Gradle 2.4-rc1 introduces a non-free dependency

mizdebsk · April 27, 2015, 8:50am

During licensing review of Gradle 2.4 in Fedora we found out that it introduces a new dependency, aws-java-sdk, which is non-free.

Most of the code in aws-java-sdk is licensed under Apache License Version 2, just like Gradle, but a few utility classes used for JSON support are non-free. These classes contain a clause that contains usage restrictions (“The Software shall be used for Good, not Evil.”), see the license file and source of class com.amazonaws.util.json.JSONArray.

Such usage restriction makes the license incompatible with The Open Source Definition and The Free Software Definition. Because Gradle binary distribution includes this software, it effectively becomes proprietary software itself.

I think this is a serious issue and should be fixed ASAP.

Rene · April 27, 2015, 9:04am

Thanks for reporting. Investigating…

luke_daley · April 28, 2015, 6:32am

Hi @mizdebsk,

The distribution of Gradle included in Fedora is already different (e.g. version of Ivy library used is changed). Would it be possible for 2.4 to simply exclude the AWS support?

We started a discussion internally on what we’d need to do in order to modify our build and release process to make it easier to create a Fedora compatible Gradle. That is, we’d add switches/flags to the build to omit functionality. Effectively, pushing the changes you upstream to us. We’d then incorporate testing of this distribution to our QA processes. It’s not clear yet what this would mean for us, but we are discussing it.

However, we’d really like to avoid holding up the release of 2.4 any longer. As such, we can’t put something like this in place for 2.4.

Please let me know your thoughts.

luke_daley · April 28, 2015, 6:39am

As for how you might do this…

The implicitly loaded plugins at runtime are controlled by the generated gradle-plugins.properties file, that is expected to be part of the gradle-core-«version».jar file in the lib directory of the distribution. The plugin gradle-resources-s3 will need to removed from that file.

You could either modify this file after the fact, or likely better, modify the build script to remove the s3 project here:

github.com

gradle/gradle/blob/master/build.gradle#L91-91


distributedPerformanceExperiments {
    tasks "performance:distributedPerformanceExperiment"
}


distributedFullPerformanceTests {
    tasks "performance:distributedFullPerformanceTest"
}


// Used for cross version tests on CI
allVersionsCrossVersionTest {
    tasks "allVersionsCrossVersionTests"
}


quickFeedbackCrossVersionTest {
    tasks "quickFeedbackCrossVersionTests"
}


// Used to build production distros and smoke test them
packageBuild {
    tasks "verifyIsProductionBuildEnvironment", "clean", "buildDists", "distributions:integTest"
}

mizdebsk · April 28, 2015, 9:30am

Hi @luke_daley,
thank you for your reply.

I understand that it may be too late to fix this in Gradle 2.4 and I hope this problem will be addressed in future releases.

Building Gradle in Fedora is not a problem. I was wondering whether I should build it with S3 plugin disabled or work on patching AWS code to remove non-free JSON classes, but now I think I will go with the first I solution. (I’m also working on upstreaming some of patches we carry in Fedora, I’m hoping to submit some pull requests next week.)

luke_daley · April 29, 2015, 12:00am

There’s an open PR on the AWS SDK to remove this dependency:

You could add some weight (e.g. +1 comment) to that PR.

Adrian_Kelly · May 24, 2016, 7:58am

It’s been removed in v1.11 of the AWS SDK. We should consider upgrading.

st_oehme · June 8, 2016, 10:14am

This will be fixed in Gradle 3.0.