Vespa 8: remove usage of org.json library and stop providing bundle from jdisc runtime

[greatrabi]

Hi Vespa team,

Could you replace the org.json library so that we can use Vespa with confidence?

The org.json library runs under the JSON License with an following clause:

“The Software shall be used for Good, not Evil.”

This clause may make the software non-free.

ref. https://www.apache.org/legal/resolved.html https://wiki.debian.org/qa.debian.org/jsonevil https://www.gnu.org/licenses/license-list.html#JSON

Thanks

[oyving]

Thank you for bringing this to our attention. I suspect the code using this is doing it for legacy reasons, and we can remove the use org.json. It seems org.json is provided transitively through container-disc, but is also in use in the following modules:

• [ ] bundle-plugin-test
• [ ] cloud-tenant-base-dependencies-enforcer
• [ ] container-core
• [ ] container-dependencies-enforcer
• [ ] container-dependency-versions
• [ ] container-disc
• [ ] container-search
• [ ] container-search-and-docproc
• [ ] container-search-gui
• [ ] controller-api
• [ ] controller-server
• [ ] docprocs
• [ ] metrics-proxy

As a first step we should remove our use of the item in the code and either replace it with Jackson or Slime + JsonUtils. Removing the provided dependency might break existing applications, though.

[bjorncs]

We should remove org.json provided dependency as part of next Vespa major release.

[johans1]

Stop using org.json now, remove in Vespa 8

[bjorncs]

I have removed all org.json usage except in the public API class com.yahoo.prelude.hitfield.JSONString, which leaks org.json types from the two methods getParsedJSON and setParsedJSON. These are now deprecated and can be removed in Vespa 8.

[gjoranv]

Please reopen if needed.