-------- Forwarded Message --------
Okay, yeah.
Looks like if we’re not distributing HDF-Java, the whole
thing will have to be submitted for review. If we do
distribute it, then we can narrow it down to 5 JARs and
2 DLLs/SOs (I think).
Anna

Hi Anna,
No worries on the name front - you’ve
likely dealt with Sharon previously on IP matters and
just got the two names mixed up. I don’t offend that
easily :)
Here’s a high level summary of our
discussion to date that may help:
There are two high level cases:
A) Dependencies you distribute; and
B) Dependencies that you do not distribute
as part of the Project. These in turn are characterized
as either: i) workswith; or ii) pre-req dependencies.
Full review is required for A and B(ii).
We document but do not review B(i).
Regarding A - In order to manage our
workload, we ask projects to reduce the scope of the
material we need to review so that only the material
they need is included (often extraneous material that is
not needed may be included in an open source
distribution). CQs would be opened for the component
parts you need, but not for those that you do not need.
In order to ensure that only code that has been
reviewed is distributed as part of your project, we
would also ask that you reduce the distribution to only
those component parts that you need and we have
reviewed.
The foregoing is relatively straightforward
in the case of A. The situation I think you began to
address in your November 19, 6:05 email was a situation
where you have a pre-requisite that a user needs to
download, but that for your Project’s purposes, only
pieces of that dependency are required. That’s not a
situation we encounter very often, or perhaps not one
that is directly highlighted very often.
Regarding B(ii) - These require full
review, and since you don’t control the download, we
would need to review the full package – which would
include the parts that your Project needs as well as
those that your Project does not need. It’s at this
point I pause and contemplate the scope of work involved
in the review. If it is massive, then it may be a
situation where we ask ourselves whether it should
reasonably be considered exempt under the policy [1].
Alternatively, if your Project (for example) only needs
3 of 40 dependencies, I may be inclined to ask you to
consider distributing the content, and we would limit
our review to the 3 dependencies.
I realize there’s a lot to take in. Feel
free to ask more questions.
Cheers,
Janet
[1] https://eclipse.org/org/documents/Eclipse_Policy_and_Procedure_for_3rd_Party_Dependencies_Final.pdf