[Java] EPL Dependencies #40896
Comments
|
Sorry about this. We were trying to eliminate a dependency on Netty from the core. Looking around I think our only choice is to use stdlib map and accept any potential performance hit, or to vendor the Netty implementation of this collection. |
|
We also need to set up similar CI to prevent issues like this in the future. |
|
Thanks for the quick feedback - it is actually good from our point of view to hear that this is not intentional! Is there any chance the fix will be in version 16 or is it too late for that now? For license scans we use Gradle-License-Report for Java, pip-licenses for Python and license-checker-rseidelsohn for JavaScript - appreciate you have a lot more languages to worry about! |
lidavidm
added
the
Critical Fix
|
I'm going to try to get this in ASAP. Actually, I just labeled this as a critical fix. I put together a basic Java-only license scan already. My schedule is about to go pear-shaped but hopefully I can get this done tonight/tomorrow. |
|
Thanks for the report. We have several Maven plugins that can check the license (rat doesn't check the license by its own). I will take a look to detect this (we should accept Cat A licenses by default, Cat B should be discussed, Cat X is not allowed). |
|
I explicitly added the blocker label because I'm not sure if our scripts treat critical fix as a blocker. I think that label is more for call outs in the release notes cc @raulcd |
Thanks @assignUser ! I agree. I will take a look on this one as well. |
) ### Rationale for this change Remove runtime dependencies on [Category B](https://apache.org/legal/resolved.html#category-b) dependencies. ### What changes are included in this PR? - logback: move to test-only - eclipse: remove dependency, vendor the Netty implementation we originally used I wanted to remove javax.annotation.Generated but gRPC doesn't yet let us do that (grpc/grpc-java#9179). That's ~okay though since effectively that's a build only dependency. ### Are these changes tested? #40901 ### Are there any user-facing changes? No. **This PR contains a "Critical Fix".** License issues do not cause runtime issues but are important as an Apache project. * GitHub Issue: #40896 Authored-by: David Li <li.davidm96@gmail.com> Signed-off-by: Sutou Kouhei <kou@clear-code.com>
|
Issue resolved by pull request 40904 |
|
Thank you so much for the quick response - I look forward to getting the fix in 16.0! |
apache#40904) Remove runtime dependencies on [Category B](https://apache.org/legal/resolved.html#category-b) dependencies. - logback: move to test-only - eclipse: remove dependency, vendor the Netty implementation we originally used I wanted to remove javax.annotation.Generated but gRPC doesn't yet let us do that (grpc/grpc-java#9179). That's ~okay though since effectively that's a build only dependency. No. **This PR contains a "Critical Fix".** License issues do not cause runtime issues but are important as an Apache project. * GitHub Issue: apache#40896 Authored-by: David Li <li.davidm96@gmail.com> Signed-off-by: Sutou Kouhei <kou@clear-code.com>
|
You can remove the generated annotation now |
apache#40904) Remove runtime dependencies on [Category B](https://apache.org/legal/resolved.html#category-b) dependencies. - logback: move to test-only - eclipse: remove dependency, vendor the Netty implementation we originally used I wanted to remove javax.annotation.Generated but gRPC doesn't yet let us do that (grpc/grpc-java#9179). That's ~okay though since effectively that's a build only dependency. No. **This PR contains a "Critical Fix".** License issues do not cause runtime issues but are important as an Apache project. * GitHub Issue: apache#40896 Authored-by: David Li <li.davidm96@gmail.com> Signed-off-by: Sutou Kouhei <kou@clear-code.com>
|
@martin-traverse @lidavidm FYI, Eclipse Collections is dual licensed under EPL 1.0 and EDL 1.0 (Eclipse Distribution License), which is listed under the link of Category A licenses you submitted in this issue. One of the biggest users of Eclipse Collections is the Legend project which is also a FINOS project. Note: I am the creator of Eclipse Collections. Thanks! |
|
Aha, good to know. Thanks for chiming in - I saw the report and just wanted to make sure we avoided any potential problems even if it turned out to be a false alarm. (In the end, we only need 1 class so vendoring was probably preferable in any case.) |
|
@lidavidm You're welcome. I was curious to understand why Apache Arrow had a dependency on Eclipse Collections which is how I found this issue, albeit a bit too late unfortunately to save the effort. Using one of the primitive collections like I certainly appreciate every project's desire and challenge to reduce runtime dependencies. I found the PR that introduced the Eclipse Collections dependency six months ago and it simultaneously removed Netty Common as a dependency. There was a specific difference in the @martin-traverse I would appreciate if you would let me know if there is an issue with Gradle License Report picking up dual licenses, or if there is something we can address in Eclipse Collections to make sure this doesn't happen to others in the future thinking they have to use the EPL license when the EDL license is there to provide flexibility to consumers of the library. Thanks! |
