ops4j / org.ops4j.pax.web

OSGi R7 Http Service, Whiteboard and Web Applications (OSGi CMPN Release chapters 102, 140 and 128) implementation using Jetty 9, Tomcat 9 or Undertow 2.
https://ops4j1.jira.com/wiki/display/paxweb/Pax+Web
Other

GPL dependency? #1699

Open niclash opened 2 years ago

niclash commented 2 years ago

I tried out the Debricked analysis tool with OPS4J as a trial to see what comes out of it.

https://debricked.com/app/en/repository/25903?tab=4

Shows that it found GPL and LGPL (various versions of both) in the dependency chain "somehow". Not sure how to go looking for that, but thought I should let you guys know.

grgrzybek commented 2 years ago

I can't log in to debricked.com... And yes, I believe the MySQL driver (in pax.jdbc) is GPL, that's why it got a separate features file...

I'm not sure about pax.web - could you somehow attach the report here?

niclash commented 2 years ago

Don't you simply get a "Login with GitHub" button and that brings you to the page above? That is at least intended. image

grgrzybek commented 2 years ago

@niclash I simply didn't check ;) I'll check on Monday.

niclash commented 2 years ago

image

niclash commented 2 years ago

image image

niclash commented 2 years ago

F! The above report is for all of OPS4J... Grrr...

niclash commented 2 years ago

image image

These are for Pax Web

grgrzybek commented 2 years ago

I found this, for example: https://debricked.com/app/en/dependency/11673?repositoryId=25903 It's about the test-scoped dependency org.glassfish.hk2:osgi-resource-locator... Not sure what I should do about it.

grgrzybek commented 2 years ago

4 GPL deps total in Pax Web: https://debricked.com/app/en/repository/25903?tab=3&search=GPL-2.0

jakarta.ws.rs has (in POM):

    <licenses>
        <license>
            <name>EPL 2.0</name>
            <url>http://www.eclipse.org/legal/epl-2.0</url>
            <distribution>repo</distribution>
        </license>
        <license>
            <name>GPL2 w/ CPE</name>
            <url>https://www.gnu.org/software/classpath/license.html</url>
            <distribution>repo</distribution>
        </license>
    </licenses>

so probably dual license. Same for jaspic API (jakarta.security.auth.message):

    <licenses>
        <license>
            <name>EPL 2.0</name>
            <url>http://www.eclipse.org/legal/epl-2.0</url>
            <distribution>repo</distribution>
        </license>
        <license>
            <name>GPL2 w/ CPE</name>
            <url>https://www.gnu.org/software/classpath/license.html</url>
            <distribution>repo</distribution>
        </license>
    </licenses>

Even if the report says "GPL-2.0"...
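The POM check described in the comment above, as an added example that is not part of the original thread or of Pax Web's code: it reads a POM's `<licenses>` block and separates a GPL-only declaration from one where GPL is just one of the listed licenses. Treating multiple `<license>` entries as alternatives is an assumption (the POM format carries no AND/OR operator), and the function names, labels and sample POMs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <licenses> block quoted in the thread, in a minimal POM.
DUAL_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses>
    <license><name>EPL 2.0</name><url>http://www.eclipse.org/legal/epl-2.0</url></license>
    <license><name>GPL2 w/ CPE</name>
      <url>https://www.gnu.org/software/classpath/license.html</url></license>
  </licenses>
</project>"""

# Constructed counter-example: a POM that declares plain GPL and nothing else.
GPL_ONLY_POM = """<project><licenses>
  <license><name>GNU General Public License, version 2</name></license>
</licenses></project>"""

# \b keeps "LGPL" from matching; AGPL is counted with the GPL family.
GPL = re.compile(r"\b(?:A?GPL|GNU (?:Affero )?General Public)", re.I)
EXCEPTION = re.compile(r"classpath|\bCPE\b|\bexception\b", re.I)

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def pom_licenses(pom_xml):
    """Return [(name, url)] from the project's top-level <licenses> element."""
    found = []
    for block in ET.fromstring(pom_xml):
        if _local(block.tag) != "licenses":
            continue
        for lic in block:
            fields = {_local(c.tag): (c.text or "").strip() for c in lic}
            found.append((fields.get("name", ""), fields.get("url", "")))
    return found

def classify(licenses):
    """Label a dependency by how GPL appears among its declared licenses."""
    if not licenses:
        return "unknown"
    gpl = [lic for lic in licenses if GPL.search(lic[0])]
    if not gpl:
        return "no-gpl"
    if len(gpl) < len(licenses):
        return "dual-licensed"        # assumption: entries are alternatives
    if all(EXCEPTION.search(" ".join(lic)) for lic in gpl):
        return "gpl-with-exception"   # e.g. Classpath Exception only
    return "gpl-only"

if __name__ == "__main__":
    for label, pom in (("dual", DUAL_POM), ("gpl", GPL_ONLY_POM)):
        print(label, classify(pom_licenses(pom)))
```

A scanner finding of "GPL-2.0" for a dependency labelled `dual-licensed` or `gpl-with-exception` here still needs a manual look at the license text before it is treated as a plain GPL obligation.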

grgrzybek commented 1 year ago

@niclash hi, any idea how to proceed with this one?

mattrpav commented 1 year ago

Enhancement request with debricked to support CPE reporting?