Re: [eclipse.org-architecture-council] License Checker Tool
Wayne,
Since there were only 30 CQs which had gotten a PMC -1, I took a
spin through them. A small number (including one from my project)
had incompatible licenses, a few were -1'ed in favor of piggy-back
CQs, and only 3 were -1'ed in 2018 and after. (Half of the
30 were from one working group, most of those from one project.)
I wonder if the PMCs are considering the technical merits of
dependencies. If they are, then as a group, we've gotten pretty
good at asking for the right dependencies.
I like the idea of the technical review, but it either isn't
commonly producing rejections 'cause open source quality has gone
up or we're all just approving each other's CQs...
Are there other ways we could be automating the review? I really
like the idea of managing things in the Java ecosystem by Maven
GAVs with ClearlyDefined. If we started putting together a set of
rules around that we may be able to get more lift and achieve the
goal of a technical review.
For instance, GitHub is inspecting poms and telling repo admins
about CVE vulnerabilities. In a similar vein, if we had a way to
maintain a committer-managed database of info about a given GAV,
we maybe could get some lift.
If you try to ask for a common library, maybe you could get a
suggestion about alternatives. For instance, importing Guava just
to get null checks is asking for it years down the road... Maybe
there'd be a way to search for usage of a given library. (E.g.,
could you find everyone's favorite csv library or whatnot?)
Cheers,
Jim
On 2/26/2020 4:49 PM, Wayne Beaton wrote:
> The first step is to have the tool recognise that a CQ is
> required and help the committer create CQs. Having some sort
> of automation would be cool.
> Note that ClearlyDefined automatically harvests data, so
> it's possible that subsequent invocations of the tool will
> have better results. At this point, I don't know how quickly
> their harvester finds new information, and expect that we're
> still going to have to actually create CQs for content that we
> don't have good vetted license information for.
> Like I said, this is a half-baked implementation and input
> is appreciated.
> Wayne
> --
> Wayne Beaton
> Director of Open Source Projects | Eclipse Foundation, Inc.
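As an added example (not code from this thread, from Eclipse, or from ClearlyDefined), a sketch of the GAV-based check Jim describes: read a pom's dependencies, turn each into a ClearlyDefined-style coordinate, and flag the ones a committer-managed table does not list as approved. The pom, the table, its status values and the CQ id are constructed placeholders; the coordinate layout assumed is ClearlyDefined's type/provider/namespace/name/revision form (maven/mavencentral/...).

```python
# Added example (constructed data): pom.xml deps -> ClearlyDefined coordinates,
# checked against a committer-managed table of vetted artifacts.
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom: two deps, one taking its version from a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><guava.version>28.2-jre</guava.version></properties>
  <dependencies>
    <dependency><groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId><version>${guava.version}</version></dependency>
    <dependency><groupId>org.apache.commons</groupId>
      <artifactId>commons-csv</artifactId><version>1.8</version></dependency>
  </dependencies>
</project>"""

# Constructed committer-managed table keyed by ClearlyDefined coordinate
# (maven/mavencentral/<groupId>/<artifactId>/<version>); status values and
# the CQ id are placeholders, not real Eclipse records.
VETTED = {
    "maven/mavencentral/org.apache.commons/commons-csv/1.8":
        {"status": "approved", "cq": "CQ-PLACEHOLDER"},
}

def resolve(value, props):
    """Expand ${name} references from the pom's <properties> block."""
    while "${" in value:
        start = value.index("${")
        end = value.index("}", start)
        value = value[:start] + props.get(value[start + 2:end], "") + value[end + 1:]
    return value

def gavs(pom_xml):
    """(groupId, artifactId, version) triples declared in a pom."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(NS, ""): p.text or ""
             for p in root.findall(f"{NS}properties/*")}
    return [tuple(resolve(d.findtext(f"{NS}{f}", ""), props)
                  for f in ("groupId", "artifactId", "version"))
            for d in root.findall(f"{NS}dependencies/{NS}dependency")]

def coordinate(gav):
    """ClearlyDefined-style coordinate for a Maven Central artifact."""
    return "maven/mavencentral/" + "/".join(gav)

def needs_cq(pom_xml, table=VETTED):
    """Coordinates the table does not list as approved: each needs a CQ."""
    return [coordinate(g) for g in gavs(pom_xml)
            if table.get(coordinate(g), {}).get("status") != "approved"]
```

Running `needs_cq(SAMPLE_POM)` reports only the Guava coordinate, since commons-csv is already marked approved in the constructed table.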
_______________________________________________
eclipse.org-architecture-council mailing list
eclipse.org-architecture-council@xxxxxxxxxxx
https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council