Dependency to org.json in 0.10.0 #144
Comments
|
Oh, I feel(ed) safe as using the following Apache release auditing tool: https://creadur.apache.org/ The library was used by OpenXChange to handle the JSON for the ODF operations being dispatched. |
|
Hi, maintainer of OpenRefine in Debian here. I just wanted to let you know that the non-free dependency of the org.json:json artifact prevents upgrades to newer versions of odfdom in Debian. There are several alternatives available like json-simple or jackson. There is also a cleanroom reimplementation from Google's Android SDK, e.g. https://mvnrepository.com/artifact/com.vaadin.external.google/android-json/0.0.20131108.vaadin1. See also https://wiki.debian.org/qa.debian.org/jsonevil I tried to replace org.json:json with this one because it is almost a drop-in-replacement. However it requires a lot of modifications in regard to adding new JSONExceptions hence why I didn't pursue this goal further. However I wanted to attach a preliminary patch just to show that the rest seems pretty much straightforward. https://gist.github.com/apoleon/2a7118b5ce05cc45d9fb59a4f0f341a8 |
mistmist
added
help wanted
|
You might need to exchange the pom.xml dependency to the JSON lib you like
to change to, too. Otherwise, you won't be able to test the build.
Obviously the solution of your problem, is that the JSON library has to be
exchanged with a different one.
The former JSON library was used by Open-XChange and it was part of their
contribution and set at this time - likely they were not aware of the
license problem.
This won't be likely any priority of mine in the short future but I am
happy to review any pull request that changes this problem.
Am Mo., 23. Mai 2022 um 14:53 Uhr schrieb Markus Koschany <
***@***.***>:
… Hi, maintainer of OpenRefine in Debian here. I just wanted to let you know
that the non-free dependency of the org.json:json artifact prevents
upgrades to newer versions of odfdom in Debian. There are several
alternatives available like json-simple or jackson. There is also a
cleanroom reimplementation from Google's Android SDK, e.g.
https://mvnrepository.com/artifact/com.vaadin.external.google/android-json/0.0.20131108.vaadin1
.
See also https://wiki.debian.org/qa.debian.org/jsonevil
I tried to replace org.json:json with this one because it is almost a
drop-in-replacement. However it requires a lot of modifications in regard
to adding new JSONExceptions hence why I didn't pursue this goal further.
However I wanted to attach a preliminary patch just to show that the rest
seems pretty much straightforward.
https://gist.github.com/apoleon/2a7118b5ce05cc45d9fb59a4f0f341a8
—
Reply to this email directly, view it on GitHub
<#144 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGJNW673J6EEXIQDDYYGJDVLN5VZANCNFSM5K7ZLBVA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
Oh, I did change the dependency in pom.xml of course. This is probably a misunderstanding. I meant the JSONException class is new when I compared the free reimplementation from Google with org.json:json and that has to be fixed by adding new throws or try/catch blocks in your code. |
|
@apoleon Hej Markus, the pom.xml was not listed in the files of |
|
Hey, yeah, I tried with com.vaadin.external.google android-json 0.0.20131108.vaadin1and Debian's version of https://packages.debian.org/sid/libandroid-json-java. Unfortunately there is no corresponding artifact on maven.org (yet). The preliminary patch is based on odfdom 0.9.0~RC2. I guess the goal is to get rid of org.json:json but keep the changes as minimal as possible. I can try again in a few weeks and will base the final patch on git master then. |
|
Cool thanks! No hurry from my side and good luck! :-) |
|
@wetneb @svanteschubert Hi all, sorry for not informing you sooner but I believe this issue has resolved itself. In August 2022 the original author of org.json json, Douglas Crockford, decided to change the license and put the code into the public domain. This was the relevant commit. It was already pointed out by other people that "public domain" is not a world-wide accepted concept in all jurisdictions. However as far as Debian is concerned, software in the public domain, is DFSG-free software and thus accepted into the main distribution of Debian. Other vendors handle it the same way. Hence I believe this issue has been resolved and a code change in odftoolkit is not necessary anymore. I also made sure that the master branch of odftoolkit depends on an up-to-date artifact of org.json:json that contains the license change. @wetneb I suggest to update odftoolkit in OpenRefine to this version or the next release, presumably 0.12.0. Note that 0.11.0 still depends on an older artifact which is still licensed under the non-free license. |
|
Thanks for the heads up! @svanteschubert do you have any estimate of when 0.12.0 should be published? |
|
@wetneb I'll talk with Michael Stahl tomorrow. We could release a version with all the new dependencies and current fixes. But not before I finished my taxes! ;-) |
Version 0.10.0 depends on
org.json:json:20190722.The license of this library is the "JSON license", which is not OSI compliant: http://json.org/license.html.
See for instance https://lwn.net/Articles/707510/ for an explanation of this issue.
The text was updated successfully, but these errors were encountered: