Thanks for your input, Jim.
It may well be time to revisit the requirement
that the PMC approve CQs (especially with the recent
changes to the IP Policy). TBH, I'm concerned that
the PMC is not engaging; as part of the project
leadership chain, we depend on the PMC to help
ensure that project teams are implementing the
process.
We've had a streamlined process for version
upgrades for some time. We have, however, been
wrestling with a bug that's been putting CQs into
the wrong state. I'll forward your bug list to the
IP team to ask that they process them and then
investigate why they're not in the right state.
More generally, recent changes in the IP Policy
(at least partially motivated by your experience) is
moving us in a direction where hopefully most (in
some cases, all) CQs are not required. Rather than
CQs being a means of tracking content, we're
changing them to be purely concerned with vetting
content that has not previously been vetted.
A few weeks ago, I posted on this list about a
tool that
we've developed in-house (and are contributing
to the Eclipse Dash project) that checks the trusted
sources of license information that we have
available to us (IPzilla and ClearlyDefined). The
tool reports that we have trusted license
information for
org.apache.accumulo:accumulo-core:2.0.0,
org.apache.commons:commons-configuration2:2.5, and
org.apache.zookeeper:zookeeper:3.4.14, so (assuming
that I've correctly guessed at the right Maven
coordinates) three of the CQs that you've listed
aren't required (I couldn't map
org.apache.htrace:htrace-core:3.2, so that CQ is
required).
The tool can be used to test a single CQ, e.g.:
$ echo "org.apache.accumulo:accumulo-core:2.0.0"
| java -jar
/gitroot/dash/org.eclipse.dash.bom/target/org.eclipse.dash.licenses-0.0.1-SNAPSHOT.jar
-
Vetted license information was found for all
content. No further investigation is required.
$ _
I ran the tool on your full build (there's
instructions for this in the tool's repository's
README) and it came back with a pretty big list of
content that it couldn't map to trusted license
information. I'm pretty sure, however, that we have
CQs for most/all of that content, but don't have a
mapping between the content Id and corresponding CQ.
I'll work through those.
In the meantime, when you do create CQs, it would
be helpful if you could use the Maven id/coordinates
as the name. With that, we'll have an automatic
mapping.
It would helpful if the AC members could test
this tool on code bases that they work with and
provide feedback (issues on the GitHub repository
are welcome).
I'll vent a bit myself... we've been discussing
this on calls for some time and I did post about
this on the mailing list with a request for
assistance to develop this tool into something that
can be used to save project teams time. I have
stated repeatedly that I owe the community a few
blog posts on this topic, but I brought the AC into
the loop as far back as when we started drafting
edits to the IP Policy.
Wayne