>> The license covers binary and source form, so we should adhere to the
>> original license, which is 3 clause BSD.
>
> I don't think we should be in the business of checking whether it violates
> 3 clause BSD license or not.
> The dependency that we pulled in is a bundled binary, which we should use
> the LICENSE that they associated
> with the bundled jar that the author pushed to maven central. If it
> violates BSD license, the author of this jar should address.
> However I am not a lawyer, so I can't judge what is right and what is
> wrong.

Just because findbugs violated the license doesn't mean we are in the clear if we do the same. Findbugs is dead, so there's no hope of them actually addressing it.

Ideally we could just remove this dependency, but the annotations have runtime retention, so it's unlikely to result in good things happening. So we should include the correct license, which is available on google code.

> You seem to have strong opinions about these two *problematic*
> dependencies. And these dependencies were introduced by twitter stats
> providers for bookkeeper-all packages.

libthrift comes as part of twitter-server, but yes, they're not in the default bookkeeper-server package.

> In order not to block release 4.6.0, I would suggest removing
> bookkeeper-all package from release 4.6.0. If people need bookkeeper-all
> package, they can compile from src package.

Sounds good to me.

> We can resume the discussion of bookkeeper-all package when licensing
> concerns are removed.

I've asked on the finagle github issues about getting the source or notice for libthrift.

-Ivan