Licensing problem with Adobe's xmp-core >= 5.1.2 #502
Comments
Hi @tballison, thanks for reaching out about this. From the discussion on the TIKA issue, there is some suggestion that perhaps https://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.html applies and that the library is available under the terms of the BSD license. Do you know whether that is the case?
Sorry for my delay! It is available under BSD3, but our user correctly objected to the contradictory license that was included in the jar. 6.1.11 is now available, and the jar contains no license so the EULA applies without contradiction.
Somewhat oddly 6.1.11 continues with the .internal. namespace, but this won't be a problem for you! Again, many thanks!
Fantastic. I've pushed an update. Thanks very much Tim.
Has anyone found the Java source code for 6.1.11? If so, I could go over it and update the XmpCore dotnet project to (more or less) match. |
Over on https://issues.apache.org/jira/browse/TIKA-3204, a user pointed out that versions of xmpcore >= 5.1.2 include
The problem is that 5.1.2 is vulnerable to an XXE and versions < 6.? are vulnerable to a DoS with too many entities as children of photoshop:DocumentAncestors.
The best solution would be for Adobe to release an update of their latest that fixes the licensing issue.
We've made some inquiries...but that'll probably take some time.
A crummy solution would be to fork 5.1.2, fix the XXE and DoS, but we'd be missing a bunch of improvements, and that'd change the namespace...
I don't have a solution, but I did want to notify you of this licensing problem.
As always, thank you so very much for metadata-extractor!!!