#23220 closed defect (fixed)
javax.annotation uses non-free CC-BY-2.5 license
Reported by: | sebastic | Owned by: | team |
---|---|---|---|
Priority: | normal | Milestone: | 24.07 |
Component: | Core | Version: | |
Keywords: | Cc: | sebastic, stoecker |
Description
JOSM uses javax.annotation and includes its sources in the source JAR.
In Debian Bug #1053542 one of the Debian FTP masters pointed out that the CC-BY-2.5 license is considered non-free.
From https://wiki.debian.org/DFSGLicenses:
In contrast to the CC BY-SA 1.0 license, version 3.0 is considered to be compatible to the DFSG. In addition, the version 2.0 and 2.5 are NOT transitively compatible because of clause 4b, since that only allows redistribution of derivative works under later versions of the license.
Can we switch to jakarta.annotation which uses EPL-2.0 or GPL-2.0 with Classpath-exception-2.0?
These are the only two import in the JOSM sources:
import javax.annotation.Nonnull; import javax.annotation.Nullable;
jakarta.annotation also provides Nonull and Nullable.
Attachments (2)
Change History (20)
by , 12 months ago
Attachment: | use-jakarta-annotation.patch added |
---|
comment:1 by , 12 months ago
The attached patch seems to work, JOSM can read and write a PBF file just fine with jakarta.annotation which is the largest user:
$ grep javax.annotation src/org/openstreetmap/ -r src/org/openstreetmap/josm/data/osm/pbf/Blob.java:import javax.annotation.Nonnull; src/org/openstreetmap/josm/data/osm/pbf/Blob.java:import javax.annotation.Nullable; src/org/openstreetmap/josm/data/osm/pbf/HeaderBlock.java:import javax.annotation.Nonnull; src/org/openstreetmap/josm/data/osm/pbf/HeaderBlock.java:import javax.annotation.Nullable; src/org/openstreetmap/josm/data/osm/pbf/BlobHeader.java:import javax.annotation.Nonnull; src/org/openstreetmap/josm/data/osm/pbf/BlobHeader.java:import javax.annotation.Nullable; src/org/openstreetmap/josm/data/osm/pbf/Info.java:import javax.annotation.Nullable; src/org/openstreetmap/josm/data/notes/Note.java:import javax.annotation.Nullable; src/org/openstreetmap/josm/io/OsmPbfReader.java:import javax.annotation.Nonnull; src/org/openstreetmap/josm/io/OsmPbfReader.java:import javax.annotation.Nullable; src/org/openstreetmap/josm/io/auth/CredentialsAgent.java:import javax.annotation.Nullable; src/org/openstreetmap/josm/gui/util/imagery/CameraPlane.java:import javax.annotation.Nullable; src/org/openstreetmap/josm/gui/layer/geoimage/viewers/projections/Equirectangular.java:import javax.annotation.Nonnull; src/org/openstreetmap/josm/gui/layer/geoimage/viewers/projections/Equirectangular.java:import javax.annotation.Nullable;
Downloading notes likewise works.
Plugins likely also need to be updated to use jakarta.annotation.
by , 12 months ago
Attachment: | 0001-Use-jakarta.annotation-instead-of-javax.annotation.patch added |
---|
Use jakarta.annotation instead of javax.annotation in plugins.
comment:2 by , 12 months ago
Plugins likely also need to be updated to use jakarta.annotation.
Only the imageio plugin uses javax.annotation.
comment:3 by , 12 months ago
javax.annotation
is not included in ivy.xml
, it seems to be picked up automatically.
If that doesn't apply to jakarta.annotation
you likely also need this change:
--- a/ivy.xml +++ b/ivy.xml @@ -21,6 +21,7 @@ <dependencies> <!-- api->default --> <dependency conf="api->default" org="org.openstreetmap.jmapviewer" name="jmapviewer" rev="2.16"/> + <dependency conf="api->default" org="jakarta.annotation" name="jakarta.annotation-api" rev="2.1.1"/> <!-- The javax json dependencies should be removed sometime in 2024 --> <dependency conf="api->default" org="javax.json" name="javax.json-api" rev="1.1.4"/> <dependency conf="api->default" org="org.glassfish" name="javax.json" rev="1.1.4"/> @@ -40,6 +41,7 @@ <dependency conf="api->default" org="org.webjars.npm" name="tag2link" rev="2022.11.28"/> <!-- sources->sources --> <dependency conf="sources->sources" org="org.openstreetmap.jmapviewer" name="jmapviewer" rev="2.16"/> + <dependency conf="sources->sources" org="jakarta.annotation" name="jakarta.annotation-api" rev="2.1.1"/> <dependency conf="sources->sources" org="javax.json" name="javax.json-api" rev="1.1.4"/> <dependency conf="sources->sources" org="org.glassfish" name="javax.json" rev="1.1.4"/> <dependency conf="sources->sources" org="jakarta.json" name="jakarta.json-api" rev="2.1.2"/>
comment:4 by , 12 months ago
Cc: | added |
---|
comment:5 by , 12 months ago
FWIW, the CC-BY-2.5 licensed code is limited to the javax.annotation.concurrent sources which are not included in jakarta.annotation.
follow-up: 8 comment:6 by , 12 months ago
The javax.annotation package and subpackages comes from JSR305. The pom.xml file distributed in the JAR has the license as Apache 2.0.
