|
| 1 | +--- |
| 2 | +slug: copyleft-licensed-software-java-app |
| 3 | +title: Using Copyleft-licensed software components in a Java application |
| 4 | +authors: [team] |
| 5 | +tags: [copyleft, java, license compliance] |
| 6 | +hide_table_of_contents: false |
| 7 | +--- |
| 8 | + |
| 9 | +Key considerations while using Copyleft-licensed software components in a Java application. |
| 10 | + |
| 11 | + |
| 12 | + |
| 13 | +This document explains some key considerations for the use of Copyleft-licensed software components in a Java application in two contexts: |
| 14 | + |
| 15 | +- Execution of the Java code in a shared JVM. |
| 16 | +- Combining class files in a shared executable JAR – and by extension in a Combined JAR (e.g. uber-jar or fat jar). |
| 17 | + |
| 18 | +For this document, “JAR” refers specifically to an executable Java library that is a collection of `.class` files packaged into a file with the `.jar` extension; it does not refer to the use of a `.jar` file as an archive file only (such as for packaging source files for a Java library). |
| 19 | + |
| 20 | +The purpose of this document is to present a “conservative” interpretation of what linking, or interaction may mean in the Java context. It is not based on any particular product or application and we are not aware of any specific license compliance enforcement actions in this area. |
| 21 | + |
| 22 | +## “Strong” Copyleft-licensed Components |
| 23 | + |
| 24 | +The execution of any software component licensed under GPL (or another “strong” Copyleft license such as AGPL, SleepyCat, etc.) in a JVM effectively links that component with all other software components in that JVM process and therefore those other components become subject to GPL license obligations including redistribution of source code. |
| 25 | + |
| 26 | +The net impact of this interaction inside a JVM is that you should not Deploy any GPL-licensed code in a commercial Java-based product, unless that GPL-licensed code is executed in a separate JVM. This use case is possible, but quite rare in practice. |
| 27 | + |
| 28 | +In such rare cases, the GPL-licensed component should be used as-is and un-modified. |
| 29 | + |
| 30 | +If a modification is absolutely required, the purpose of the modification must not be to expose some privileged way to communicate with this library from proprietary code such as exposing a socket interface or other API for the sole benefit of avoiding a direct call to the Copyleft-licensed library. |
| 31 | + |
| 32 | +Such modifications would be considered as essentially similar to running the Copyleft-licensed library in the same JVM process and making direct calls so that the Copyleft obligation would still apply. |
| 33 | + |
| 34 | +## “Limited” Copyleft-licensed Components |
| 35 | + |
| 36 | +Any code included within a JAR can be considered to be statically linked with any other code in that JAR, even though strictly-speaking there is no such concept of “static linking” in Java technology. |
| 37 | + |
| 38 | +The primary logic here is that a JAR is an executable program and all of the files inside it interact within that context. |
| 39 | + |
| 40 | +Clearly there are many programming-level differences between: |
| 41 | + |
| 42 | +1. the process of compiling and linking C/C++ source files into an executable program and |
| 43 | +2. the process of converting .java or other source files (such as Scala) into `.class` files and packaging them into a JAR. |
| 44 | + |
| 45 | +But there are more similarities than differences. The net impact of this interaction inside a JAR is that you should not deploy any Copyleft-licensed code in a JAR in combination with any proprietary code. |
| 46 | + |
| 47 | +The impact of software interaction of `.class` files within a JAR varies according to the specific subtype of limited Copyleft license. There are three primary subtypes to consider: |
| 48 | + |
| 49 | +1. LGPL |
| 50 | +2. GPL with Classpath Exception |
| 51 | +3. “Public” or file-based licenses (CDDL, EPL, MPL) |
| 52 | + |
| 53 | +## 1) LGPL |
| 54 | + |
| 55 | +The LGPL version 2 and version 3 licenses are quite different, but in both cases there are specific terms and conditions related to software interaction and these provide the strongest case that combining `.class` files in an executable `.jar` is a form of static linking. |
| 56 | + |
| 57 | +## 2) GPL with Classpath Exception |
| 58 | + |
| 59 | +This license permits static linking of “independent modules”, but it may be hard to argue that `.class` files combined into a single JAR are independent. |
| 60 | + |
