directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lécharny <>
Subject Re: LDAP API dependency & N/L
Date Mon, 03 Sep 2018 09:15:19 GMT

Le 03/09/2018 à 09:56, Kiran Ayyagari a écrit :
> On Mon, Sep 3, 2018 at 1:09 PM, Emmanuel Lécharny <>
> wrote:
>> Hi !
>> I have checked all the LDAP API dependencies this week-end. We don't
>> have many being used in the resulting package, most of them are just
>> used for tests.
>> Here are the 'compile' scope dependencies :
>> org.slf4j:slf4j-api:jar:1.7.25
>> org.slf4j:slf4j-log4j12:jar:1.7.25
>> log4j:log4j:jar:1.2.17
>> antlr:antlr:jar:2.7.7
>> org.apache.servicemix.bundles:org.apache.servicemix.bundles.
>> antlr:jar:2.7.7_5
>> org.apache.servicemix.bundles:org.apache.servicemix.bundles.
>> dom4j:jar:1.6.1_5
>> org.apache.servicemix.bundles:org.apache.servicemix.bundles.
>> xpp3:jar:1.1.4c_7
>> xml-apis:xml-apis:jar:1.0.b2
>> That means the licenses for those dependencies must be present and
>> up-todate in our N&L.
>> o slf4j 1.7.25 : we are still referencing the slf4j 1.7.10 license. I
>> changed that (note that the current version's license [1] date stops at
>> 2017, I have contacted Ceki about it)
>> o log4j 1.2.17: this is an apache project, and version 1.X has reached
>> EOL in 2015 It's about time to upgrade to 2.11.1, the latest version
>> I noticed so delay in startup time when log4j 2.x is used, I suspect that
> latest log4j version takes a bit more
> time to initialize, I have never encountered this with lg4j1.x.
> In either case I think it is a good idea to limit the scope of log4j
> dependency to tests and let the API users
> decide on the logging implementation to plug.
> It won't be an incompatible change because API code uses sl4j.

Currently, the log4j dependency is only required by the LDAP API
distribution module that generates a standalone library. In this very
case, the log4j library is necessary.

Nevertheless, we need to investigate what would be the pro and con of
switching to log4j2.

Regarding servicemix bundles, it appears they are just wrappers around
libraries that export and import packages for OSGi usage. Now, those
packages are used in our software, so we must include them in our N&L files;

Typcally the xpp3 license [4] must be included, so is the dom4j updated

Otherwise, regarding the distribution/src/main/release/NOTICE file, I do
think there are many useless packages listed there :

o we don't use ant anymore
o Maven does not need to be listed in a distribution package
o Junit does not belong to distribution either


Emmanuel Lecharny

View raw message