cloudendpoints / endpoints-management-java

A Java library for managing API services using Google's Service Control APIs
Apache License 2.0

endpoints-management-control-all does not properly shade OpenCensus #51

Open meltsufin opened 5 years ago

meltsufin commented 5 years ago

This is causing diamond dependency issues.

See: https://github.com/spring-cloud/spring-cloud-gcp/issues/1815#issuecomment-521392758

elharo commented 5 years ago

It probably shouldn't shade this. Rather it should simply depend on the usual jar rather than bundling it.

suztomo commented 5 years ago

Pasting my findings on duplicate classes via the Maven extra-enforcer rule's banDuplicateClasses:

Duplicate classes found:

  Found in:
    com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
    javax.transaction:transaction-api:jar:1.1:compile
  Duplicate classes:
    javax/transaction/SystemException.class
    (...omit ...)
    javax/transaction/TransactionSynchronizationRegistry.class

  Found in:
    com.google.errorprone:error_prone_annotations:jar:2.3.2:compile
    com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
  Duplicate classes:
    com/google/errorprone/annotations/Var.class
    com/google/errorprone/annotations/concurrent/LockMethod.class
    com/google/errorprone/annotations/FormatString.class
    (...omit ...)
    com/google/errorprone/annotations/Immutable.class
    com/google/errorprone/annotations/RestrictedApi.class

  Found in:
    com.google.code.findbugs:jsr305:jar:3.0.2:compile
    com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
  Duplicate classes:
    javax/annotation/WillCloseWhenClosed.class
    javax/annotation/meta/TypeQualifierValidator.class
    javax/annotation/concurrent/Immutable.class
    (...omit ...)
    javax/annotation/RegEx$Checker.class

  Found in:
    org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.21:compile
    javax.servlet:servlet-api:jar:2.5:compile
    com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
  Duplicate classes:
    javax/servlet/http/HttpSessionAttributeListener.class
    javax/servlet/SingleThreadModel.class
    (...omit ...)
    javax/servlet/http/HttpSession.class
    javax/servlet/http/HttpSessionEvent.class

  Found in:
    com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
    io.opencensus:opencensus-contrib-grpc-metrics:jar:0.19.2:compile
  Duplicate classes:
    io/opencensus/contrib/grpc/metrics/RpcViews.class
    io/opencensus/contrib/grpc/metrics/RpcViewConstants.class
    io/opencensus/contrib/grpc/metrics/RpcMeasureConstants.class

  Found in:
    com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
    javax.jdo:jdo2-api:jar:2.3-eb:compile
  Duplicate classes:
    javax/jdo/annotations/ForeignKey.class
    javax/jdo/spi/JDOImplHelper.class
    (...omit ...)
    javax/jdo/listener/LoadLifecycleListener.class
    javax/jdo/annotations/PersistenceCapable.class

  Found in:
    io.opencensus:opencensus-api:jar:0.23.0:compile
    com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
  Duplicate classes:
    io/opencensus/stats/AutoValue_ViewData.class
    io/opencensus/trace/TraceOptions$Builder.class
    (...omit ...)
    io/opencensus/tags/unsafe/ContextUtils$1.class
    io/opencensus/trace/samplers/Samplers.class
    io/opencensus/stats/Aggregation.class

  Found in:
    com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
    com.google.api.grpc:proto-google-common-protos:jar:1.16.0:compile
  Duplicate classes:
    com/google/cloud/audit/AuthorizationInfo$Builder.class
    com/google/cloud/audit/AuthenticationInfo.class
    (...omit ...)
    com/google/cloud/audit/AuditLogOrBuilder.class
    com/google/cloud/audit/AuthenticationInfoOrBuilder.class

These are the risks: endpoints-management-control-appengine-all may shadow classes at users' runtime.
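
An added example, not part of the thread or of the project's code: a small parser for the banDuplicateClasses report format quoted above that finds the artifact present in more than one collision group, which is the likely bundling jar. The function names `parse_report` and `bundlers` are this example's own, the sample is abridged from the report in the thread, and the parser assumes the report text carries no log-level prefixes.

```python
from collections import Counter

# Constructed sample, abridged from the report quoted in the thread.
SAMPLE_REPORT = """\
Duplicate classes found:
  Found in:
    com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
    javax.transaction:transaction-api:jar:1.1:compile
  Duplicate classes:
    javax/transaction/SystemException.class
    (...omit ...)

  Found in:
    org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.21:compile
    javax.servlet:servlet-api:jar:2.5:compile
    com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
  Duplicate classes:
    javax/servlet/http/HttpSession.class

  Found in:
    io.opencensus:opencensus-api:jar:0.23.0:compile
    com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
  Duplicate classes:
    io/opencensus/trace/samplers/Samplers.class
"""

def parse_report(text):
    """Return a list of (artifacts, classes) groups from the enforcer report."""
    groups, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Found in:":
            groups.append(([], []))
            section = 0          # following lines are artifact coordinates
        elif line == "Duplicate classes:":
            section = 1          # following lines are class file paths
        elif line and section is not None and not line.startswith("("):
            groups[-1][section].append(line)  # "(...omit ...)" markers are skipped
    return groups

def bundlers(groups):
    """Map each artifact seen in more than one group to the artifacts it overlaps."""
    seen = Counter(a for arts, _ in groups for a in set(arts))
    return {art: sorted({o for arts, _ in groups if art in arts for o in arts if o != art})
            for art, n in seen.items() if n > 1}

if __name__ == "__main__":
    print(bundlers(parse_report(SAMPLE_REPORT)))
```
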

elharo commented 5 years ago

Again, the issue is not that it doesn't shade these classes. It shouldn't shade them. It shouldn't bundle them either.

suztomo commented 5 years ago

I agree that this library should not shade dependencies.