|
@donraab Hi. The EPL license is Cat B at ASF, meaning that it could be possible as binary, but avoided in source (https://www.apache.org/legal/resolved.html). As EDL is a kind of BSD-3 license, it's a Cat A, so no problem to be included/used in Apache project. |
|
@jbonofre Thanks! Eclipse Collections is dual-licensed with EDL for this reason so folks shouldn't have issues including it as a dependency. I am a bit concerned now if automated scanners are picking up EPL and ignoring EDL as the more permissive option. Hoping if there is something we can do to address it in Eclipse Collections we'll create an issue and fix it. |
|
@donraab yeah, agree some scanners are not smart enough to deal with dual licenses 😄 |
|
@donraab apologies you are correct, EDL is available as an option and classed as category A by FINOS, we have just not configured it in our license scanning setup. I had not come across EDL before and was not aware it had different terms from EPL, until now. Still I agree with @lidavidm - removing the dependency is a good idea anyway to keep the tree small. Managing version updates, conflicts and security patches in the dependency tree is a big issue for us, for this reason keeping the tree as lean as possible is one of our guiding design principles. Obviously there is a balance to be struck, we try to stick to self-contained package families where possible, so bringing in a foundational lib like this from a different family would go against the grain for us in this particular project. For a project like Arrow, where you don't know what stack the client apps will be using, a small, un-opinionated dependency tree is even more important IMO. It's one of the reasons we went with Arrow in the first place. |
|
@martin-traverse @lidavidm Here's a link to the change that I explained in a previous comment may have been lost with this Netty / Eclipse Collections dependency shuffle / removals. There was a values implementation in This was replaced with current implementation of Now that Netty Thanks! |
|
Ah sorry, thanks for the reminder @vibhatha do you think you could put in the fix sometime? |
|
@lidavidm I followed the thread. I think I should be able to, but probably next week? |
|
sure, there's no rush |
|
Thanks! |
### What changes were proposed in this pull request? The pr aims to upgrade `Arrow` from `15.0.2` to `16.0.0`. ### Why are the changes needed? https://arrow.apache.org/release/16.0.0.html SPARK-46718 and SPARK-47531 upgraded the arrow version from 14 to 15, and 15 introduced the `eclipse-collections` dependency. apache/arrow#40896 ### Does this PR introduce _any_ user-facing change? No ### How was this patch tested? GA ### Was this patch authored or co-authored using generative AI tooling? No Closes #46214 from cxzl25/SPARK-47981. Authored-by: sychen <sychen@ctrip.com> Signed-off-by: Kent Yao <yao@apache.org>
apache#40904) ### Rationale for this change Remove runtime dependencies on [Category B](https://apache.org/legal/resolved.html#category-b) dependencies. ### What changes are included in this PR? - logback: move to test-only - eclipse: remove dependency, vendor the Netty implementation we originally used I wanted to remove javax.annotation.Generated but gRPC doesn't yet let us do that (grpc/grpc-java#9179). That's ~okay though since effectively that's a build only dependency. ### Are these changes tested? apache#40901 ### Are there any user-facing changes? No. **This PR contains a "Critical Fix".** License issues do not cause runtime issues but are important as an Apache project. * GitHub Issue: apache#40896 Authored-by: David Li <li.davidm96@gmail.com> Signed-off-by: Sutou Kouhei <kou@clear-code.com>
apache#40904) ### Rationale for this change Remove runtime dependencies on [Category B](https://apache.org/legal/resolved.html#category-b) dependencies. ### What changes are included in this PR? - logback: move to test-only - eclipse: remove dependency, vendor the Netty implementation we originally used I wanted to remove javax.annotation.Generated but gRPC doesn't yet let us do that (grpc/grpc-java#9179). That's ~okay though since effectively that's a build only dependency. ### Are these changes tested? apache#40901 ### Are there any user-facing changes? No. **This PR contains a "Critical Fix".** License issues do not cause runtime issues but are important as an Apache project. * GitHub Issue: apache#40896 Authored-by: David Li <li.davidm96@gmail.com> Signed-off-by: Sutou Kouhei <kou@clear-code.com>