| 61 | +## 3) “Public” or file-based licenses (CDDL, EPL, MPL) |
| 62 | + |
| 63 | +The Copyleft impact from these licenses are primarily limited to the file level so this is the best case to argue that you can combine class files into one JAR without Copyleft impact. |
| 64 | + |
| 65 | +For a component licensed under any of the Limited Copyleft licenses, you do have the option to dynamically link separate libraries (JARs) within a JVM. This is different from GPL-licensed code, as described above, because you can dynamically link libraries under a Limited Copyleft license inside a JVM without a Copyleft impact on other libraries. |
| 66 | + |
| 67 | +The recommended best practice is to Deploy any Java library under a Limited Copyleft license as a separate “dynamic” library as provisioned from the original OSS project. This is the best way to avoid Copyleft impact. |
| 68 | + |
| 69 | +## Combined JARs: uber-jars, mega-jars and fat-jars |
| 70 | + |
| 71 | +Java code is typically packaged and redistributed as pre-compiled `.class` files assembled in one or more JAR libraries. Open source Java libraries are commonly downloaded at build time from a repository such as Maven (either a private or the Maven Central public repository). |
| 72 | + |
| 73 | +The process of creating a Combined JAR is to combine the `.class` files from all of the third-party dependency JARs together with proprietary-licensed `.class` files in a single JAR. This larger Combined JAR mixes open source (and possibly Copyleft-licensed code) and proprietary code in a single JAR. |
| 74 | + |
| 75 | +Creating larger Combined JARs is typically automated as part of a product build. Maven-based build plugins and tools include Maven Shade, one-jar, fat jar and others. |
| 76 | + |
| 77 | +In most cases, this is an addition to the build that is easily reversed to revert to a multi-jar deployment approach. The technical purpose of building a Combined JAR may be to: |
| 78 | + |
| 79 | +- Simplify the deployment or configuration of some larger Java applications by reducing the number of `.jar` libraries to be deployed. |
| 80 | +- Simplify runtime configuration. In particular the Java class paths do not need to be configured to reference the dependencies since they are all contained in a single executable library. |
| 81 | +- Accelerate initial loading of the application in the JVM where startup time is critical for the application. This acceleration is likely to be minimal. |
| 82 | + |
| 83 | +In addition to the Copyleft interaction issues outlined above, some other disadvantages of using Combined JARs are: |
| 84 | + |
| 85 | +- In the process of creating a Combined JAR, some common files with the same name and path (such as NOTICE, LICENSE) may be overwritten in a Combined JAR. Only one copy of each such file will exist in the Combined JAR. The terms of most open source licenses do not permit you to remove license or notice files. |
| 86 | +- The repackaging of un-modified JARs in a Combined JAR could be considered to be a modification. Most Copyleft licenses require you to track and document changes so this repackaging may require additional documentation work for the product team. |
| 87 | +- Tracing the package-version of an individual third-party component included in a Combined JAR may be difficult, which in turn may make it difficult to comply with Copyleft license conditions that require an offer to redistribute package-version-specific source code. |
| 88 | +- When updating software, the entire Combined JAR will need to be rebuilt even if most individual third-party packages are unchanged. In particular if a single third-party component JAR needs to be updated for a vulnerability, bug or new feature fix, then the whole Combined JAR need to be redistributed to customers. |
| 89 | +- If several larger Combined JARs are created in a product, the resulting size of the executables may be larger, as the contents of every shared third-party JAR will be duplicated in each Combined JAR instead of being shared across modules. Thus, a Combined JAR can impede the possibility and flexibility of Java library reuse. |
| 90 | + |
| 91 | +In general, Combined JARs are best suited for Deployment of Java applications in an internal system/IT- or SaaS-only use case where some of their benefits are measurable and there are fewer issues related to license compliance and Copyleft-licensed component interaction. |
| 92 | + |
| 93 | +When used in a commercial product that is distributed in any way, the issues attached to larger combined JARs usually outweigh any technical benefits that they may offer. |
0 commit comments