Hi,

We discovered the GPL dependency at Dapr using https://fossa.com/; you can also try the same. It can be added in the CI step to prevent introducing any such dependencies further.

Thanks,
Shubham

On 2022/03/08 19:44:29 Michael Marshall wrote:
> +1 for releasing 0.8.1. Thanks for starting this discussion, Rui.
>
> Is there any official ASF protocol for dealing with this situation? I
> think we should warn users about the unintended GPL dependency
> included in 0.8.0. Perhaps we can do that by adding a warning to the
> GitHub Release page for 0.8.0 [0] and sending a note to the users
> mailing list?
>
> Also, does Go have any tooling we can add to our release process to
> help prevent this kind of error in future releases?
>
> Thanks,
> Michael
>
> [0] https://github.com/apache/pulsar-client-go/releases/tag/v0.8.0
>
> On Mon, Mar 7, 2022 at 7:59 PM Rui Fu rf...@apache.org wrote:
> >
> > Thanks for all your votes, I will start working on the release.
> >
> > On 2022/03/07 19:14:00 Sijie Guo wrote:
> > > +1
> > >
> > > On Sun, Mar 6, 2022 at 6:46 PM r...@apache.org ra...@gmail.com wrote:
> > >
> > > > +1
> > > >
> > > > --
> > > > Thanks
> > > > Xiaolong Ran
> > > >
> > > > PengHui Li pe...@apache.org wrote on Sat, Mar 5, 2022 at 18:10:
> > > >
> > > > > +1
> > > > >
> > > > > Penghui
> > > > >
> > > > > On Sat, Mar 5, 2022 at 4:58 AM Matteo Merli ma...@gmail.com wrote:
> > > > >
> > > > > > +1 Thanks Rui, we should eliminate the GPL dependency ASAP.
> > > > > >
> > > > > > --
> > > > > > Matteo Merli
> > > > > > ma...@gmail.com
> > > > > >
> > > > > > On Thu, Mar 3, 2022 at 2:08 AM Rui Fu rf...@apache.org wrote:
> > > > > > >
> > > > > > > Hi everyone,
> > > > > > >
> > > > > > > I would like to start a discussion here about starting a new
> > > > > > > release of pulsar-client-go v0.8.1.
> > > > > > >
> > > > > > > Recently we have some dependency update PRs from the
> > > > > > > community: [1] is bumping `github.com/beefsack/go-rate` to the
> > > > > > > latest version, which migrates the license from GPL to MIT. [2] is
> > > > > > > bumping `github.com/prometheus/client_golang` to address
> > > > > > > CVE-2022-21698. For more details, please check the links below.
> > > > > > >
> > > > > > > As the v0.8.0 was just released weeks ago and the next release
> > > > > > > will start about 2 months later, I think we should start the
> > > > > > > release of v0.8.1.
> > > > > > >
> > > > > > > [1]: https://github.com/apache/pulsar-client-go/pull/735
> > > > > > > [2]: https://github.com/apache/pulsar-client-go/pull/738
> > > > > > >
> > > > > > > --
> > > > > > >
> > > > > > > Best Regards,
> > > > > > >
> > > > > > > Rui Fu
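
The CI check suggested in this thread, sketched as an added example (not part of the original messages, and not pulsar-client-go's or FOSSA's code): a Go gate that fails the build when a dependency under a source tree ships a GPL-family license file. The `vendor` path, the `deniedHeading` marker and the function names are assumptions, and matching on the license heading is a heuristic.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// deniedHeading is a constructed marker shared by the GPL, LGPL and AGPL titles.
const deniedHeading = "GENERAL PUBLIC LICENSE"

// IsDenied inspects only the first 40 words (the heading), because
// permissive licenses can mention the GPL deeper in their body.
func IsDenied(text string) bool {
	head := strings.Fields(strings.ToUpper(text))
	if len(head) > 40 {
		head = head[:40]
	}
	return strings.Contains(strings.Join(head, " "), deniedHeading)
}

// ScanTree returns the LICENSE*/COPYING* files under root with a denied heading.
func ScanTree(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		name := strings.ToUpper(d.Name())
		if !strings.HasPrefix(name, "LICENSE") && !strings.HasPrefix(name, "COPYING") {
			return nil
		}
		b, err := os.ReadFile(p)
		if err == nil && IsDenied(string(b)) {
			hits = append(hits, p)
		}
		return err
	})
	return hits, err
}

func main() {
	hits, err := ScanTree("vendor") // assumed layout: dependencies vendored under ./vendor
	if err != nil || len(hits) > 0 {
		fmt.Println("license gate failed:", hits, err)
		os.Exit(1) // non-zero exit fails the CI step
	}
}
```

The gate fails closed: a missing or unreadable tree also exits non-zero, so a misconfigured CI step cannot pass silently.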