rewrite-java-security is not available anymore

[Bananeweizen]

The previously public repository rewrite-java-security is not publicly available anymore. I'm not sure if that was on purpose, if it was renamed, or whether that was an accident. It's still referenced from the docs repository and from the recipe catalog, so I assume this was not intended. 1ab8577f2895b178aafa265168806548762295f1 is the last commit that I have in my local clone.

[timtebeek]

hi @Bananeweizen ; thanks for reaching out! This was intentional, and we'll make that clearer from the docs:

• Major adjustments to recipes with certain licenses rewrite-recipe-markdown-generator#147

For now you can see an overview of the various recipe modules and their licenses on this page:
https://docs.openrewrite.org/licensing/repository-licensing

This page shows an overview of individual Moderne recipes, in case you were missing any others:
https://docs.openrewrite.org/reference/moderne-recipes

I hope that answers the immediate question you had about unavailability. You can read more about the reasoning here:

• OpenRewrite withdraw commonhaus/foundation#218

[Bananeweizen]

Sorry, but I can't see how not participating in the commonhaus project would lead to a necessity of restricting the licenses of a major part of the OpenRewrite code. I'm deeply disappointed, since I have contributed to several of the repositories that are no longer open source.

[timtebeek]

Understandable that you're disappointed that not all recipes fall under the same licensing terms any more. The context I was referring to is under the warm farewell on that PR, copied here:

I want to once again reaffirm my admiration for the foundation and what it has set out to do, and hope you understand that we acted in good faith to find a path to inclusion. I also hope you’ll appreciate the tremendous pressure we are under as a project whose future is entwined with our livelihoods as well – a project that is in some cases being exploited commercially by larger companies with no return of value to the project. We will continue to work to find our own way in building software together in the open as much as possible.

We've done our best to sift through contributions to the repositories that were moved as much as possible, and based our judgement on those when choosing which to keep fully open, which to make source available, and which to move to private, in what we hope is a fair balance.

It's true that you have contributed to three recipes in rewrite-java-security in the past: for SecureRandom to maybe remove an import, for owasp.yml to fix a recipe name, and for DBFInsertPropertyStatementVisitor to add XMLConstants too. You can continue to use these recipes as they were at the time, but going forward we have decided to make that module private to protect the long term intertwined interests of OpenRewrite and Moderne.

While of course never easy we hope you understand that we've had to make adjustments in light of all the above.

[JLLeitschuh]

I've raised these concerns in Slack here:

https://rewriteoss.slack.com/archives/C01A843MWG5/p1735228710998069

More to come

[ljharb]

@timtebeek without a CLA, relicensing isn’t legal without explicit permission from all contributors.

[JLLeitschuh]

From the thread in slack:

[JLLeitschuh]

For the record: Here is the commit that changes the licensing on files that I and other maintainers that contributed to and continue to maintain the copyright on.

https://github.com/moderneinc/rewrite-java-security/commit/dd1dbd8b05b40dbbd7611b82cced8504ee8df029

Full Screenshot of Diff

[JLLeitschuh]

It looks like the decision to make this change was made and encoded in the licence two weeks ago: moderneinc/moderne-docs@ccd2ada#diff-450920303cec650913d28686228afb4665cd010db8f5e0f79d607e8586477f07R11-R12