Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependency to org.json in 0.10.0 #144

Open
wetneb opened this issue Dec 30, 2021 · 10 comments
Open

Dependency to org.json in 0.10.0 #144

wetneb opened this issue Dec 30, 2021 · 10 comments
Labels
good first issue Good for newcomers help wanted Extra attention is needed

Comments

@wetneb
Copy link
Contributor

wetneb commented Dec 30, 2021

Version 0.10.0 depends on org.json:json:20190722.

The license of this library is the "JSON license", which is not OSI compliant: http://json.org/license.html.

See for instance https://lwn.net/Articles/707510/ for an explanation of this issue.

@svanteschubert
Copy link
Contributor

Oh, I feel(ed) safe as using the following Apache release auditing tool: https://creadur.apache.org/
mvn install -Ppedantic

The library was used by OpenXChange to handle the JSON for the ODF operations being dispatched.
If someone likes to exchange the lib than I would love to have one with JSON Objects as well capsulated with the Map interface and the sequences with the List interface so the serialization type does not have to be "hard coded" - perhaps there are different ways as well, just remembering when making this note. :-)

@apoleon
Copy link

apoleon commented May 23, 2022

Hi, maintainer of OpenRefine in Debian here. I just wanted to let you know that the non-free dependency of the org.json:json artifact prevents upgrades to newer versions of odfdom in Debian. There are several alternatives available like json-simple or jackson. There is also a cleanroom reimplementation from Google's Android SDK, e.g. https://mvnrepository.com/artifact/com.vaadin.external.google/android-json/0.0.20131108.vaadin1.

See also https://wiki.debian.org/qa.debian.org/jsonevil

I tried to replace org.json:json with this one because it is almost a drop-in-replacement. However it requires a lot of modifications in regard to adding new JSONExceptions hence why I didn't pursue this goal further. However I wanted to attach a preliminary patch just to show that the rest seems pretty much straightforward.

https://gist.github.com/apoleon/2a7118b5ce05cc45d9fb59a4f0f341a8

@mistmist mistmist added help wanted Extra attention is needed good first issue Good for newcomers labels May 23, 2022
@svanteschubert
Copy link
Contributor

svanteschubert commented May 23, 2022 via email

@apoleon
Copy link

apoleon commented May 23, 2022

Oh, I did change the dependency in pom.xml of course. This is probably a misunderstanding. I meant the JSONException class is new when I compared the free reimplementation from Google with org.json:json and that has to be fixed by adding new throws or try/catch blocks in your code.

@svanteschubert
Copy link
Contributor

@apoleon Hej Markus, the pom.xml was not listed in the files of
https://gist.github.com/apoleon/2a7118b5ce05cc45d9fb59a4f0f341a8
that's why I mentioned it and btw I could not apply this patch, neither with 'git am'.
If there is an applicable patch that builds with no test failing, be sure that I am more than willing to merge it! :-)

@apoleon
Copy link

apoleon commented May 23, 2022

Hey, yeah, I tried with

com.vaadin.external.google android-json 0.0.20131108.vaadin1

and Debian's version of https://packages.debian.org/sid/libandroid-json-java. Unfortunately there is no corresponding artifact on maven.org (yet). The preliminary patch is based on odfdom 0.9.0~RC2. I guess the goal is to get rid of org.json:json but keep the changes as minimal as possible. I can try again in a few weeks and will base the final patch on git master then.

@svanteschubert
Copy link
Contributor

Cool thanks!
There was quite a change between 0.9.0 and 0.10.0 - AFAIR only the latter includes the JSON lib.
As you said a new branch based on the current master would be the best idea!

No hurry from my side and good luck! :-)

@apoleon
Copy link

apoleon commented Dec 17, 2023

@wetneb @svanteschubert Hi all, sorry for not informing you sooner but I believe this issue has resolved itself. In August 2022 the original author of org.json json, Douglas Crockford, decided to change the license and put the code into the public domain. This was the relevant commit. It was already pointed out by other people that "public domain" is not a world-wide accepted concept in all jurisdictions. However as far as Debian is concerned, software in the public domain, is DFSG-free software and thus accepted into the main distribution of Debian. Other vendors handle it the same way. Hence I believe this issue has been resolved and a code change in odftoolkit is not necessary anymore. I also made sure that the master branch of odftoolkit depends on an up-to-date artifact of org.json:json that contains the license change. @wetneb I suggest to update odftoolkit in OpenRefine to this version or the next release, presumably 0.12.0. Note that 0.11.0 still depends on an older artifact which is still licensed under the non-free license.

@wetneb
Copy link
Contributor Author

wetneb commented Dec 17, 2023

Thanks for the heads up! @svanteschubert do you have any estimate of when 0.12.0 should be published?

@svanteschubert
Copy link
Contributor

@wetneb I'll talk with Michael Stahl tomorrow. We could release a version with all the new dependencies and current fixes. But not before I finished my taxes! ;-)
Regarding the larger upcoming release: I am a bit stuck with the generation update (some paid task was interleaving and now I procrastinate a bit to wrap my head around that complexity) - perhaps ahead / during FOSDEM with these major changes of generation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
good first issue Good for newcomers help wanted Extra attention is needed
Projects
None yet
Development

No branches or pull requests

4 participants