Clarify the license of com.google.code.findbugs : jsr305 : 3.0.1 #128

Closed
ctron opened this issue Sep 30, 2016 · 14 comments

@ctron

ctron commented Sep 30, 2016

The maven artifact containing the JSR 305 annotations on Maven Central [1] declares the Apache License 2 as the license to use for the JSR305 annotations. However, the FindBugs project states that all source code is licensed under the LGPL [2].

Which one is true?

[1] http://search.maven.org/#artifactdetails|com.google.code.findbugs|jsr305|3.0.1|jar
[2] http://findbugs.sourceforge.net/

@ctubbsii

The original JSR305 code was produced and distributed as BSD, which appears confirmed elsewhere in this repo. I suspect it's just being uploaded to Maven Central incorrectly, and whoever is uploading it needs to do a better job of labeling it with the right license in its POM.

@carlossg

There is also the question raised in http://stackoverflow.com/a/36198568/1815832 about the license issues of using javax.annotations

If you are distributing a JRE then as you already know you need to comply with the Oracle Java Binary License.

You may want to refresh yourself with the terms of that license, specifically:

F. JAVA TECHNOLOGY RESTRICTIONS. You may not create, modify, or change the behavior of, or authorize your licensees to create, modify, or change the behavior of, classes, interfaces, or subpackages that are in any way identified as "java", "javax", "sun", “oracle” or similar convention as specified by Oracle in any naming convention designation.

So if you are distributing a JRE and the same distribution includes a jar file that defines classes in a javax subpackage, unless the classes comply with a specification released and published by a JSR, you are not complying with the terms of the Oracle Java Binary License.

At this point in time that JSR 305 has not published anything

@ctubbsii

@carlossg That is out of date. Since that time, the JSR305 page has published a specification, and this is the corresponding code which complies with that specification.

@spectejb

spectejb commented Feb 8, 2017

@ctron - Were you able to resolve the licensing issue?

@ctron
Author

ctron commented Feb 8, 2017

Not really.

@ctubbsii

ctubbsii commented Feb 8, 2017

@ctron What remains unclear?

@ctron
Author

ctron commented Feb 10, 2017

The original authors of the project never replied to any inquiry about the state of the license.

@ctubbsii

@ctron Why do they need to respond? The fact that it is BSD is documented in numerous places, including in this findbugs repo. What remains unclear?

@ctron
Author

ctron commented Feb 10, 2017

The Eclipse Foundation wanted to confirm the license. The authors never responded. As we've seen before, different locations seem to have different records on this library.

The two possible solutions were to go with IntelliJ annotations or take it as an acceptable risk. The decision for the latter was made.

@KengoTODA
Contributor

I agree with @ctubbsii. It should be BSD as described in its license file.

IMHO, license data in pom.xml like [1] is untrustable. Not only this artifact but also others have a wrong description. I recommend you to stop caring about this.
About [2], this is license of FindBugs itself, not this JSR305 artifact.

@jtnord

jtnord commented Feb 18, 2017

@ctubbsii

> That is out of date. Since that time, the JSR305 page has published a specification, and this is the corresponding code which complies with that specification.

Really - there is absolutely nothing listed on https://jcp.org/en/jsr/detail?id=305 that confirms this in any official way whatsoever that I can find. A WIP drop of code is not an official spec, so @carlossg is correct and #88 stands.

@ctubbsii

@jtnord I'm not a lawyer, so I can't advise on the proper interpretation of that Oracle binary license clause pertaining to redistributing the JRE. But, it seems to me that the intent was to permit redistribution of the JRE with JSR code, which are expected to use those package naming conventions. It also seems to me that the description of the JSR on that page you linked, specifying the behavior of the JSR, would constitute the "published specification" that license paragraph refers to. That JSR specifies the creation of these annotations, and this code complies with that specification by creating these annotations. So, by both intent and by a literal reading, I think there is no concern regarding the Oracle binary license. But, as I said, I'm not a lawyer.

Regardless, I think that's a separate issue. This one seems resolved: The license is BSD.

As for #88, I think that should be discussed on that issue.

@spectejb

@iloveeclipse Can you please give this group guidance on the Apache 2.0 vs. BSD vs. LGPL license question for jsr305? We want to make sure we understand how to comply with using it as you intended.

Any help would be greatly appreciated!

@iloveeclipse
Member

@spectejb : I'm neither a lawyer nor the author of the library, but looking at the original license files you will see that this is clearly BSD (https://opensource.org/licenses/BSD-3-Clause):

https://github.com/amaembo/jsr-305/blob/master/ri/LICENSE
https://github.com/findbugsproject/findbugs/blob/3.0.1/findbugs/licenses/LICENSE-jsr305.txt

Whoever put that thing into maven repo under the different license was just plain wrong.
Unfortunately the original JSR-305 author @billpugh never responds to any questions related to JSR-305, but you can try to contact him on twitter (https://twitter.com/wpugh), maybe you have more luck.

trustin pushed a commit to line/armeria that referenced this issue Jan 20, 2021
I found JSR305 is actually BSD-licensed, not Apache 2.0.
Somehow there's wrong information in Maven POM. 

You can see the discussion regarding the JSR305 license here:
- findbugsproject/findbugs#128

Co-authored-by: Anuraag Agrawal <anuraaga@gmail.com>