I'd really like to know why they think the files are CC-BY-2.5. I've been meaning to open a ticket for changing to something else like the checker framework (the JSR305 jar has other problems). Unfortunately I would still need to keep the dependency around for awhile, since some plugins use the annotations from it.
comment:7 by , 12 months ago
Cc: | added |
---|
It looks like the javax.annotation.concurrent files are under the CC-By-2.5 license based off of the source code. I don't know if the author (Brian Goetz) gave special permission to the JSR305 jar file authors or not to dual license it with apache 2.0. For safety, I'll assume not.
@stoecker: What do you think about switching annotation dependencies?
The current major annotation frameworks are as follows:
- Checker Framework
- I've played around with this one before; of specific note is an annotation for units, an annotation for deterministic/side effect free methods, and an annotation for methods that affect the GUI
- Jakarta Annotations
- This seems like it might be the closest 1:1 transfer
- JetBrains Annotations
- This is licensed under the Apache 2.0 license, not proprietary
comment:8 by , 12 months ago
Replying to taylor.smock:
Unfortunately I would still need to keep the dependency around for awhile, since some plugins use the annotations from it.
Which plugins are those? I only found the imageio plugin.
comment:9 by , 12 months ago
We have a ant task for checking binary compatibility, ant check-plugins
. I think you need to be running it with Java 8. It also isn't a very fast job, IIRC.
Anyway, of the plugins which we control, these additional plugins use annotations from the JSR305 jar:
- Mapillary
- Streetside
- MapRoulette
- MapWithAI
- Wikipedia
As a general rule, I tend to prefer to give plugins some time to update before breaking compatibility. For example, I added the jakarta.json
dependencies in r18723 (2023-05-10), with the intention of removing the javax.json dependencies in December (see #22941). There are also a bunch of @Deprecated
methods that we still have in JOSM that were deprecated years ago.
So once we decide which annotations library to use instead of JSR305, there will be at least 6 months before we completely remove the JSR305 annotations from the distributed jar file.
comment:10 by , 12 months ago
@stoecker: Do you have any preference for the annotation library we switch to?
Sizes:
- checker: 219kb
- jakarta: 25.5kb
- jetbrains: 29.9kb
comment:13 by , 12 months ago
Milestone: | 23.10 → 24.06 |
---|---|
Version: | tested |
comment:17 by , 2 months ago
Replying to taylor.smock:
In 19148/josm:
The javax dependencies are still present in the sources section, patch:
--- a/ivy.xml +++ b/ivy.xml @@ -36,15 +36,11 @@ <dependency conf="api->default" org="org.webjars.npm" name="tag2link" rev="2024.7.8"/> <!-- sources->sources --> <dependency conf="sources->sources" org="org.openstreetmap.jmapviewer" name="jmapviewer" rev="2.20"/> - <dependency conf="sources->sources" org="javax.json" name="javax.json-api" rev="1.1.4"/> - <dependency conf="sources->sources" org="org.glassfish" name="javax.json" rev="1.1.4"/> <dependency conf="sources->sources" org="jakarta.json" name="jakarta.json-api" rev="2.1.3"/> <dependency conf="sources->sources" org="org.eclipse.parsson" name="parsson" rev="1.1.6"/> <dependency conf="sources->sources" org="org.apache.commons" name="commons-jcs3-core" rev="3.2.1"/> <dependency conf="sources->sources" org="org.apache.commons" name="commons-compress" rev="1.26.2"/> <dependency conf="sources->sources" org="jakarta.annotation" name="jakarta.annotation-api" rev="2.1.1" /> - <!-- jsr305 has some source files with non-free CC-BY-2.5 license. Remove after 2024-06-01 to give plugins time to migrate. See #23220 for details --> - <dependency conf="sources->sources" org="com.google.code.findbugs" name="jsr305" rev="3.0.2"/> <dependency conf="sources->sources" org="org.tukaani" name="xz" rev="1.9"/> <dependency conf="sources->sources" org="com.adobe.xmp" name="xmpcore" rev="6.1.11"/> <dependency conf="sources->sources" org="com.drewnoakes" name="metadata-extractor" rev="2.19.0" transitive="false"/>
Use jakarta.annotation instead of javax.annotation.