As I said, the tool is intended to help with the process. I just plod through it. The results for some projects are better than others.

One optimization that I'd like to make is to have it consider the full path for those JARs that are inside bundles. The new implementation that I'm working on does this.

The scanner walks through the project's download directory and digs into any compressed archives. It doesn't know about p2 repositories, just files.

Wayne
On 04/05/16 01:31 AM, David M Williams wrote:
Not to be critical of your attempts to help us, but when I look at something like
https://www.eclipse.org/projects/tools/downloads.php?id=eclipse
it has a LOT of jars which are "inside" OSGi bundles. So many, that I am not sure the tool is all that helpful.

Plus, aren't there also a lot of third party jars that ARE in OSGi form, and must still have a CQ?

Am I missing something, or do people just learn to plod through it, and ignore the ones that are sort of obviously not third party?

Or, is it a bug? :)

Also, do you scan through p2 repositories? Or, just "download zips"? I ask since some things go into repositories that do not go into zips.
From: Wayne Beaton <wayne@xxxxxxxxxxx>
To: incubation@xxxxxxxxxxx
Date: 05/03/2016 11:39 PM
Subject: [incubation] Project downloads scanner
Sent by: incubation-bounces@xxxxxxxxxxx
Hey folks!

There is a tool accessible from your project page that provides a list (generated from your project downloads) of the third-party libraries that are used by your project. The scanner searches through everything in your project's directory on the download server, including archive files. For every JAR file it finds, it attempts to identify a corresponding CQ. Any file that cannot be mapped to a CQ is highlighted in red. Click on an entry to show where that file is located.

e.g.
https://www.eclipse.org/projects/tools/downloads.php?id=technology.dash

The tool only considers JAR files and it does its best work with OSGi bundles that follow the standard OSGi bundle naming pattern.

The tool is intended to assist with the process of ensuring that projects are distributing only approved libraries. It is far from perfect. The tool does report--at least for some projects--many false negatives (especially for JAR files that do not include version information in the file name). Don't panic if your project page shows a lot of red.

This is one of the reasons why we make this page accessible only to committers and don't advertise it widely. If something jumps out at you, please try to mitigate. I'll help with mitigation when the time comes to do your first/next release. If something that you know is approved is showing up red, let me know.

You can access the tool from your project's "PMI" page by expanding the "Committer Tools" section and clicking on the "Review Downloads" link (you'll have to log in). It takes you here:
https://www.eclipse.org/projects/tools/downloads.php?id=<project.name>
(where <project.name> is your project's full id, e.g. 'technology.dash')

We have started work on a new version of the tool that will do a far better job.

Note that the approval of third-party libraries is version-specific. If your project has approval for one version of a library but your build pulls in a newer version, you must either fix your build to pull only the approved version, or create a CQ for the new version.

There is more information about contribution questionnaires (CQs) in the Eclipse Project Handbook [1] (and the PolarSys [2] and LocationTech [3] variants).

HTH,
Wayne

[1] https://www.eclipse.org/projects/handbook/#ip-cq
[2] https://www.eclipse.org/projects/handbook/polarsys.html#ip-cq
[3] https://www.locationtech.org/documentation/handbook#ip-cq
--
Wayne Beaton
@waynebeaton
The Eclipse Foundation
_______________________________________________
incubation mailing list
incubation@xxxxxxxxxxx
To change your delivery options, retrieve your password, or
unsubscribe
from this list, visit
https://dev.eclipse.org/mailman/listinfo/incubation
--
Wayne Beaton
@waynebeaton
The Eclipse Foundation
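
The scan described in this thread, as an added Python illustration that is not part of the original messages and is not the Eclipse Foundation's scanner: it walks a ZIP-format archive, descends into nested archives, reports each JAR by its full nested path, and checks bundle-style file names against a version-specific approval list. The approval map, the file names, the `!/` path separator and the depth and size limits are assumptions made for the example.

```python
import io
import re
import zipfile

# OSGi bundle file naming pattern: <symbolic.name>_<major.minor.micro[.qualifier]>.jar
BUNDLE_RE = re.compile(r"^(?P<name>[\w.-]+?)_(?P<version>\d+\.\d+\.\d+(?:\.[\w-]+)?)\.jar$")
ARCHIVES = (".zip", ".jar", ".war")
MAX_DEPTH, MAX_MEMBER = 5, 64 * 1024 * 1024  # assumed limits on nesting and member size

def find_jars(data, prefix="", depth=0):
    """Yield the full nested path of every JAR inside ZIP-format bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.lower().endswith(ARCHIVES):
                continue
            if name.lower().endswith(".jar"):
                yield prefix + name
            if depth >= MAX_DEPTH or info.file_size > MAX_MEMBER:
                continue  # already listed if it is a JAR, but not opened
            try:
                yield from find_jars(zf.read(info), prefix + name + "!/", depth + 1)
            except zipfile.BadZipFile:
                pass  # not a readable archive; nothing to descend into

def classify(jar_path, approved):
    """Map one JAR to 'approved', 'unapproved-version' or 'unmapped'.
    approved: {library name: set of approved versions} (hypothetical CQ data)."""
    m = BUNDLE_RE.match(jar_path.rsplit("/", 1)[-1])
    if m is None or m["name"] not in approved:
        return "unmapped"  # includes JARs with no version in the file name
    return "approved" if m["version"] in approved[m["name"]] else "unapproved-version"

def make_zip(entries):
    """Build ZIP bytes in memory from {member name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def scan_sample():
    """Scan a constructed download archive; all names and versions are made up."""
    inner = make_zip({"lib/commons-io.jar": make_zip({"x.class": b""}),
                      "lib/org.example.lib_2.0.0.jar": make_zip({"y.class": b""})})
    download = make_zip({"plugins/org.example.app_1.0.0.jar": inner,
                         "plugins/org.example.lib_1.4.0.v2016.jar": make_zip({"y.class": b""}),
                         "readme.txt": b"not an archive"})
    approved = {"org.example.lib": {"1.4.0.v2016"}}
    return {path: classify(path, approved) for path in find_jars(download)}
```

In the sample, the library nested inside the application bundle is flagged because its version differs from the approved one, and the JAR without a version in its file name cannot be mapped at all.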