Hi,

I am wondering why spring-boot-starter-data-jpa depends on the LGPL licensed library "hibernate-core", and can still be Apache 2.0 licensed. I am reading [1]. In section 5 it says:

  A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.

I think spring-boot-starter-data-jpa falls into this case. It is a "work that uses the Library". The source code of incubator-dubbo-admin should also fall into this case, because it does not contain any portion of the hibernate-core. Based on it and the explanation here[2], I think the source code can be released anyway. Is my understanding correct?

Next, the LGPL license says:

  However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License.

The binary distribution of incubator-dubbo-admin falls into this case because it creates an executable that contains the binary of hibernate-core. Therefore it is a "work based on the library". As a derivative of hibernate-core, it must be licensed with LGPL/GPL, which is not allowed as an Apache product, and eventually causes the incompatibility.

If my understanding is correct, there are at least 4 ways to solve this issue:

1. Stop distributing the binary of incubator-dubbo-admin
2. Make the feature optional, as explained here[3]
3. Stop depending on hibernate-core
4. Choose other Apache compatible equivalent

I recommend to go with number 3 in my last thread.
[1] https://opensource.org/licenses/LGPL-2.1
[2] https://www.apache.org/legal/resolved.html#prohibited
[3] https://www.apache.org/legal/resolved.html#optional

On Sun, Apr 21, 2019 at 10:40 AM Huxing Zhang <hux...@apache.org> wrote:
>
> Hi,
>
> ccing dev@dubbo
>
> On Fri, Apr 19, 2019 at 8:24 AM Willem Jiang <willem.ji...@gmail.com> wrote:
> >
> > Hi,
> >
> > I just checked the binary release kit, it has the third party
> > dependency of LGPL (Hibernate core) which belongs to Category
> > X[1], it cannot be included in Apache Product.
> > I had to vote -1 for it. We can change the ORM lib to Eclipse Link to
> > fix this issue, I just filed an issue here[2].
>
> I did some digging for this issue and confirm that this is introduced by
> this pull request[1].
> The purpose of this pull request is to introduce the pagination to
> service query.
> In this pull request a dependency to spring-boot-starter-data-jpa was added,
> which introduces the LGPL licensed dependency hibernate-core.
> The detailed dependency tree is shown below:
>
> [INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.0.2.RELEASE:compile
> [INFO] | +- org.springframework.boot:spring-boot-starter-aop:jar:2.0.2.RELEASE:compile
> [INFO] | | \- org.aspectj:aspectjweaver:jar:1.8.13:compile
> [INFO] | +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.0.2.RELEASE:compile
> [INFO] | | +- com.zaxxer:HikariCP:jar:2.7.9:compile
> [INFO] | | \- org.springframework:spring-jdbc:jar:5.0.6.RELEASE:compile
> [INFO] | +- org.hibernate:hibernate-core:jar:5.2.17.Final:compile
> [INFO] | | +- org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:compile
> [INFO] | | +- antlr:antlr:jar:2.7.7:compile
> [INFO] | | +- org.jboss:jandex:jar:2.0.3.Final:compile
> [INFO] | | +- dom4j:dom4j:jar:1.6.1:compile
> [INFO] | | \- org.hibernate.common:hibernate-commons-annotations:jar:5.0.1.Final:compile
> [INFO] | +- javax.transaction:javax.transaction-api:jar:1.2:compile
> [INFO] | +- org.springframework.data:spring-data-jpa:jar:2.0.7.RELEASE:compile
> [INFO] | | +- org.springframework.data:spring-data-commons:jar:2.0.7.RELEASE:compile
> [INFO] | | +- org.springframework:spring-orm:jar:5.0.6.RELEASE:compile
> [INFO] | | \- org.springframework:spring-tx:jar:5.0.6.RELEASE:compile
> [INFO] | \- org.springframework:spring-aspects:jar:5.0.6.RELEASE:compile
>
> Actually the hibernate-core dependency is never used when implementing
> the feature,
> I think it can be excluded quietly. This is the safest way to solve this
> issue.
> To dig further, the only dependency that is required to be added is just
> spring-data-commons,
> which is Apache 2.0 Licensed[2]. (I just confirmed the code can compile
> and start correctly with spring-data-commons,
> it might need to check more at runtime to ensure everything is working)
>
> We need to be very careful when a new dependency is added, and ensure
> all the licenses (including transitive dependencies) are compatible
> with Apache.
>
> The community has identified several similar issues [3][4] for
> incubator-dubbo project, and similar actions should be done to
> incubator-dubbo-admin as well.
>
> To identify the issue automatically, I ran the following command:
>
> mvn license:add-third-party -Dlicense.useMissingFile
>
> and grep the output:
>
> cat dubbo-admin-server/target/generated-sources/license/THIRD-PARTY.txt| grep "General Public License"
> (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Classic Module (ch.qos.logback:logback-classic:1.2.3 - http://logback.qos.ch/logback-classic)
> (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Core Module (ch.qos.logback:logback-core:1.2.3 - http://logback.qos.ch/logback-core)
> (GNU Lesser General Public License) Core Hibernate O/RM functionality (org.hibernate:hibernate-core:5.2.17.Final - http://hibernate.org)
> (GNU Lesser General Public License) Hibernate Commons Annotations (org.hibernate.common:hibernate-commons-annotations:5.0.1.Final - http://hibernate.org)
>
> The last 2 are both introduced by hibernate-core. A script to check
> license issue for dependencies was on the way[5].
>
> [1] https://github.com/apache/incubator-dubbo-admin/pull/324
> [2] https://github.com/spring-projects/spring-data-commons/blob/master/src/main/resources/license.txt
> [3] https://lists.apache.org/thread.html/2231c58509842fe4069f2091f00ea7fd5c4e6ae4bf8ce1a97b16e9c5@%3Cdev.dubbo.apache.org%3E
> [4] https://lists.apache.org/thread.html/e3112c832415850779af2fe04aa7325d8d776144f3939cc63f5eab08@%3Cdev.dubbo.apache.org%3E
> [5] https://github.com/apache/incubator-dubbo/issues/3840
>
> >
> > [1]https://www.apache.org/legal/resolved.html#category-x
> > [2]https://github.com/apache/incubator-dubbo-admin/issues/366
> >
> > Willem Jiang
> >
> > Twitter: willemjiang
> > Weibo: 姜宁willem
> >
> > On Mon, Apr 15, 2019 at 10:24 AM Minxuan Zhuang <z82507...@gmail.com> wrote:
> > >
> > > Hello Incubator Community,
> > >
> > > The Apache Dubbo community has voted on and approved a proposal to release
> > > Apache Dubbo Admin (Incubating) version 0.2.0.
> > >
> > > We now kindly request the Incubator PMC members review and vote on this
> > > incubator release.
> > >
> > > Apache Dubbo™ (incubating) is a high-performance, java based, open source
> > > RPC framework. Dubbo offers three key functionalities, which include
> > > interface based remote call, fault tolerance & load balancing, and
> > > automatic service registration & discovery.
> > >
> > >
> > > Dubbo community vote and result thread:
> > > https://lists.apache.org/thread.html/fc71a5f8c93b8c3606338b97a08c044af64ca3165e226aed37295a45@%3Cdev.dubbo.apache.org%3E
> > >
> > > The release candidates (RC3):
> > > https://dist.apache.org/repos/dist/dev/incubator/dubbo/dubbo-admin/0.2.0/
> > >
> > >
> > > Git tag for the release (RC3):
> > > https://github.com/apache/incubator-dubbo-admin/releases/tag/0.2.0
> > >
> > > Hash for the release tag:
> > > 37e23a7354e3da50914e075eb4676c7c2875ffa7
> > >
> > > Release Notes:
> > > https://github.com/apache/incubator-dubbo-admin/releases/tag/0.2.0
> > >
> > >
> > > The artifacts have been signed with Key :
> > > DA2108479B0C1E71, which can be
> > > found in the keys file:
> > > https://dist.apache.org/repos/dist/dev/incubator/dubbo/KEYS
> > >
> > > The vote will be open for at least 72 hours or until necessary number of
> > > votes are reached.
> > >
> > > Please vote accordingly:
> > >
> > > [ ] +1 approve
> > > [ ] +0 no opinion
> > > [ ] -1 disapprove with the reason
> > >
> > > Thanks,
> > > The Apache Dubbo (Incubating) Team
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > For additional commands, e-mail: general-h...@incubator.apache.org
> >
>
>
> --
> Best Regards!
> Huxing

--
Best Regards!
Huxing
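
Added example (not part of the original e-mails or of the Dubbo project's tooling): the grep quoted in the thread also matches entries that list a second license (the Logback lines), so this Python script parses THIRD-PARTY.txt lines in the format shown there and separates artifacts whose every listed license matches from those that list an alternative. The sample input is constructed, and both the pattern list and the treatment of multiple listed licenses as a choice are assumptions to confirm per artifact.

```python
import re

# Constructed sample in the THIRD-PARTY.txt line format quoted in the thread
# (the last two entries and their URLs are made up for contrast).
SAMPLE = """\
  (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Classic Module (ch.qos.logback:logback-classic:1.2.3 - http://logback.qos.ch/logback-classic)
  (GNU Lesser General Public License) Core Hibernate O/RM functionality (org.hibernate:hibernate-core:5.2.17.Final - http://hibernate.org)
  (Apache License, Version 2.0) Spring Data Core (org.springframework.data:spring-data-commons:2.0.7.RELEASE - https://example.invalid/spring-data-commons)
  (Common Development and Distribution License (CDDL) v1.0) Hypothetical Lib (org.example:nested-parens:1.0 - https://example.invalid/lib)
"""
# Assumption: license-name patterns treated as not allowed in a release.
PROHIBITED = re.compile(r"General Public License|\b[AL]?GPL\b", re.I)
# Trailing "(group:artifact:version - url)" group that ends every entry.
COORDS = re.compile(r"\(([\w.\-]+:[\w.\-]+:[\w.\-]+) - [^()]*\)\s*$")

def leading_licenses(text):
    """Return the leading '(...)' license groups, honouring nested parentheses."""
    groups = []
    while text.startswith("("):
        depth = 0
        for j, ch in enumerate(text):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                break
        groups.append(text[1:j])
        text = text[j + 1:].lstrip()
    return groups

def audit(third_party_text):
    """Map group:artifact:version to 'ok', 'review' or 'prohibited'."""
    findings = {}
    for line in third_party_text.splitlines():
        m = COORDS.search(line)
        if not m:
            continue  # header or blank line
        licenses = leading_licenses(line[:m.start()].strip())
        hits = [name for name in licenses if PROHIBITED.search(name)]
        if licenses and not hits:
            verdict = "ok"
        elif hits and len(hits) == len(licenses):
            verdict = "prohibited"  # no alternative license listed
        else:
            verdict = "review"  # alternative listed, or no license parsed
        findings[m.group(1)] = verdict
    return findings

if __name__ == "__main__":
    for gav, verdict in audit(SAMPLE).items():
        print(f"{verdict:10} {gav}")
```

Failing a build only on "prohibited" and listing "review" entries for a human to check keeps dual-licensed artifacts from blocking a release while still surfacing them.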