Hi all,
its been on my TODO list for a while to remove JSR-305 annotations from core.
the reason behind this is
1) the framework is deader than a dodo
2) the annotations have a questionable licence
3) the annotations are in the reserved javax namespace and there is no public release of the spec (nor is there ever likely to be see point 1).
The natural replacement is SpotBugs, however there are a couple of missing annotations that have no mapping.
- javax.annotation.concurrent.GuardedBy (14 occurrences)
- javax.annotation.concurrent.Immutable (2 occurrences)
- javax.annotation.Nonnegative (3 occurrences)
The first 2 annotations have some possible replacements in Checker Framework, Error Prone, and JCIP annotations.
The last only appears to have a replacement in Checker Framework, or in java Beans validation.
The licence of JCIP annotations means we are likely not able to use it, whilst there is a Clean room implementation by Stephen Connolly I recall finding a bug in it the other week as it was not up to date.
So there are a few possibilities, use annotations from error-prone and ignore the non negative, include annotations from checker-framework.
If we start using either error prone or checker framework annotations the existing spotbugs tooling will not report on any violations - (they support jcip only today).
So as I see it we have a few alternatives
1) do nothing (I do not think this is wise due to the points at the start of this mail)
2) use an alternative annotation which is not checked and for documentation only
3) use an alternative annotation and checking framework (unclear if there is a replacement for findsec-bugs)
What do people think?
/James