Hi Ed.
Ultimately, it's up to you to make sure that you have the right set
of CQs for the third party libraries that your project uses.
The scanner detects that you're distributing code from other Eclipse
projects and will give a pass to third-party libraries for which one
of those included projects has a CQ. The implementation obviously
has limited "smarts".
Again, the tool is intended to assist with the assessment process.
It is imperfect and it is unlikely that--given the very dynamic
nature of technology used and distribution schemes--it ever will be
perfect.
In the specific case of Guava where
dependencies are 12.0.0 to 19.0.0, does that require 7 piggy-back
CQs?
Theoretically, if your project will work with any of those versions,
then yes. Strictly speaking, you should probably have just one CQ
for one version of Guava and then a works-with CQ for all other
versions. I believe, however, that it is enough that you have a CQ
for those versions that you actually use.
I am hopeful that sometime this quarter, I'll be able to
automatically detect the use of some third-party JARs and provide
the equivalent of piggyback CQs in IP Logs [1]. Getting to a point
where projects can just use stuff out of Orbit and have it
automatically tracked in the IP Log is my first goal.
HTH,
Wayne
[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=475400
On 04/05/16 01:49 AM, Ed Willink wrote:
Hi Wayne
On 04/05/2016 04:34, Wayne Beaton wrote:
We have started work on a new version of
the tool that will do a far better job.
I am delighted that my projects have no RED but I think you are
encouraging a false sense of security since your tool's 'used' is
actually 'ever redistributed'.
In https://waynebeaton.wordpress.com/2011/09/09/is-a-cq-required/
'used' is 'directly referenced'.
So I expect to see Guava in RED since I haven't bothered to raise
a piggy-back CQ since versions change so often and I await the
auto-re-piggy-back of approved CQs. Last time I looked it appeared
that 90% of projects that have an old Guava piggy-back CQ had not
re-piggy-backed.
In the specific case of Guava where dependencies are 12.0.0 to
19.0.0, does that require 7 piggy-back CQs?
Re-piggy-back:
IMHO if Orbit has CQs for version X and Y, and a project has a
piggy-back CQ for X, then it has an auto-re-piggy-back for Y.
Regards
Ed Willink
--
Wayne Beaton
@waynebeaton
The Eclipse Foundation