
Suspend Crowd2 integration plugin due to closed source dependency #3854

Closed
MarkEWaite opened this issue Dec 8, 2023 · 2 comments · Fixed by jenkins-infra/update-center2#755

MarkEWaite commented Dec 8, 2023

Service(s)

Update center

Summary

The Crowd2 integration plugin is using dependencies that are closed source and are not licensed with an OSI approved open source license. The Jenkins project governance document and the hosting page state that we deliver plugins with open source licenses.

We should suspend distribution of the Crowd2 integration plugin.

The specific license of concern is:

The Atlassian EULA 3.0 links to the same license agreement.

From the /plugin/crowd2/wrapper/thirdPartyLicenses page of a Jenkins installation that includes the crowd2 plugin:

Using the Atlassian Customer Agreement:

  • com.atlassian.crowd:crowd-integration-api:5.1.5
  • com.atlassian.crowd:crowd-integration-client-rest:5.1.5
  • com.atlassian.crowd:embedded-crowd-api:5.1.5
  • com.atlassian.crowd:crowd-integration-client-common:5.1.5

Using the Atlassian 3.0 End User License Agreement:

  • com.atlassian.collectors:atlassian-collectors-util:1.1

Reproduction steps

  1. Install Jenkins 2.426.1 (or any other recent Jenkins version)
  2. Install the Crowd2 integration plugin
  3. Open the /plugin/crowd2/wrapper/thirdPartyLicenses URL and confirm that you see something like this:

[Screenshot: the /plugin/crowd2/wrapper/thirdPartyLicenses page of a test Jenkins instance, captured 2023-12-08]

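The reproduction steps above rely on a person reading the thirdPartyLicenses page by eye. The following is an added example, not code from the Jenkins project or the crowd2 plugin, of how that check could be automated as a supply-chain policy gate: it parses the "Using the <license>:" sections of a report in the same shape as the page quoted in the issue, and flags every Maven coordinate whose license is not on an approved open source list. The allowlist, the sample report text and the function names are constructed assumptions for the example; a real gate would key on SPDX identifiers rather than free-text license names.

```python
"""Flag third-party dependencies whose license is not on an approved list.

Added example for this issue; not code from the Jenkins project or the
crowd2 plugin.  The input format mimics the text of the
/plugin/crowd2/wrapper/thirdPartyLicenses page quoted in the issue:
"Using the <license>:" headers followed by bulleted Maven coordinates.
The allowlist and the sample report are constructed for the example.
"""

import re
from dataclasses import dataclass

# Constructed allowlist of license names treated as approved open source.
# A real policy would map to SPDX identifiers / the OSI-approved list.
APPROVED_LICENSES = {
    "Apache License 2.0",
    "MIT License",
    "BSD 3-Clause",
    "Eclipse Public License 2.0",
}

# Constructed sample report, modelled on the text quoted in the issue.
SAMPLE_REPORT = """\
Using the Apache License 2.0:

  • org.example:some-lib:1.0.0

Using the Atlassian Customer Agreement:

  • com.atlassian.crowd:crowd-integration-api:5.1.5
  • com.atlassian.crowd:embedded-crowd-api:5.1.5

Using the Atlassian 3.0 End User License Agreement

  • com.atlassian.collectors:atlassian-collectors-util:1.1
"""

# Section header: "Using the <license>" with an optional trailing colon.
HEADER_RE = re.compile(r"^Using the (?P<license>.+?):?\s*$")
# Bulleted Maven coordinate: groupId:artifactId:version.
COORD_RE = re.compile(r"^\s*[•*-]\s*(?P<coord>[^:\s]+:[^:\s]+:[^\s]+)\s*$")


@dataclass(frozen=True)
class Dependency:
    coordinate: str
    license: str


def parse_report(text):
    """Return the (coordinate, license) pairs found in a report text.

    Coordinates that appear before any header are recorded with the
    license "UNKNOWN" so that they are never silently approved.
    """
    current = "UNKNOWN"
    deps = []
    for line in text.splitlines():
        header = HEADER_RE.match(line.strip())
        if header:
            current = header.group("license").strip()
            continue
        coord = COORD_RE.match(line)
        if coord:
            deps.append(Dependency(coord.group("coord"), current))
    return deps


def find_unapproved(deps, approved=APPROVED_LICENSES):
    """Return the dependencies whose license is not on the allowlist."""
    return [d for d in deps if d.license not in approved]


def should_suspend(report_text, approved=APPROVED_LICENSES):
    """Policy decision: suspend distribution if any dependency is unapproved."""
    return bool(find_unapproved(parse_report(report_text), approved))


if __name__ == "__main__":
    for dep in find_unapproved(parse_report(SAMPLE_REPORT)):
        print(f"UNAPPROVED {dep.coordinate}  ({dep.license})")
    print("suspend:", should_suspend(SAMPLE_REPORT))
```

Because the decision is driven by an allowlist rather than a denylist, a dependency under a license the checker has never seen (or one listed before any header) is reported rather than waved through, which is the safe default for a distribution gate.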
@MarkEWaite MarkEWaite added the triage Incoming issues that need review label Dec 8, 2023
@MarkEWaite MarkEWaite removed the triage Incoming issues that need review label Dec 8, 2023
@MarkEWaite MarkEWaite changed the title Suspend distribution of Crowd2 integration plugin because it uses a closed source dependency Suspend Crowd2 integration plugin because of closed source dependency Dec 8, 2023
@MarkEWaite MarkEWaite changed the title Suspend Crowd2 integration plugin because of closed source dependency Suspend Crowd2 integration plugin due to closed source dependency Dec 8, 2023
basil commented Dec 8, 2023

https://bitbucket.org/atlassian/crowd-rest-client/src/master is Apache-licensed but the last commit was in 2015. https://bitbucket.org/atlassian/crowd-scala-rest-client/src/master/ is also Apache-licensed and the last commit was in 2021.

@MarkEWaite MarkEWaite self-assigned this Dec 9, 2023
MarkEWaite added a commit to MarkEWaite/update-center2 that referenced this issue Dec 9, 2023
jenkins-infra/helpdesk#3854 explains that
the Crowd2 integration plugin uses a dependency that is not open source
licensed.

The Crowd2 integration library is Atlassian licensed as described in
jenkins-infra/helpdesk#3842 (comment)

The Atlassian license is not an open source license.  Refer to
https://www.atlassian.com/legal/software-license-agreement for the
details of the license.

https://www.jenkins.io/project/governance/#license says that the Jenkins
project requires plugins that it distributes to be open source, including
their dependencies.  When a closed source dependency is detected in a
plugin, we suspend distribution of that plugin.  If maintainers update
the plugin to remove the closed source dependency, distribution can
begin for the new release that removes the closed source dependency.

Fixes jenkins-infra/helpdesk#3854
MarkEWaite added a commit to MarkEWaite/configuration-as-code-plugin that referenced this issue Dec 9, 2023
jenkins-infra/helpdesk#3854 notes that
the Crowd2 plugin uses one or more closed source dependencies.
Those dependencies make it ineligible to be distributed by the Jenkins
update center.  Let's remove the integration test and documentation so
that we are not describing the configuration of a suspended plugin.

jenkins-infra/helpdesk#3842 (comment)
describes the case where we detected the closed source dependency
through the configuration as code plugin integration test of the Crowd2
plugin.  Unless we include the Atlassian closed source repository,
the configuration as code plugin fails to compile its integration tests.

jenkins-infra/helpdesk#3842 (comment)
provides additional details from the investigation related to the Jenkins
artifact repository and its caches.

jenkins-infra/helpdesk#3842 (comment)
summarizes my investigation
MarkEWaite commented Dec 9, 2023

I've submitted a documentation pull request to the crowd2 plugin repository explaining why it will be suspended.
