-
Notifications
You must be signed in to change notification settings - Fork 41.2k
Consider replacing org.json in spring-boot-configuration-processor due to licence #5929
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
That's a very annoying clause in the license. We intentionally chose something lightweight for the configuration processor since it's a compiler plugin. Perhaps json-simple might be an option. You can always remove |
That's what the debian community states. Here is what the Apache foundation states |
@snicoll Interesting, thanks! @jgoldhammer have you actually hit a legal issue here? |
No, we are just in preparation phase for an audit of our application and What do you think, Phil? Thanks,
|
Unless someone wants to step-up and migrate the code I hope that the Apache legal statement will be enough for most people. Don't forget that the configuration processor is only used at compile time and isn't usually distributed with your jar. |
The statement by Apache was updated: |
I've started working on this -> kartoffelsup@c11f6d6 Replaced |
@kartoffelsup Yes please! |
There is indeed an issue with the writing of JSON with json-simple. Though if I'm not mistaken, the reflection serialization is only used/needed within the tests(?). I've added GSON to the test dependencies and used that to write the JSON for the tests and they run through fine. But I'm not sure if this is something we want to do. @philwebb @wilkinsona what do you think? |
I think a test only dependency on something more sophisticated is fine. I have a preference for using Jackson over GSON, though. Purely because Jackson is the default JSON library that's used elsewhere in the codebase. |
I guess it's not as simple as I had hoped. :( "defaultValue": [
w,
o,
r,
d
], which is invalid. This is due to the fact that '#toString' gets called if json-simple does not 'recognize' (have an instanceof check inside the writer for) the type. |
This might be an option skyscreamer/JSONassert@2f3576c |
Some public methods are now throwing |
@philwebb those |
OK, ignore me. I realized one of my tool was using a class from the configuration processor directly. Not really something that we should call public API. |
Update the open_source_licenses file to reflect the fact that the org.json library is no longer used. See gh-5929
Using Spring Boot 1.3.4, we recognized that spring boot is using the json library.
Details here:
https://wiki.debian.org/qa.debian.org/jsonevil
Dependency graph:
--- org.springframework.boot:spring-boot-configuration-processor:1.3.4.RELEASE
+--- org.json:json:20140107
--- org.springframework:spring-core:4.2.4.RELEASE (*)
The text was updated successfully, but these errors were encountered: