Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Don't use JSR-305 dependency #51

Closed
aalmiray opened this issue Mar 25, 2023 · 1 comment
Closed

Don't use JSR-305 dependency #51

aalmiray opened this issue Mar 25, 2023 · 1 comment
Labels
dependencies Pull requests that update a dependency file
Milestone
1.6.0

Comments

@aalmiray
Copy link
Contributor

From rsocket/rsocket-java#423

There are several issues with using jsr305.jar by RSocket.

JSR-305 is dormant, has been for a long while and shows no hope of ever producing an agreed set of annotations in our lifetime. Further more these annotations use javax. packages which it is not possible to use according to the Oracle Java binary licence, so applications can not use and ship these dependencies along with a JRE without violating the Oracle licence agreement.

F. JAVA TECHNOLOGY RESTRICTIONS. You may not create, modify, or change the behavior of, or authorize your licensees to create, modify, or change the behavior of, classes, interfaces, or subpackages that are in any way identified as "java", "javax", "sun", “oracle” or similar convention as specified by Oracle in any naming convention designation.

The JSR-305 group has not defined any official releases according to its jsr page so the only implementations is a seemingly random implementation provided by the FindBugs team. Even if the team where experts on the JSR (which some where) they are not official as there has been no vote and are not available from the JSR hompage - so the javax package name restriction still applies.

Using jsr305 causes additional issues, if RSocket is used in a modular JDK9 applications, because it puts the annotations into javax.annotation package, which is also used by a couple of other JAR-s (including the officially released JSR-250) and a legacy JDK module java.xml.ws.annotation. If one wants to create a modular JDK9 application that depends on both JSR-305 and JSR-250, Java 9 refuses to compile it.

Findbugs has been rebooted as Spotbugs and they are going to make a switch from JSR-305 to their own internal annotations in version 4.0.0 that do not break anything:

spotbugs/spotbugs#180

I think RSocket should consider switching to them in order not to pollute application dependencies with jsr305 JAR.

Spotbugs appears to be a suitable alternative.
@sbaudoin sbaudoin added this to the 1.6.0 milestone Nov 2, 2023
@sbaudoin sbaudoin added the enhancement New feature or request label Nov 2, 2023
@sbaudoin
Copy link
Owner

sbaudoin commented Nov 7, 2023
edited
Loading

Will just get rid of JSR305 and Findbugs. Thanks for pointing out. The API will lack understandability, though.

sbaudoin added a commit that referenced this issue Nov 7, 2023
@sbaudoin
Removed Findbugs (issue #51)
bc018e9
sbaudoin added a commit that referenced this issue Nov 7, 2023
@sbaudoin
Removed use of JSR305 and Findbugs (issue #51)
dfa319d
sbaudoin added a commit that referenced this issue Nov 7, 2023
@sbaudoin
Removed use of JSR305 and Findbugs (issue #51)
ffd4d91
@sbaudoin sbaudoin closed this as completed Nov 7, 2023
@sbaudoin sbaudoin added dependencies Pull requests that update a dependency file and removed enhancement New feature or request labels Nov 7, 2023
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
1.6.0
Development

No branches or pull requests
2 participants
@aalmiray @sbaudoin