
Consider replacing org.json in spring-boot-configuration-processor due to licence #5929

Closed
@jgoldhammer

Description

@jgoldhammer

Using Spring Boot 1.3.4, we recognized that Spring Boot is using the json library.

Details here:
https://wiki.debian.org/qa.debian.org/jsonevil

Dependency graph:
--- org.springframework.boot:spring-boot-configuration-processor:1.3.4.RELEASE
+--- org.json:json:20140107
--- org.springframework:spring-core:4.2.4.RELEASE (*)

Activity

changed the title [-]Please replace non-free (!) org.json library with jackson in spring-boot-configuration-processor[/-] [+]Consider replacing org.json in spring-boot-configuration-processor due to licence[/+] on May 12, 2016
philwebb

philwebb commented on May 12, 2016

@philwebb
Member

That's a very annoying clause in the license. We intentionally chose something lightweight for the configuration processor since it's a compiler plugin. Perhaps json-simple might be an option.

You can always remove spring-boot-configuration-processor if it's causing a big legal issue for you (although you won't get generated meta-data).

jgoldhammer

jgoldhammer commented on May 12, 2016

@jgoldhammer
Author

Just started hacking on it and I hit some challenges:

  • org-json uses reflection to write deep objects as JSON
  • simple-json does not use reflection to write complex objects - it just uses toString, which does not work for the ItemMetadata class...

What do you think? Is rewriting the tests useful?

snicoll

snicoll commented on May 13, 2016

@snicoll
Member

That's what the Debian community states. Here is what the Apache foundation states.

philwebb

philwebb commented on May 13, 2016

@philwebb
Member

@snicoll Interesting, thanks!

@jgoldhammer have you actually hit a legal issue here?

jgoldhammer

jgoldhammer commented on May 14, 2016

@jgoldhammer
Author

No, we are just in preparation phase for an audit of our application and
just scanned the licences of the libraries we are using. I wanna make sure
that we have no findings in terms of licences....

What do you think, Phil?

Thanks,
Jens
Phil Webb notifications@github.com wrote on Fri, May 13, 2016 at 22:41:

@snicoll https://github.com/snicoll Interesting, thanks!

@jgoldhammer https://github.com/jgoldhammer have you actually hit a
legal issue here?



philwebb

philwebb commented on May 23, 2016

@philwebb
Member

Unless someone wants to step up and migrate the code, I hope that the Apache legal statement will be enough for most people. Don't forget that the configuration processor is only used at compile time and isn't usually distributed with your jar.

added status: on-hold (We can't start working on this issue yet) and removed for: team-attention (An issue we'd like other members of the team to review) on May 23, 2016
Davio

Davio commented on Nov 13, 2016

@Davio

The statement by Apache was updated:
CAN APACHE PRODUCTS INCLUDE WORKS LICENSED UNDER THE JSON LICENSE?
No. As of 2016-11-03 this has been moved to the 'Category X' license list. Prior to this, use of the JSON Java library was allowed. See Debian's page for a list of alternatives.
