ActiveMQ / AMQ-3491

Investigate and resolve LGPL dependency via camel-web

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 5.4.0, 5.5.0
    • Fix Version/s: 5.4.3, 5.5.1, 5.6.0
    • Component/s: None
    • Labels: None

      Description

      May be related to the trimmed-down distro that uses the old camel-web.
      See: https://issues.apache.org/jira/browse/AMQ-3329

      ActiveMQ 5.5.0's distro includes Jaffl 0.5.1 which is
      LGPL. I traced this down to the distro containing an unpacked
      camel-web 2.4.0 war, which has several org.jruby:jruby dependencies in
      it. My read is that this is a problem because of:
      http://www.apache.org/legal/resolved#category-x

      I also noted that the distro includes org.jruby.ext.posix:jnr-posix
      which may be LGPL/GPL and also org.jruby.extras:jffi:1.0.1 which
      appears to be LGPL as well.

      The following artifacts have jaffl in them:

      groupid               artifactid              version
      --------------------  ----------------------  -------
      org.apache.activemq   apache-activemq         5.4.2
      org.apache.activemq   apache-activemq         5.4.0
      org.apache.activemq   apache-activemq         5.4.1
      org.apache.activemq   apache-activemq         5.5.0
      org.apache.camel      camel-web-standalone    2.4.0
      org.apache.camel      camel-web               2.4.0

          Activity

          Michael Hayes added a comment - - edited

          Additional info indicating that jaffl and jffi later versions are now Apache V2-licensed, and that jnr-posix is triple-licensed. Details below.

          The two main FOSSes of concern are the LGPL licensed jaffl and jffi in the Camel Web Console component.

          jaffl 0.5.1 has the LGPLv3 license for the included version: http://mvnrepository.com/artifact/org.jruby.extras/jaffl/0.5.1

          The latest jaffl 0.5.11 http://mvnrepository.com/artifact/org.jruby.extras/jaffl/0.5.11 is Apache v2 licensed, and it has been so since jaffl 0.5.9, see http://mvnrepository.com/artifact/org.jruby.extras/jaffl

          Jaffl depends on jffi, which WAS LGPL licensed up to 1.0.6 (version 1.0.1 is in AMQ 5.4.1). From 1.0.7 it is Apache V2 licensed: http://mvnrepository.com/artifact/org.jruby.extras/jffi/1.0.7

          Another component of concern is mentioned: org.jruby.ext.posix:jnr-posix which appears to be triple-licensed: CPL/GPL/LGPL and depends on multiple other components: http://mvnrepository.com/artifact/com.github.jnr/jnr-posix/2.0. The CPL license would be appropriate.

          Michael Hayes added a comment -

          First I have to say I really appreciate the decisive action on this unfortunate issue - you guys did the right thing.

          I have a suggestion for the future (and for all ASF projects, really).
          Would you consider running something like Black Duck Protex or equivalent as part of pre-release testing - to assure users that there are no license incompatibility issues?
          Maybe running the checks just for major releases at least?
          If every ASF project could access some license-checking tool (and use it as a pre-release check) it would add great value to the ASF brand - assuring users that all reasonable steps have been taken to avoid any licensing difficulties.

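          A way to automate both the tracing the description reports (finding which bundled archive, including a jar nested inside a war, carries a given Maven coordinate) and the pre-release licence gate suggested in the comment above. This is an added example written for this page, not ActiveMQ, Camel or Black Duck code: the policy table (with the version thresholds taken from the comment above), the `build_sample_distro` layout and every path and version it creates are constructed for the demonstration, and `SAMPLE` stands in for a jnr-posix version the issue does not state.

```python
"""Scan an unpacked distribution for bundled Maven artifacts (also inside wars)
and flag coordinates whose licence is in Apache Category X.  Added example."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

# Hand-written policy for the example (not a licence database):
# groupId:artifactId -> (first Apache-2.0 version, licence before that).
POLICY = {
    "org.jruby.extras:jaffl": ("0.5.9", "LGPL-3.0"),
    "org.jruby.extras:jffi": ("1.0.7", "LGPL"),
}
NEEDS_REVIEW = {"org.jruby.ext.posix:jnr-posix": "CPL/GPL/LGPL (triple)"}
CATEGORY_X = ("GPL", "LGPL")  # licence families Apache projects may not ship

def parse_version(text):
    """'1.0.7' -> (1, 0, 7); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def _artifacts_in_zip(zf, origin):
    """Yield ((g, a, v), where) per pom.properties; recurse into nested jars/wars."""
    for name in zf.namelist():
        m = POM_PROPS.match(name)
        if m:
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):
                    k, v = line.split("=", 1)
                    props[k.strip()] = v.strip()
            yield (props.get("groupId", m.group(1)),
                   props.get("artifactId", m.group(2)),
                   props.get("version", "?")), origin
        elif name.endswith((".jar", ".war")):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                yield from _artifacts_in_zip(inner, f"{origin}!/{name}")

def find_artifacts(root):
    """Sorted (groupId, artifactId, version, where) for every archive under root."""
    found = set()
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in (".jar", ".war"):
            with zipfile.ZipFile(path) as zf:
                rel = path.relative_to(root).as_posix()
                for gav, where in _artifacts_in_zip(zf, rel):
                    found.add(gav + (where,))
    return sorted(found)

def check_policy(artifacts):
    """[(gav, licence, verdict, where)] for artifacts the policy knows about."""
    findings = []
    for g, a, v, where in artifacts:
        key = f"{g}:{a}"
        if key in POLICY:
            first_ok, old_licence = POLICY[key]
            if parse_version(v) < parse_version(first_ok):
                bad = any(old_licence.startswith(c) for c in CATEGORY_X)
                findings.append((f"{key}:{v}", old_licence, "BLOCK" if bad else "OK", where))
            else:
                findings.append((f"{key}:{v}", "Apache-2.0", "OK", where))
        elif key in NEEDS_REVIEW:
            findings.append((f"{key}:{v}", NEEDS_REVIEW[key], "REVIEW", where))
    return findings

def _jar_bytes(group, artifact, version, nested=None):
    """Build an in-memory jar/war carrying Maven pom.properties (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_distro():
    """Constructed stand-in for a distro tree: an unpacked camel-web war whose
    WEB-INF/lib holds jaffl 0.5.1 and 0.5.11, plus a packed war nesting
    jffi 1.0.1 and a jnr-posix jar.  Layout and versions are sample data."""
    root = Path(tempfile.mkdtemp(prefix="lic-scan-"))
    lib = root / "webapps" / "camel" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    (lib / "jaffl-0.5.1.jar").write_bytes(_jar_bytes("org.jruby.extras", "jaffl", "0.5.1"))
    (lib / "jaffl-0.5.11.jar").write_bytes(_jar_bytes("org.jruby.extras", "jaffl", "0.5.11"))
    nested = {
        "WEB-INF/lib/jffi-1.0.1.jar": _jar_bytes("org.jruby.extras", "jffi", "1.0.1"),
        "WEB-INF/lib/jnr-posix.jar": _jar_bytes("org.jruby.ext.posix", "jnr-posix", "SAMPLE"),
    }
    (root / "lib" / "optional").mkdir(parents=True)
    (root / "lib" / "optional" / "camel-web-2.4.0.war").write_bytes(
        _jar_bytes("org.apache.camel", "camel-web", "2.4.0", nested))
    return root

if __name__ == "__main__":
    for gav, licence, verdict, where in check_policy(find_artifacts(build_sample_distro())):
        print(f"{verdict:6} {gav:42} {licence:24} {where}")
```

          Run as a script it builds the sample tree in a temporary directory and prints one line per finding, with the `war!/path` notation showing exactly which archive a nested jar came from; point `find_artifacts` at a real unpacked distribution instead. Only artifacts that carry Maven `pom.properties` are identified, so a clean scan is a floor, not proof that no Category X code is bundled.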
          Tim Wood added a comment -

          After a little searching on the mailing list I found a reference to the Apache archive download site: http://archive.apache.org/dist/activemq/apache-activemq/. It's a little confusing to new users trying to download this software that there are no valid downloads from the public downloads page.

          Tim Wood added a comment -

          This issue was referred to by Gary Tully in http://activemq.2283324.n4.nabble.com/5-5-Downloads-tp3897983p3898090.html. I cannot find a single download for any version of ActiveMQ on any mirror site or the primary site. Were all versions pulled due to this issue? Is there a timeframe for the software to be available to download again? Thanks!

          Gary Tully added a comment -

          Removed the use of the camel-web console from activemq. We can look at pulling it back in once the lgpl deps are resolved.

          Fix in: http://svn.apache.org/viewvc?rev=1181860&view=rev

          Gary Tully added a comment -

          Fix for 5.6

          Gary Tully added a comment -

          Fixing https://issues.apache.org/jira/browse/AMQ-3329 may be the answer once the deps are gone from there.


            People

            • Assignee: Gary Tully
            • Reporter: Gary Tully
            • Votes: 0
            • Watchers: 2
