spring-boot-starter-logging 2.7.18 has a dependency containing LGPL-2.1-only #39063

Closed
artursouza opened this issue Jan 9, 2024 · 3 comments

@artursouza

Spring Boot versions 2.7.8 and 2.7.18 (and probably all in between) are being flagged by FOSSA for a license violation caused by a transitive dependency: ch.qos.logback:logback-classic (1.12.2) - it contains "LGPL-2.1-only".

Can org.springframework.boot:spring-boot-starter-logging depend on a "non-GPL" alternative library?

spring-boot-starter-web (2.7.18):
org.springframework.boot:spring-boot-starter-web -> org.springframework.boot:spring-boot-starter -> org.springframework.boot:spring-boot-starter-logging -> ch.qos.logback:logback-classic

@mhalbritter
Contributor

Why is a LGPL licensed library a problem for you?

You can switch from Logback to Log4J or Java Util Logging if you like.

Please note that Spring Boot 2.7.x is out of OSS support, you should upgrade or consider commercial support.

mhalbritter added the "status: invalid" label and removed the "status: waiting-for-triage" label on Jan 9, 2024
mhalbritter closed this as not planned on Jan 9, 2024
@bclozel
Member

bclozel commented Jan 9, 2024

@artursouza additionally, this should be reported to the FOSSA tool, as the library is released under a dual license: https://logback.qos.ch/license.html and https://github.com/qos-ch/logback/blob/master/LICENSE.txt

Maven Central does detect this dual license situation just fine.
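
The dual-license point in the comment above, as an added example (not part of this thread, and not FOSSA's, Maven Central's or Spring Boot's code): a license gate that evaluates SPDX-style `AND`/`OR` expressions, next to a mention-only check that flags any component naming a denied license. The deny list, the function names and the expression `EPL-1.0 OR LGPL-2.1-only` used for logback are assumptions made for illustration.

```python
import re

DENIED = {"LGPL-2.1-only", "GPL-2.0-only", "GPL-3.0-only"}  # constructed deny list
TOKEN = r"[()]|[A-Za-z0-9.+-]+"  # parenthesis, operator or license id

def tokenize(expr):
    toks = re.findall(TOKEN + r"|\S", expr)  # \S catches any stray character
    bad = [t for t in toks if not re.fullmatch(TOKEN, t)]
    if bad:
        raise ValueError(f"bad character {bad[0]!r} in {expr!r}")
    return toks

def naive_flag(expr, denied=DENIED):  # hypothetical check that ignores operators
    return any(t in denied for t in tokenize(expr))

def acceptable(expr, denied=DENIED):
    toks = tokenize(expr)[::-1]  # reversed so pop() yields the next token
    def parse_or():
        ok = parse_and()
        while toks and toks[-1] == "OR":
            toks.pop()
            ok = parse_and() or ok  # licensee may choose either branch
        return ok
    def parse_and():
        ok = parse_atom()
        while toks and toks[-1] == "AND":
            toks.pop()
            ok = parse_atom() and ok  # every part must be acceptable
        return ok
    def parse_atom():
        tok = toks.pop() if toks else None
        if tok == "(":
            ok = parse_or()
            if not toks or toks.pop() != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            return ok
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"unexpected {tok!r} in {expr!r}")
        return tok not in denied
    ok = parse_or()
    if toks:
        raise ValueError(f"trailing tokens in {expr!r}")
    return ok

SAMPLE = {"ch.qos.logback:logback-classic": "EPL-1.0 OR LGPL-2.1-only",  # assumed SPDX form
          "example:apache-and-lgpl": "Apache-2.0 AND LGPL-2.1-only"}      # constructed entry

def review(deps=SAMPLE):  # name -> (naive_flag, acceptable)
    return {name: (naive_flag(e), acceptable(e)) for name, e in deps.items()}
```

`review()` returns `(True, True)` for the dual-licensed entry, meaning the mention-only check flags it although the policy is satisfiable, and `(True, False)` for the `AND` entry, which is a genuine policy hit.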

@artursouza
Author

Thanks for the responses, I will report it in FOSSA.
