Closed tballison closed 3 years ago
Hi @tballison, thanks for reaching out about this. From the discussion on the TIKA issue, there is some suggestion that perhaps https://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.html applies and that the library is available under the terms of the BSD license. Do you know whether that is the case?
Sorry for my delay! It is available under BSD3, but our user correctly objected to the contradictory license that was included in the jar.
6.1.11 is now available, and the jar contains no license so the EULA applies without contradiction.
Somewhat oddly 6.1.11 continues with the .internal. namespace, but this won't be a problem for you! Again, many thanks!
6.1.11 is now available
Fantastic. I've pushed an update. Thanks very much Tim.
Has anyone found the Java source code for 6.1.11? If so, I could go over it and update the XmpCore dotnet project to (more or less) match.
Over on https://issues.apache.org/jira/browse/TIKA-3204, a user pointed out that versions of xmpcore >= 5.1.2 include
The problem is that 5.1.2 is vulnerable to an XXE and versions < 6.? are vulnerable to a DoS with too many entities as children of
photoshop:DocumentAncestors
.The best solution would be for Adobe to release an update of their latest that fixes the licensing issue.
We've made some inquiries...but that'll probably take some time.
A crummy solution would be to fork 5.1.2, fix the XXE and DoS, but we'd be missing a bunch of improvements, and that'd change the namespace...
I don't have a solution, but I did want to notify you of this licensing problem.
As always, thank you so very much for metadata-extractor!!!