Re: [incubation] Project downloads scanner

Hi Ed.

Ultimately, it's up to you to make sure that you have the right set of CQs for the third party libraries that your project uses.

The scanner detects that you're distributing code from other Eclipse projects and will give a pass to third-party libraries for which one of those included projects has a CQ. The implementation obviously has limited "smarts".

Again, the tool is intended to assist with the assessment process. It is imperfect and it is unlikely that--given the very dynamic nature of technology used and distribution schemes--it ever will be perfect.

In the specific case of Guava where dependencies are 12.0.0 to 19.0.0, does that require 7 piggy-back CQs?
Theoretically, if your project will work with any of those versions, then yes. Strictly speaking, you should probably have just one CQ for one version of Guava and then a works-with CQ for all other versions. I believe, however, that it is enough that you have a CQ for those versions that you actually use.

I am hopeful that sometime this quarter, I'll be able to automatically detect the use of some third-party JARs and provide the equivalent of piggyback CQs in IP Logs [1]. Getting to a point where projects can just use stuff out of Orbit and have it automatically tracked in the IP Log is my first goal.

HTH,

Wayne

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=475400

On 04/05/16 01:49 AM, Ed Willink wrote:
Hi Wayne

On 04/05/2016 04:34, Wayne Beaton wrote:
We have started work on a new version of the tool that will do a far better job.
I am delighted that my projects have no RED but I think you are encouraging a false sense of security since your tool's 'used' is actually 'ever redistributed'.

In https://waynebeaton.wordpress.com/2011/09/09/is-a-cq-required/ 'used' is 'directly referenced'.

So I expect to see Guava in RED since I haven't bothered to raise a piggy-back CQ since versions change so often and I await the auto-re-piggy-back of approved CQs. Last time I looked it appeared that 90% of projects that have an old Guava piggy-back CQ had not re-piggy-backed.

In the specific case of Guava where dependencies are 12.0.0 to 19.0.0, does that require 7 piggy-back CQs?

Re-piggy-back:

IMHO if Orbit has CQs for version X and Y, and a project has a piggy-back CQ for X, then it has an auto-re-piggy-back for Y.

    Regards

        Ed Willink

--
Wayne Beaton
@waynebeaton
The Eclipse Foundation