Dependency to org.json in 0.10.0

Open wetneb opened this issue 4 years ago • 10 comments

Version 0.10.0 depends on org.json:json:20190722.

The license of this library is the "JSON license", which is not OSI compliant: http://json.org/license.html.

See for instance https://lwn.net/Articles/707510/ for an explanation of this issue.

wetneb avatar Dec 30 '21 14:12 wetneb

Oh, I feel(ed) safe as using the following Apache release auditing tool: https://creadur.apache.org/

`mvn install -Ppedantic`

The library was used by OpenXChange to handle the JSON for the ODF operations being dispatched. If someone likes to exchange the lib then I would love to have one with JSON Objects as well encapsulated with the Map interface and the sequences with the List interface so the serialization type does not have to be "hard coded" - perhaps there are different ways as well, just remembering when making this note. :-)

svanteschubert avatar Dec 30 '21 14:12 svanteschubert

Hi, maintainer of OpenRefine in Debian here. I just wanted to let you know that the non-free dependency of the org.json:json artifact prevents upgrades to newer versions of odfdom in Debian. There are several alternatives available like json-simple or jackson. There is also a cleanroom reimplementation from Google's Android SDK, e.g. https://mvnrepository.com/artifact/com.vaadin.external.google/android-json/0.0.20131108.vaadin1.

See also https://wiki.debian.org/qa.debian.org/jsonevil

I tried to replace org.json:json with this one because it is almost a drop-in-replacement. However it requires a lot of modifications in regard to adding new JSONExceptions hence why I didn't pursue this goal further. However I wanted to attach a preliminary patch just to show that the rest seems pretty much straightforward.

https://gist.github.com/apoleon/2a7118b5ce05cc45d9fb59a4f0f341a8

apoleon avatar May 23 '22 12:05 apoleon

You might need to exchange the pom.xml dependency to the JSON lib you like to change to, too. Otherwise, you won't be able to test the build. Obviously, the solution to your problem is that the JSON library has to be exchanged with a different one. The former JSON library was used by Open-XChange and it was part of their contribution and set at this time - likely they were not aware of the license problem. This won't likely be any priority of mine in the short future but I am happy to review any pull request that changes this problem.

svanteschubert avatar May 23 '22 14:05 svanteschubert

Oh, I did change the dependency in pom.xml of course. This is probably a misunderstanding. I meant the JSONException class is new when I compared the free reimplementation from Google with org.json:json and that has to be fixed by adding new throws or try/catch blocks in your code.

apoleon avatar May 23 '22 15:05 apoleon

@apoleon Hej Markus, the pom.xml was not listed in the files of https://gist.github.com/apoleon/2a7118b5ce05cc45d9fb59a4f0f341a8 that's why I mentioned it and btw I could not apply this patch, neither with 'git am'. If there is an applicable patch that builds with no test failing, be sure that I am more than willing to merge it! :-)

svanteschubert avatar May 23 '22 15:05 svanteschubert

Hey, yeah, I tried with

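```xml
<dependency>
  <groupId>com.vaadin.external.google</groupId>
  <artifactId>android-json</artifactId>
  <version>0.0.20131108.vaadin1</version>
</dependency>
```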

and Debian's version of https://packages.debian.org/sid/libandroid-json-java. Unfortunately there is no corresponding artifact on maven.org (yet). The preliminary patch is based on odfdom 0.9.0~RC2. I guess the goal is to get rid of org.json:json but keep the changes as minimal as possible. I can try again in a few weeks and will base the final patch on git master then.

apoleon avatar May 23 '22 15:05 apoleon

Cool thanks! There was quite a change between 0.9.0 and 0.10.0 - AFAIR only the latter includes the JSON lib. As you said a new branch based on the current master would be the best idea!

No hurry from my side and good luck! :-)

svanteschubert avatar May 23 '22 18:05 svanteschubert

@wetneb @svanteschubert Hi all, sorry for not informing you sooner but I believe this issue has resolved itself. In August 2022 the original author of org.json json, Douglas Crockford, decided to change the license and put the code into the public domain. This was the relevant commit. It was already pointed out by other people that "public domain" is not a world-wide accepted concept in all jurisdictions. However as far as Debian is concerned, software in the public domain is DFSG-free software and thus accepted into the main distribution of Debian. Other vendors handle it the same way. Hence I believe this issue has been resolved and a code change in odftoolkit is not necessary anymore.

I also made sure that the master branch of odftoolkit depends on an up-to-date artifact of org.json:json that contains the license change. @wetneb I suggest to update odftoolkit in OpenRefine to this version or the next release, presumably 0.12.0. Note that 0.11.0 still depends on an older artifact which is still licensed under the non-free license.

apoleon avatar Dec 17 '23 09:12 apoleon

Thanks for the heads up! @svanteschubert do you have any estimate of when 0.12.0 should be published?

wetneb avatar Dec 17 '23 10:12 wetneb

@wetneb I'll talk with Michael Stahl tomorrow. We could release a version with all the new dependencies and current fixes. But not before I finished my taxes! ;-) Regarding the larger upcoming release: I am a bit stuck with the generation update (some paid task was interleaving and now I procrastinate a bit to wrap my head around that complexity) - perhaps ahead / during FOSDEM with these major changes of generation.

svanteschubert avatar Dec 17 '23 10:12 svanteschubert

@wetneb If you take a look at the history of the license file of the JSON lib https://github.com/stleary/JSON-java/commits/master/LICENSE, you will see that the sentence quoted in your initially mentioned blog post "The Software shall be used for Good, not Evil." had been removed, and only the line "Public Domain." remains in the license file: https://github.com/stleary/JSON-java/blob/master/LICENSE Also, being part of the version we are currently using. If this license is not sufficient, I suggest raising an issue directly at https://github.com/stleary/JSON-java

If this was a problem and you managed to solve it, or there is a patch to replace the existing JSON library, I am happy to reopen this issue.

Fingers crossed...

svanteschubert avatar May 10 '25 23:05 svanteschubert

I think this will be solved once I get to the point to make odftoolkit fully jigsaw compatible (provide a module-info). Last I checked, json-java did not provide a module-info and some years ago the maintainer rejected two patches made by different people based on fears a module-info would break the build for people working with java 6 and it seems not much has changed. Jackson is a nice json library for java😉

xzel23 avatar May 11 '25 14:05 xzel23

@xzel23 I heard a lot of rumours about problems with the json.org maintainer, so I am happy with any patch that ends these quarrels. 🤗

svanteschubert avatar May 11 '25 14:05 svanteschubert