Dependency on net.jcip:jcip-annotations library creates licensing issues

Issue #180 resolved
Allen Hadden created an issue

We'd like to use Nimbus-JOSE-JWT in a project, but cannot get legal approval as it is because it currently depends on net.jcip:jcip-annotations, which has a Creative Commons Attribution license. This license is not recommended for software products (see https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software).

There is at least one project that has worked around this issue for jcip-annotations by clean-rooming an implementation based on the JavaDocs. See https://github.com/stephenc/jcip-annotations

We can force our project to use that clean-roomed implementation instead of the "real" one as a workaround, but I thought I'd raise this as an issue to see if you have any interest in either using the alternate library, or perhaps removing the usage of the library.

I wasn't sure whether to log this as a bug or an enhancement.

Comments (6)

  1. Allen Hadden reporter

    It does appear to be a 1:1 impl. Note that they're just simple annotations. There's no "real" code in that JAR.

    It seems that the annotations are referenced in a book (Java Concurrency in Practice). I just read part of the book in Safari Online and it seems that they're used for documenting the intended thread-safe behavior of a class.

    I looked in our project (which is fairly large) and we have about 5 different implementation of all of those annotations in various packages. It seems like these other projects that we include noticed the issue and just made their own version of the annotations, since the annotations are really just used to document intended behavior.

    What a mess, possibly started by an oversight in how the original library was licensed.

  2. Vladimir Dzhuvinov

    Hi Allen,

    The JCIP licensing issue is closed now, check out the new v4.17 (should be on Maven Central shortly).

    Thanks,

    Vlad

  3. Log in to comment