spring-boot-configuration-processor:1.3.4.RELEASE
+--- org.json:json:20140107
--- org.springframework:spring-core:4.2.4.RELEASE (*)
Activity
Title changed from "Please replace non-free (!) org.json library with jackson in spring-boot-configuration-processor" to "Consider replacing org.json in spring-boot-configuration-processor due to licence"
philwebb commented on May 12, 2016
That's a very annoying clause in the license. We intentionally chose something lightweight for the configuration processor since it's a compiler plugin. Perhaps json-simple might be an option.
You can always remove spring-boot-configuration-processor if it's causing a big legal issue for you (although you won't get generated meta-data).
jgoldhammer commented on May 12, 2016
Just started hacking on it and I hit some challenges:
What do you think? Is rewriting the tests useful?
snicoll commented on May 13, 2016
That's what the debian community states. Here is what the Apache foundation states
philwebb commented on May 13, 2016
@snicoll Interesting, thanks!
@jgoldhammer have you actually hit a legal issue here?
jgoldhammer commented on May 14, 2016
No, we are just in preparation phase for an audit of our application and
just scanned the licences of the libraries we are using. I wanna make sure
that we have no findings in terms of licences....
What do you think, Phil?
Thanks,
Jens
Phil Webb notifications@github.com wrote on Fri, 13 May 2016 at 22:41:
philwebb commented on May 23, 2016
Unless someone wants to step up and migrate the code, I hope that the Apache legal statement will be enough for most people. Don't forget that the configuration processor is only used at compile time and isn't usually distributed with your jar.
Davio commented on Nov 13, 2016
The statement by Apache was updated:
CAN APACHE PRODUCTS INCLUDE WORKS LICENSED UNDER THE JSON LICENSE?
No. As of 2016-11-03 this has been moved to the 'Category X' license list. Prior to this, use of the JSON Java library was allowed. See Debian's page for a list of alternatives.