Clarify license implications for those who make custom jackson-core builds #1002

Closed
vlsi opened this issue Apr 28, 2023 · 14 comments

@vlsi

vlsi commented Apr 28, 2023

Jackson seems to redistribute fastdoubleparser in the shaded form.
fastdoubleparser's license requires that every redistribution include the copyright notice and the permissions.

See https://github.com/wrandelshofer/FastDoubleParser/blob/aeeab26365235cc2fbfb68fea2145a4b86a800fd/LICENSE#L12-L13

Unfortunately, jackson fails to comply with the license requirements.

I would suggest either to stop using the shaded dependency, or to include the relevant information in jackson's license that is already included in the release jar.

Is it really required to shade the parser? If you use a regular dependency, then the users can upgrade it in case of CVEs.

See a corresponding licensing issue at fastdoubleparser side: wrandelshofer/FastDoubleParser#38

vlsi changed the title from "jackson redistributes shaded fastdoubleparser without including the corresponding copyright notice and permissions" to "jackson violates fastdoubleparser license as the license requires to include the corresponding copyright notice and permissions" on Apr 28, 2023
@vlsi
Author

vlsi commented Apr 28, 2023

@cowtowncoder , it would be nice if you could incorporate it into 2.15.1 as well (e.g. either un-shade fastdoubleparser or include the proper licensing information for all the shaded dependencies).

@vlsi
Author

vlsi commented Apr 28, 2023

Looks like jackson uses a custom-licensed implementation: #577 (comment)

vlsi closed this as completed on Apr 28, 2023
vlsi changed the title from "jackson violates fastdoubleparser license as the license requires to include the corresponding copyright notice and permissions" to "Clarify license implications for those who make custom jackson-core builds" on Apr 28, 2023
vlsi reopened this on Apr 28, 2023
@vlsi
Author

vlsi commented Apr 28, 2023

Even though there was a custom agreement between fastdoubleparser and jackson-core developers, it is not clear what the exact terms of fastdoubleparser code in jackson-core are.

For instance, it is not clear if the agreement was for a single version only or for all fastdoubleparser versions.
It is not clear if others can build jackson-core and still get the same licensing preferences for fastdoubleparser.

From the consumer perspective, it would be so much easier if fastdoubleparser shadowing followed the regular procedure, so jackson-core would mention which software is shaded, mention the license, and so on.

@pjfanning
Member

@vlsi there is a PR that does just that - #1003

cowtowncoder added a commit that referenced this issue Apr 28, 2023
@wrandelshofer

@pjfanning Unfortunately PR #1003 is not sufficient.

You have to add 2 additional sections to the NOTICE file.

Like so:

fastfloat, Copyright (c) 2021 The fast_float authors. MIT License.
https://github.com/fastfloat/fast_float
https://github.com/fastfloat/fast_float/blob/dc88f6f882ac7eb8ec3765f633835cb76afa0ac2/LICENSE-MIT

bigint, Copyright 2020 Tim Buktu. 2-clause BSD License.
https://github.com/tbuktu/bigint/tree/floatfft
https://github.com/tbuktu/bigint/blob/617c8cd8a7c5e4fb4d919c6a4d11e2586107f029/LICENSE
(We only use those portions of the bigint project that can be licensed under 2-clause BSD License.)

Instead of the perma-links to the license files, you have to paste the license file contents.

I think, the bigint project violates its own license terms by not including the 2-clause BSD license text. So, I made one by myself:
https://github.com/wrandelshofer/FastDoubleParser/blob/a5eb036dd909c7d167219c7ee60c5454b2061926/bigint-LICENSE

@pjfanning
Member

@wrandelshofer thanks - I'll review these extra bits over the coming days. I'll be travelling so it might take a few days.

Do the extra copyrights also apply to older versions of your lib (eg 0.6.0)? We have a still supported version of Jackson (2.14) that uses an older copy of your code. The latest line of Jackson (2.15) uses your 0.8.0 but shades the classes instead of having a checked in copy of your code. We can update this Jackson 2.15 line to use any updated jars you publish. We will still update our notice and license files regardless.

@wrandelshofer

Yes, it also applies to 0.6.0.

I am going to check through all references in the code.

I just found one more reference in the code (project fast_double_parser). Also I licensed fast_float and fast_double_parser under Apache 2.0 at the time. I'll update this thread today or tomorrow.

@wrandelshofer

After scrutinizing the code: this is what you need to include in your notice:

fast_double_parser, Copyright (c) 2022 Daniel Lemire. Apache 2.0 License.
https://github.com/fastfloat/fast_float
https://github.com/fastfloat/fast_float/blob/dc88f6f882ac7eb8ec3765f633835cb76afa0ac2/LICENSE-APACHE

fast_float, Copyright (c) 2021 The fast_float authors. Apache 2.0 License.
https://github.com/fastfloat/fast_float
https://github.com/lemire/fast_double_parser/blob/07d9189a8fb815fe800cb15ca022e7a07093236e/LICENSE

bigint, Copyright 2020 Tim Buktu. 2-clause BSD License.
https://github.com/tbuktu/bigint/tree/floatfft
https://github.com/tbuktu/bigint/blob/617c8cd8a7c5e4fb4d919c6a4d11e2586107f029/LICENSE
(We only use those portions of the bigint project that can be licensed under 2-clause BSD License.)

There is a folder in the FastDoubleParser project, that contains code from yet another project. But this code is not part of any release of FastDoubleParser. So, I believe, you do not need to reference that project:
https://github.com/wrandelshofer/FastDoubleParser/tree/main/supplemental_test_files

@cowtowncoder
Member

Happy to merge these whenever.

Just one quick question: I am thinking of releasing 2.14.3 patch soon -- @wrandelshofer / @pjfanning do you think updated NOTICE there is good to go, based on above discussion? I can wait if need be, just want to know if that is necessary.
2.15 branch won't be ready for release as quickly anyway so that's fine.

@wrandelshofer

No, in #1003 the NOTICE is not perfect, and the FastDoubleParser-LICENSE is not the correct one.

Proposed fix:

@pjfanning
Member

We should update 2.14. If 2.14.3 is going out this weekend, I can cobble together a better license tonight or tomorrow. If we can wait a few days, we might be a tad better off.

@cowtowncoder
Member

@pjfanning Did not mean to create a crisis: taking time is perfectly fine. I probably won't have time to do release tomorrow anyway. So let's get it done right.

@wrandelshofer

I have now published v0.9.0 of FastDoubleParser. This version includes the required NOTICE and LICENSE files in the META-INF folder of its Jar files.
https://central.sonatype.com/artifact/ch.randelshofer/fastdoubleparser/0.9.0
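
A check for the packaging described in the comment above, as an added example that is not part of the thread or of either project's code: it opens a jar, looks under META-INF for NOTICE and LICENSE files, and reports which of the components named in this thread lack an attribution line. The helper names, the file-name matching rule, the `name, Copyright ...` line format and the in-memory sample jars are assumptions made for the example.

```python
import io
import zipfile

# Component names as they appear in the NOTICE text posted in this thread.
REQUIRED = ("fast_double_parser", "fast_float", "bigint")

def make_jar(entries):
    """Build an in-memory jar (zip) from {entry_name: text}; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

def attributed_components(notice_text):
    """Names from lines shaped like 'name, Copyright ...' (assumed format)."""
    names = set()
    for line in notice_text.splitlines():
        head, sep, rest = line.partition(",")
        if sep and "copyright" in rest.lower():
            names.add(head.strip().lower())
    return names

def audit_jar(jar_bytes, required=REQUIRED):
    """Report whether META-INF carries NOTICE/LICENSE files and who is missing."""
    notice, has_license = "", False
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.startswith("META-INF/") or name.endswith("/"):
                continue
            base = name.rsplit("/", 1)[-1].upper()
            if "NOTICE" in base:
                notice += jar.read(name).decode("utf-8", "replace") + "\n"
            elif "LICENSE" in base:
                has_license = True
    found = attributed_components(notice)
    return {"has_notice": bool(notice.strip()), "has_license": has_license,
            "missing": [c for c in required if c not in found]}

# Constructed sample jars; the class entry path and LICENSE body are placeholders.
NOTICE_FULL = (
    "fast_double_parser, Copyright (c) 2022 Daniel Lemire. Apache 2.0 License.\n"
    "fast_float, Copyright (c) 2021 The fast_float authors. Apache 2.0 License.\n"
    "bigint, Copyright 2020 Tim Buktu. 2-clause BSD License.\n")
COMPLETE = make_jar({"example/shaded/Parser.class": "", "META-INF/NOTICE": NOTICE_FULL,
                     "META-INF/LICENSE": "<license text placeholder>"})
PARTIAL = make_jar({"example/shaded/Parser.class": "",
                    "META-INF/NOTICE": "bigint, Copyright 2020 Tim Buktu. 2-clause BSD License.\n"})

if __name__ == "__main__":
    print(audit_jar(COMPLETE))
    print(audit_jar(PARTIAL))
```

To audit a real artifact, pass the bytes of the jar file to `audit_jar`; a shaded build should be checked after shading, since that is the file that gets redistributed.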

@cowtowncoder
Member

Assuming necessary work completed by now; closing.
