aerospike / aerospike-client-java

Aerospike Java Client Library
Other
236 stars 212 forks source link

Replace gnu cyrpto with Non GPL alternative #110

Closed aahmed-se closed 6 years ago

aahmed-se commented 6 years ago

Currently the aerspike java client is using the gnu crypto library for base64 and RupeMD hashing.

Since it's a GPL based library packing with other systems is complicated. Would request the library be replaced with a non GPL alternative that has more flexible licensing.

https://github.com/aerospike/aerospike-client-java/search?l=Java&q=gnu&type=

BrianNichols commented 6 years ago

The gnu crypto library license is GPL with a library exception which permits its use as a library in conjunction with non-Free software. See http://www.gnu.org/software/gnu-crypto.

It's perfectly legal for proprietary closed source applications to link with the gnu crypto library given this library exception. The GPL license terms apply to source code changes in the gnu crypto library itself (we did not make source code changes).

The reason we stuck with gnu-crypto is that it performs RIPEMD-160 hashing 15% faster than the bouncy castle alternative.

That said, you could still replace gnu-crypto with the bouncy castle crypto library with some minor source code tweaks and maven configuration switches in a fork of this repo.

merlimat commented 6 years ago

Hi @BrianNichols , unfortunately the interpretation of ASF is a bit different and any dependencies with GPL+exceptions are not allowed in any Apache projects. https://www.apache.org/legal/resolved.html#category-x

BrianNichols commented 6 years ago

That is an unfortunate interpretation. We will investigate methods to switch RIPEMD-160/base64 implementations. No decisions yet, just some research.

BrianNichols commented 6 years ago

Aerospike Java client 4.1.11 adds the ability to switch between GNU and Bouncy Castle crypto libraries at compile time. Bouncy Castle has a MIT-based license.

There are now two Aerospike Java client libraries available on Maven Central Repository. The previously existing aerospike-client continues to link with GNU crypto. The new aerospike-client-bc links with Bouncy Castle crypto.

To use AerospikeClient with Bouncy Castle crypto, define this dependency in your pom.xml.

    <dependency>
      <groupId>com.aerospike</groupId>
      <artifactId>aerospike-client-bc</artifactId>
      <version>4.1.11</version>
    </dependency>
aahmed-se commented 6 years ago

Thanks @BrianNichols this should work