apache#40904) ### Rationale for this change Remove runtime dependencies on [Category B](https://apache.org/legal/resolved.html#category-b) dependencies. ### What changes are included in this PR? - logback: move to test-only - eclipse: remove dependency, vendor the Netty implementation we originally used I wanted to remove javax.annotation.Generated but gRPC doesn't yet let us do that (grpc/grpc-java#9179). That's ~okay though since effectively that's a build only dependency. ### Are these changes tested? apache#40901 ### Are there any user-facing changes? No. **This PR contains a "Critical Fix".** License issues do not cause runtime issues but are important as an Apache project. * GitHub Issue: apache#40896 Authored-by: David Li <li.davidm96@gmail.com> Signed-off-by: Sutou Kouhei <kou@clear-code.com>
apache#40904) ### Rationale for this change Remove runtime dependencies on [Category B](https://apache.org/legal/resolved.html#category-b) dependencies. ### What changes are included in this PR? - logback: move to test-only - eclipse: remove dependency, vendor the Netty implementation we originally used I wanted to remove javax.annotation.Generated but gRPC doesn't yet let us do that (grpc/grpc-java#9179). That's ~okay though since effectively that's a build only dependency. ### Are these changes tested? apache#40901 ### Are there any user-facing changes? No. **This PR contains a "Critical Fix".** License issues do not cause runtime issues but are important as an Apache project. * GitHub Issue: apache#40896 Authored-by: David Li <li.davidm96@gmail.com> Signed-off-by: Sutou Kouhei <kou@clear-code.com>
### What changes were proposed in this pull request? The pr aims to upgrade `Arrow` from `15.0.2` to `16.0.0`. ### Why are the changes needed? https://arrow.apache.org/release/16.0.0.html SPARK-46718 and SPARK-47531 upgraded the arrow version from 14 to 15, and 15 introduced the `eclipse-collections` dependency. apache/arrow#40896 ### Does this PR introduce _any_ user-facing change? No ### How was this patch tested? GA ### Was this patch authored or co-authored using generative AI tooling? No Closes apache#46214 from cxzl25/SPARK-47981. Authored-by: sychen <sychen@ctrip.com> Signed-off-by: Kent Yao <yao@apache.org>
# 🔍 Description A regular dependency upgrading, additionally, Arrow 15 introduced the eclipse-collections dependencies but removed in Arrow 16. apache/arrow#40896 Note: This PR upgrades Arrow to 16.0.0 instead of 16.1.0 due to apache/arrow#41717 ## Types of changes 🔖 - [ ] Bugfix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to change) ## Test Plan 🧪 Pass GHA --- # Checklist 📝 - [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html) **Be nice. Be informative.** Closes #6391 from pan3793/arrow-16. Closes #6391 d8ea702 [Cheng Pan] 16.0.0 8a8bc46 [Cheng Pan] Bump Arrow from 15.0.2 to 16.1.0 Authored-by: Cheng Pan <chengpan@apache.org> Signed-off-by: Cheng Pan <chengpan@apache.org>
apache#40904) ### Rationale for this change Remove runtime dependencies on [Category B](https://apache.org/legal/resolved.html#category-b) dependencies. ### What changes are included in this PR? - logback: move to test-only - eclipse: remove dependency, vendor the Netty implementation we originally used I wanted to remove javax.annotation.Generated but gRPC doesn't yet let us do that (grpc/grpc-java#9179). That's ~okay though since effectively that's a build only dependency. ### Are these changes tested? apache#40901 ### Are there any user-facing changes? No. **This PR contains a "Critical Fix".** License issues do not cause runtime issues but are important as an Apache project. * GitHub Issue: apache#40896 Authored-by: David Li <li.davidm96@gmail.com> Signed-off-by: Sutou Kouhei <kou@clear-code.com>
Describe the bug, including details regarding any error messages, version, and platform.
Hi,
Please could I ask when and why the Eclipse Collections dependencies were introduced? This puts EPL dependencies into the dependency tree. Our clients are in the financial sector and these kind of licensing issues often cause a lot more pain that you might think they should!
We are a FINOS project and use their license classification scheme which is available here:
https://community.finos.org/docs/governance/software-projects/license-categories/
I see Apache has a similar policy:
https://apache.org/legal/resolved.html
The EPL is category B for both FINOS and Apache. We picked this up because it flagged with our license checks in CI. Although we can add an exception and start reproducing the license in NOTICE and LICENSE files, including it in our distribution packages etc., this doesn't help when clients have their own license scanning and acceptance process for getting software into the enterprise. For this reason, we generally try to stick to "Category A" licenses and count anything that pulls in category B dependencies as being category B. (We do use category B for testing, compliance checks and other non-shipped components).
Please can you share some info on the reasoning around this decision? Is there any appetite to reverse if the touch points are small and/or there are alternatives available, perhaps something from Apache Commons? More generally, do you have a view on your policy towards category B licenses going forward?
I'll be very interested to hear your thoughts on this subject!
Component(s)
Java
The text was updated successfully, but these errors were encountered: