Hey folks!
    
    There is a tool accessible from your project page that provides a
    list (generated from your project downloads) of the third-party
    libraries that are used by your project. The scanner searches
    through everything in your project's directory on the download server,
    including archive files. For every JAR file it finds, it attempts to
    identify a corresponding CQ. Any file that cannot be mapped to a CQ
    is highlighted in red. Click on an entry to show where that file is
    located.
    
    e.g. https://www.eclipse.org/projects/tools/downloads.php?id=technology.dash
    
    The tool only considers JAR files and it does its best work with
    OSGi bundles that follow the standard OSGi bundle naming pattern.
    
    The tool is intended to assist with the process of ensuring
    that projects are distributing only approved libraries. It is far
    from perfect. The tool does report--at least for some projects--many
    false negatives (especially for JAR files that do not include
    version information in the file name). Don't panic if your
    project page shows a lot of red. This is one of the reasons why we
    make this page accessible only to committers and don't advertise it
    widely. If something jumps out at you, please try to mitigate. I'll
    help with mitigation when the time comes to do your first/next
    release. If something that you know is approved is showing
    up red, let me know.
    
    You can access the tool from your project's "PMI" page by expanding
    the "Committer Tools" section and clicking on the "Review Downloads"
    link (you'll have to log in). It takes you here:
    
    https://www.eclipse.org/projects/tools/downloads.php?id=<project.name>
    (where <project.name> is your project's full id, e.g.
    'technology.dash')
    
    We have started work on a new version of the tool that will do a far
    better job.
    
    Note that the approval of third-party libraries is version-specific.
    If your project has approval for one version of a library but your
    build pulls in a newer version, you must either fix your build to
    pull only the approved version, or create a CQ for the new version.
    
    There is more information about contribution questionnaires (CQs) in
    the Eclipse Project Handbook [1] (and the PolarSys [2] and
    LocationTech [3] variants).
    
    HTH,
    
    Wayne
    
    [1] https://www.eclipse.org/projects/handbook/#ip-cq
    [2] https://www.eclipse.org/projects/handbook/polarsys.html#ip-cq
    [3] https://www.locationtech.org/documentation/handbook#ip-cq
    -- 
      Wayne Beaton
      @waynebeaton
      The Eclipse Foundation
      
  