Hi Xiaolong,

The Go SDK had this dependency, github.com/beefsack/go-rate, which had a GPL license. With this pull request <https://github.com/beefsack/go-rate/pull/11>, it was changed to MIT. The v0.8.1 version contains my PR <https://github.com/apache/pulsar-client-go/issues/725> which upgrades the version of beefsack/go-rate that uses MIT, and is compliant.

Thanks,
Shubham

From: r...@apache.org <ranxiaolong...@gmail.com>
Sent: Monday, March 14, 2022 8:47 AM
To: Dev <dev@pulsar.apache.org>; Shubham Sharma (DEVDIV) <shubh...@microsoft.com>
Subject: [EXTERNAL] Re: Re: [DISCUSS] Releasing pulsar-client-go 0.8.1

Hello Shubham Sharma:

Thanks for your email, which lib the Go SDK depends on is caused by this? The release version of 0.8.1 was just launched recently, which is also mainly to solve the problem of license compatibility.

--
Thanks
Xiaolong Ran

Shubham Sharma (DEVDIV) <shubh...@microsoft.com.invalid> wrote on Wed, Mar 9, 2022 at 22:47:

Hi,

We discovered the GPL dependency at Dapr using https://fossa.com/, you can also try the same. It can be added in the CI step to prevent introducing any such dependencies further.

Thanks,
Shubham

On 2022/03/08 19:44:29 Michael Marshall wrote:
> +1 for releasing 0.8.1. Thanks for starting this discussion, Rui.
>
> Is there any official ASF protocol for dealing with this situation? I
> think we should warn users about the unintended GPL dependency
> included in 0.8.0. Perhaps we can do that by adding a warning to the
> GitHub Release page for 0.8.0 [0] and sending a note to the users
> mailing list?
>
> Also, does Go have any tooling we can add to our release process to
> help prevent this kind of error in future releases?
>
> Thanks,
> Michael
>
> [0] https://github.com/apache/pulsar-client-go/releases/tag/v0.8.0
>
> On Mon, Mar 7, 2022 at 7:59 PM Rui Fu rf...@apache.org wrote:
> >
> > Thanks for all your votes, I will start working on the release.
> >
> > On 2022/03/07 19:14:00 Sijie Guo wrote:
> > > +1
> > >
> > > On Sun, Mar 6, 2022 at 6:46 PM r...@apache.org <ra...@gmail.com> wrote:
> > >
> > > > +1
> > > >
> > > > --
> > > > Thanks
> > > > Xiaolong Ran
> > > >
> > > > PengHui Li pe...@apache.org wrote on Sat, Mar 5, 2022 at 18:10:
> > > >
> > > > > +1
> > > > >
> > > > > Penghui
> > > > >
> > > > > On Sat, Mar 5, 2022 at 4:58 AM Matteo Merli ma...@gmail.com wrote:
> > > > >
> > > > > > +1 Thanks Rui, we should eliminate the GPL dependency ASAP.
> > > > > >
> > > > > > --
> > > > > > Matteo Merli
> > > > > > ma...@gmail.com
> > > > > >
> > > > > > On Thu, Mar 3, 2022 at 2:08 AM Rui Fu rf...@apache.org wrote:
> > > > > > >
> > > > > > > Hi everyone,
> > > > > > >
> > > > > > > I would like to start a discussion here about starting a new release of
> > > > > > > pulsar-client-go v0.8.1. Recently we have some dependency update PRs
> > > > > > > from the community, [1] is bumping `github.com/beefsack/go-rate` to the
> > > > > > > latest version, which migrates the license from GPL to MIT. [2] is
> > > > > > > bumping `github.com/prometheus/client_golang` to address
> > > > > > > CVE-2022-21698. For more details, please check the links below.
> > > > > > >
> > > > > > > As the v0.8.0 was just released weeks ago and the next release will
> > > > > > > start about 2 months later, I think we should start the release of
> > > > > > > v0.8.1.
> > > > > > >
> > > > > > > [1]: https://github.com/apache/pulsar-client-go/pull/735
> > > > > > > [2]: https://github.com/apache/pulsar-client-go/pull/738
> > > > > > >
> > > > > > > --
> > > > > > >
> > > > > > > Best Regards,
> > > > > > >
> > > > > > > Rui Fu
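
An added example, not part of the thread or of pulsar-client-go: one way the CI check suggested above could work in Go, walking a tree of dependency sources (such as a `vendor/` directory) and failing closed on GNU-family or unrecognised license files. The text markers, the `example.com/hypothetical/...` modules and the sample license contents are constructed for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// classify is a coarse heuristic (an assumption of this sketch); GNU wording is tested first so it fails closed.
func classify(text string) string {
	up := strings.ToUpper(text)
	switch {
	case strings.Contains(up, "GENERAL PUBLIC LICENSE"):
		return "GNU-GPL-family" // GPL, LGPL and AGPL texts all carry this phrase
	case strings.Contains(up, "APACHE LICENSE"):
		return "Apache"
	case strings.Contains(up, "PERMISSION IS HEREBY GRANTED, FREE OF CHARGE"):
		return "MIT-style"
	}
	return "UNKNOWN"
}

// denied returns "module: license" for each LICENSE*/COPYING* file that is denylisted or unidentified.
func denied(tree fs.FS, deny map[string]bool) (out []string) {
	fs.WalkDir(tree, ".", func(p string, d fs.DirEntry, err error) error {
		name := strings.ToUpper(path.Base(p))
		if err != nil || d.IsDir() || !(strings.HasPrefix(name, "LICENSE") || strings.HasPrefix(name, "COPYING")) {
			return err
		}
		b, err := fs.ReadFile(tree, p)
		// An unreadable file classifies as UNKNOWN and is reported too.
		if id := classify(string(b)); err != nil || deny[id] || id == "UNKNOWN" {
			out = append(out, path.Dir(p)+": "+id)
		}
		return nil
	})
	return out // fs.WalkDir visits entries in lexical order, so the result is stable
}

var sampleTree = fstest.MapFS{ // constructed input, not real license files
	"github.com/beefsack/go-rate/LICENSE":         {Data: []byte("GNU GENERAL PUBLIC LICENSE (constructed)")},
	"example.com/hypothetical/permissive/LICENSE": {Data: []byte("Permission is hereby granted, free of charge, ...")},
	"example.com/hypothetical/unlabelled/COPYING": {Data: []byte("All rights reserved.")},
}

func main() {
	fmt.Println(strings.Join(denied(sampleTree, map[string]bool{"GNU-GPL-family": true}), "\n"))
}
```

In a pipeline, a non-empty result from `denied` would fail the build; the substring match over-reports (any license text that merely mentions the GPL is flagged), which is the safe direction for a release gate.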