To be honest it
leaves a lot of holes/questions to me. Here are some things that look fuzzy
> CQs are not required for third-party
content in all cases. In the case of third-party content due diligence, CQs are
now only used to track the vetting process. What does "In
the case of third-party content due diligence, CQs are
now only used to track the vetting process. "
CQs are no longer required before third-party
content is introduced. Looks like being
listed on clearlydefined does not necessarily mean we can use it The
project, i.e. we as PMC have to make that decision and then decide whether
to file a CQ. See also above point.
What's also unclear/undefined
is the process regarding Orbit.
to be a tool that detects the dependencies but AFAIK it's not complete
yet. This would leave us in a state where we do not have a correct IP log.
Kurtakov <akurtako@xxxxxxxxxx> To:
[eclipse-pmc] Do we still need to file CQs? Sent
Last week Wayne posted some updates on
the IP process . Please pay special attention to "Leverage
other sources of license information for third-party content." and
"ClearlyDefined is a trusted source of license
information." paragraphs. It's worth noting that PB CQs are no
longer needed too. According to this I could have skipped
filing CQ for ICU4J 67.1  and rather pointed to clearlydefined.io and get it contributed to Orbit based on that. That would be a huge reduction for releng
as right now updating deps is still a lengthy and painful process involving
many steps by committer/pmc/IP team/orbit committer and etc.
Let's discuss at some of the next PMC
meetings when we have everyone.