Opened 12 months ago

Closed 3 months ago

Last modified 2 months ago

#23220 closed defect (fixed)

javax.annotation uses non-free CC-BY-2.5 license

Reported by: sebastic
Owned by: team
Priority: normal
Milestone: 24.07
Component: Core
Version:
Keywords:
Cc: sebastic, stoecker

Description

JOSM uses javax.annotation and includes its sources in the source JAR.

In Debian Bug #1053542 one of the Debian FTP masters pointed out that the CC-BY-2.5 license is considered non-free.

From https://wiki.debian.org/DFSGLicenses:

In contrast to the CC BY-SA 1.0 license, version 3.0 is considered to be compatible to the DFSG. In addition, the version 2.0 and 2.5 are NOT transitively compatible because of clause 4b, since that only allows redistribution of derivative works under later versions of the license.

Can we switch to jakarta.annotation which uses EPL-2.0 or GPL-2.0 with Classpath-exception-2.0?

These are the only two imports in the JOSM sources:

import javax.annotation.Nonnull;
import javax.annotation.Nullable;

jakarta.annotation also provides Nonnull and Nullable.

Attachments (2)

use-jakarta-annotation.patch (4.0 KB) - added by sebastic 12 months ago.
Use jakarta.annotation instead of javax.annotation.
0001-Use-jakarta.annotation-instead-of-javax.annotation.patch (938 bytes) - added by sebastic 12 months ago.
Use jakarta.annotation instead of javax.annotation in plugins.

Change History (20)

by sebastic, 12 months ago

Use jakarta.annotation instead of javax.annotation.

comment:1 by sebastic, 12 months ago

The attached patch seems to work, JOSM can read and write a PBF file just fine with jakarta.annotation which is the largest user:

$ grep javax.annotation src/org/openstreetmap/ -r
src/org/openstreetmap/josm/data/osm/pbf/Blob.java:import javax.annotation.Nonnull;
src/org/openstreetmap/josm/data/osm/pbf/Blob.java:import javax.annotation.Nullable;
src/org/openstreetmap/josm/data/osm/pbf/HeaderBlock.java:import javax.annotation.Nonnull;
src/org/openstreetmap/josm/data/osm/pbf/HeaderBlock.java:import javax.annotation.Nullable;
src/org/openstreetmap/josm/data/osm/pbf/BlobHeader.java:import javax.annotation.Nonnull;
src/org/openstreetmap/josm/data/osm/pbf/BlobHeader.java:import javax.annotation.Nullable;
src/org/openstreetmap/josm/data/osm/pbf/Info.java:import javax.annotation.Nullable;
src/org/openstreetmap/josm/data/notes/Note.java:import javax.annotation.Nullable;
src/org/openstreetmap/josm/io/OsmPbfReader.java:import javax.annotation.Nonnull;
src/org/openstreetmap/josm/io/OsmPbfReader.java:import javax.annotation.Nullable;
src/org/openstreetmap/josm/io/auth/CredentialsAgent.java:import javax.annotation.Nullable;
src/org/openstreetmap/josm/gui/util/imagery/CameraPlane.java:import javax.annotation.Nullable;
src/org/openstreetmap/josm/gui/layer/geoimage/viewers/projections/Equirectangular.java:import javax.annotation.Nonnull;
src/org/openstreetmap/josm/gui/layer/geoimage/viewers/projections/Equirectangular.java:import javax.annotation.Nullable;

Downloading notes likewise works.

Plugins likely also need to be updated to use jakarta.annotation.

by sebastic, 12 months ago

Use jakarta.annotation instead of javax.annotation in plugins.

comment:2 by sebastic, 12 months ago

Plugins likely also need to be updated to use jakarta.annotation.

Only the imageio plugin uses javax.annotation.

comment:3 by sebastic, 12 months ago

javax.annotation is not included in ivy.xml, it seems to be picked up automatically.

If that doesn't apply to jakarta.annotation you likely also need this change:

--- a/ivy.xml
+++ b/ivy.xml
@@ -21,6 +21,7 @@
     <dependencies>
         <!-- api->default -->
         <dependency conf="api->default" org="org.openstreetmap.jmapviewer" name="jmapviewer" rev="2.16"/>
+        <dependency conf="api->default" org="jakarta.annotation" name="jakarta.annotation-api" rev="2.1.1"/>
         <!-- The javax json dependencies should be removed sometime in 2024 -->
         <dependency conf="api->default" org="javax.json" name="javax.json-api" rev="1.1.4"/>
         <dependency conf="api->default" org="org.glassfish" name="javax.json" rev="1.1.4"/>
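Review bot: The new api->default entry for jakarta.annotation-api is purely additive; nothing in this hunk removes or excludes the javax.annotation artifact, so the CC-BY-2.5 sources would still be resolved next to the replacement. The ticket says javax.annotation is not listed in ivy.xml and seems to be picked up automatically, so the patch should also identify which declared dependency brings it in and drop or exclude it there. A one-line comment above the new entry pointing at #23220, like the removal comment on the javax json entries, would record why it was added.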
@@ -40,6 +41,7 @@
         <dependency conf="api->default" org="org.webjars.npm" name="tag2link" rev="2022.11.28"/>
         <!-- sources->sources -->
         <dependency conf="sources->sources" org="org.openstreetmap.jmapviewer" name="jmapviewer" rev="2.16"/>
+        <dependency conf="sources->sources" org="jakarta.annotation" name="jakarta.annotation-api" rev="2.1.1"/>
         <dependency conf="sources->sources" org="javax.json" name="javax.json-api" rev="1.1.4"/>
         <dependency conf="sources->sources" org="org.glassfish" name="javax.json" rev="1.1.4"/>
         <dependency conf="sources->sources" org="jakarta.json" name="jakarta.json-api" rev="2.1.2"/>
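Review bot: The sources->sources entry repeats rev="2.1.1" from the api->default entry in the first hunk, so the two sections have to be kept in step by hand and can drift. Suggest a build-time check that every sources->sources dependency has an api->default counterpart with the same rev; comment:17 on this ticket shows the two sections diverging after a later cleanup.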

comment:4 by sebastic, 12 months ago

Cc: sebastic added

comment:5 by sebastic, 12 months ago

FWIW, the CC-BY-2.5 licensed code is limited to the javax.annotation.concurrent sources which are not included in jakarta.annotation.

comment:6 by taylor.smock, 12 months ago

The javax.annotation package and subpackages come from JSR305. The pom.xml file distributed in the JAR has the license as Apache 2.0.

I'd really like to know why they think the files are CC-BY-2.5. I've been meaning to open a ticket for changing to something else like the checker framework (the JSR305 jar has other problems). Unfortunately I would still need to keep the dependency around for a while, since some plugins use the annotations from it.

comment:7 by taylor.smock, 12 months ago

Cc: stoecker added

It looks like the javax.annotation.concurrent files are under the CC-BY-2.5 license based off of the source code. I don't know if the author (Brian Goetz) gave special permission to the JSR305 jar file authors or not to dual license it with Apache 2.0. For safety, I'll assume not.

@stoecker: What do you think about switching annotation dependencies?

The current major annotation frameworks are as follows:

  • Checker Framework
    • I've played around with this one before; of specific note is an annotation for units, an annotation for deterministic/side effect free methods, and an annotation for methods that affect the GUI
  • Jakarta Annotations
    • This seems like it might be the closest 1:1 transfer
  • JetBrains Annotations
    • This is licensed under the Apache 2.0 license, not proprietary

in reply to:  6 comment:8 by sebastic, 12 months ago

Replying to taylor.smock:

Unfortunately I would still need to keep the dependency around for a while, since some plugins use the annotations from it.

Which plugins are those? I only found the imageio plugin.

comment:9 by taylor.smock, 12 months ago

We have an ant task for checking binary compatibility, ant check-plugins. I think you need to be running it with Java 8. It also isn't a very fast job, IIRC.

Anyway, of the plugins which we control, these additional plugins use annotations from the JSR305 jar:

  • Mapillary
  • Streetside
  • MapRoulette
  • MapWithAI
  • Wikipedia

As a general rule, I tend to prefer to give plugins some time to update before breaking compatibility. For example, I added the jakarta.json dependencies in r18723 (2023-05-10), with the intention of removing the javax.json dependencies in December (see #22941). There are also a bunch of @Deprecated methods that we still have in JOSM that were deprecated years ago.

So once we decide which annotations library to use instead of JSR305, there will be at least 6 months before we completely remove the JSR305 annotations from the distributed jar file.

comment:10 by taylor.smock, 12 months ago

@stoecker: Do you have any preference for the annotation library we switch to?

Sizes:

  • checker: 219kb
  • jakarta: 25.5kb
  • jetbrains: 29.9kb

comment:11 by stoecker, 12 months ago

One of the smaller ones ;-)

comment:12 by taylor.smock, 12 months ago

In 18877/josm:

See #23220: Use jakarta.annotation instead of javax.annotation (JSR305)

jsr305 should be removed in June 2024 to give plugins time to migrate.

Some lint issues were also fixed.

comment:13 by taylor.smock, 12 months ago

Milestone: 23.10 → 24.06
Version: tested

comment:14 by taylor.smock, 12 months ago

In 36180/osm:

See #23220: Use jakarta.annotation instead of javax.annotation (JSR305)

Some lint issues were also fixed.

comment:15 by stoecker, 3 months ago

Milestone: 24.06 → 24.07

Milestone closed.

comment:16 by taylor.smock, 3 months ago

Resolution: fixed
Status: new → closed

In 19148/josm:

Dependency updates

ivy.xml

  • Remove old dependencies (javax.json, jsr305 -- fixes #23220)
  • JMapViewer: 2.19 -> 2.20 - fixes deadlock when Bing attribution cannot be loaded (see #23721)
  • Wiremock: 3.6.0 -> 3.8.0
  • Various other minor dependency updates

in reply to:  16 comment:17 by sebastic, 2 months ago

Replying to taylor.smock:

In 19148/josm:

Dependency updates

ivy.xml

  • Remove old dependencies (javax.json, jsr305 -- fixes #23220)
  • JMapViewer: 2.19 -> 2.20 - fixes deadlock when Bing attribution cannot be loaded (see #23721)
  • Wiremock: 3.6.0 -> 3.8.0
  • Various other minor dependency updates

The javax dependencies are still present in the sources section, patch:

--- a/ivy.xml
+++ b/ivy.xml
@@ -36,15 +36,11 @@
         <dependency conf="api->default" org="org.webjars.npm" name="tag2link" rev="2024.7.8"/>
         <!-- sources->sources -->
         <dependency conf="sources->sources" org="org.openstreetmap.jmapviewer" name="jmapviewer" rev="2.20"/>
-        <dependency conf="sources->sources" org="javax.json" name="javax.json-api" rev="1.1.4"/>
-        <dependency conf="sources->sources" org="org.glassfish" name="javax.json" rev="1.1.4"/>
         <dependency conf="sources->sources" org="jakarta.json" name="jakarta.json-api" rev="2.1.3"/>
         <dependency conf="sources->sources" org="org.eclipse.parsson" name="parsson" rev="1.1.6"/>
         <dependency conf="sources->sources" org="org.apache.commons" name="commons-jcs3-core" rev="3.2.1"/>
         <dependency conf="sources->sources" org="org.apache.commons" name="commons-compress" rev="1.26.2"/>
         <dependency conf="sources->sources" org="jakarta.annotation" name="jakarta.annotation-api" rev="2.1.1" />
-        <!-- jsr305 has some source files with non-free CC-BY-2.5 license. Remove after 2024-06-01 to give plugins time to migrate. See #23220 for details -->
-        <dependency conf="sources->sources" org="com.google.code.findbugs" name="jsr305" rev="3.0.2"/>
         <dependency conf="sources->sources" org="org.tukaani" name="xz" rev="1.9"/>
         <dependency conf="sources->sources" org="com.adobe.xmp" name="xmpcore" rev="6.1.11"/>
         <dependency conf="sources->sources" org="com.drewnoakes" name="metadata-extractor" rev="2.19.0" transitive="false"/>
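Review bot: Deleting the jsr305 entry also deletes the comment that records why the artifact is unwanted (non-free CC-BY-2.5 sources, #23220), so after this change nothing in ivy.xml warns against re-adding it. Consider keeping a short note in place of the removed lines, and confirm that the rebuilt source JAR no longer contains files under javax/annotation/concurrent, the package comment:5 identifies as CC-BY-2.5 licensed. Minor style point: the retained jakarta.annotation-api context line ends in " />" while the other entries use "/>".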
Last edited 2 months ago by sebastic

comment:18 by taylor.smock, 2 months ago

In 19161/josm:

See #23220: Remove jsr305 from dependencies (patch by sebastic)

I (taylor.smock) didn't remove the dependencies from the sources section in r19148.
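
A consistency check for the gap reported in comment:17 and fixed in comment:18, as an added example that is not JOSM's own build code: it parses an ivy.xml and reports dependencies declared under sources->sources that have no api->default counterpart, plus revision mismatches between the two sections. The embedded fragment is constructed from lines quoted on this page, and the function names deps_by_conf and audit are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed ivy.xml fragment modelled on the state described in comment:17:
# the api entries for javax.json and jsr305 are gone, the sources entries remain.
SAMPLE_IVY = """\
<ivy-module version="2.0">
  <dependencies>
    <dependency conf="api->default" org="org.openstreetmap.jmapviewer" name="jmapviewer" rev="2.20"/>
    <dependency conf="api->default" org="jakarta.json" name="jakarta.json-api" rev="2.1.3"/>
    <dependency conf="api->default" org="jakarta.annotation" name="jakarta.annotation-api" rev="2.1.1"/>
    <dependency conf="sources->sources" org="org.openstreetmap.jmapviewer" name="jmapviewer" rev="2.20"/>
    <dependency conf="sources->sources" org="javax.json" name="javax.json-api" rev="1.1.4"/>
    <dependency conf="sources->sources" org="jakarta.json" name="jakarta.json-api" rev="2.1.3"/>
    <dependency conf="sources->sources" org="jakarta.annotation" name="jakarta.annotation-api" rev="2.1.1" />
    <dependency conf="sources->sources" org="com.google.code.findbugs" name="jsr305" rev="3.0.2"/>
  </dependencies>
</ivy-module>
"""

def deps_by_conf(ivy_xml):
    """Map each conf string to {(org, name): rev} for its <dependency> entries."""
    result = {}
    for dep in ET.fromstring(ivy_xml).iter("dependency"):
        key = (dep.get("org"), dep.get("name"))
        result.setdefault(dep.get("conf"), {})[key] = dep.get("rev")
    return result

def audit(ivy_xml, binary="api->default", sources="sources->sources"):
    """Return (orphans, mismatches) between the sources and binary sections."""
    confs = deps_by_conf(ivy_xml)
    api, src = confs.get(binary, {}), confs.get(sources, {})
    # Sources-only entries: nothing depends on the binary any more,
    # yet the sources would still be fetched for the source JAR.
    orphans = sorted(k for k in src if k not in api)
    mismatches = sorted((k, api[k], src[k]) for k in src if k in api and api[k] != src[k])
    return orphans, mismatches

if __name__ == "__main__":
    orphans, mismatches = audit(SAMPLE_IVY)
    for org, name in orphans:
        print(f"sources-only dependency: {org}:{name}")
    for (org, name), api_rev, src_rev in mismatches:
        print(f"rev mismatch for {org}:{name}: api={api_rev} sources={src_rev}")
```
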
