Clarify the license of com.google.code.findbugs : jsr305 : 3.0.1 #128
Comments
|
The original JSR305 code was produced and distributed as BSD, which appears confirmed elsewhere in this repo. I suspect it's just being uploaded to Maven Central incorrectly, and whoever is uploading it needs to do a better job of labeling it with the right license in its POM. |
|
There is also the question raised in http://stackoverflow.com/a/36198568/1815832 about the license issues of using javax.annotations
|
|
@carlossg That is out of date. Since that time, the JSR305 page has published a specification, and this is the corresponding code which complies with that specification. |
|
@ctron - Were you able to resolve the licensing issue? |
|
Not really. |
|
@ctron What remains unclear? |
|
The original authors of the project did never reply to any inquery about the state of the license. |
|
@ctron Why do they need to respond? The fact that it is BSD is documented in numerous places, including in this findbugs repo. What remains unclear? |
|
The Eclipse Foundation wanted to confirm the license. The authors never responded. As we've seen before different locations seems to have different records on this library. The two possible solutions where to go with IntelliJ annotations or take it as an acceptable risk. The decision for the latter was made. |
|
I agree with @ctubbsii. It should be BSD as described in its license file. IMHO, license data in pom.xml like [1] is untrustable. Not only this artifact but also others have wrong discription. I recommend you to stop caring about this. |
Really - there is absolutely noting listed on https://jcp.org/en/jsr/detail?id=305 that confirms this in any official way whatsoever that I can find. A WIP drop of code is not an official spec, so @carlossg is correct and #88 stands. |
|
@jtnord I'm not a lawyer, so I can't advise on the proper interpretation of that Oracle binary license clause pertaining to redistributing the JRE. But, it seems to me that the intent was to permit redistribution of the JRE with JSR code, which are expected to use those package naming conventions. It also seems to me that the description of the JSR on that page you linked, specifying the behavior of the JSR, would constitute the "published specification" that license paragraph refers to. That JSR specifies the creation of these annotations, and this code complies with that specification by creating these annotations. So, by both intent and by a literal reading, I think there is no concern regarding the Oracle binary license. But, as I said, I'm not a lawyer. Regardless, I think that's a separate issue. This one seems resolved: The license is BSD. As for #88 , I think that should be discussed on that issue. |
|
@iloveeclipse Can you please give this group guidance on the Apache 2.0 vs. BSD vs. LGPL license question for jsr305? We want to make sure we understand how to comply with using it as you intended. Any help would be greatly appreciated! |
|
@spectejb : I'm neither a lawyer nor the author of the library, but looking at the original license files you will see that this is clearly BSD (https://opensource.org/licenses/BSD-3-Clause): https://github.com/amaembo/jsr-305/blob/master/ri/LICENSE Whoever put that thing into maven repo under the different license was just plain wrong. |
I found JSR305 is actually BSD-licensed, not Apache 2.0. Somehow there's wrong information in Maven POM. You can see the discussion regarding the JSR305 license here: - findbugsproject/findbugs#128 Co-authored-by: Anuraag Agrawal <anuraaga@gmail.com>
|
I noticed that https://github.com/findbugsproject/findbugs/blob/master/findbugs/licenses/LICENSE-jsr305.txt has a link to https://opensource.org/license/BSD-2-Clause but here http://code.google.com/p/jsr-305/ they have a link to https://opensource.org/license/BSD-3-Clause |
No, it doesn't. It has a link to http://www.opensource.org/licenses/bsd-license.php, which is an old link that presumably would have explained multiple BSD licenses. Now, those have separate pages and have "See also" links on them. This old link now redirects to the one for BSD-2-Clause, but you have to follow the "See also" link on the page to get to the 3-clause terms. You can't just pay attention to the links... those are there for convenience... you have to look at the name of the license. On that page, it specifically says "New BSD license", which is an alternate name for the BSD-3-Clause. So, that's just an old link that now redirects to the wrong place, not an incorrect description of the license. If you use the old link, you have to follow the subsequent links to the correct license. The findbugsproject file could be updated to use a newer link directly to BSD-3-Clause to make this less confusing, but it's not technically wrong. It does correctly say "New BSD license", which is the part that matters. I created PR #197 to update the link. |
|
@ctubbsii "See also" means "see also" and not "this is actually a BSD-3 license". I can not believe that a single lawyer will take what you've explained seriously. If it leads to BSD2 it is BSD2 and there is no ambiguity here.
|
Correct. |
|
@AlexanderBartash wrote:
That's not what I said. The correct license is the BSD-3-Clause (aka "New BSD license") because that's what its authors released it under, not because of the contents of any link, or even what the findbugs project says about it. My point about "see also" links was that, even though the correct license terms cannot directly be found at the provided link, they can be found by following an additional link.
The link leading to BSD2 doesn't make those terms applicable to JSR-305's redistribution. It just means the link is wrong. I'm not interested in your hypotheticals about what a lawyer will take seriously. If a lawyer can't understand the facts, I wouldn't hire them. Here are the facts:
I don't know why you shared the screenshot of the page; it added no new information. We already know that the link redirects to the wrong license, and I acknowledged that it is confusing. I created a PR to fix it. I'm not sure what you hope to accomplish by further arguing about it. |
The maven artifact containing the JSR 305 annotations on Maven Central [1] declares the Apache License 2 as the license to use for the JSR305 annotations. However, the FindBugs project states that all source code is licensed under the LGPL [2].
Which one is true?
[1] http://search.maven.org/#artifactdetails|com.google.code.findbugs|jsr305|3.0.1|jar
[2] http://findbugs.sourceforge.net/
The text was updated successfully, but these errors were encountered: