Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [incubation] CQs for Maven dependencies


The GeoMesa project has been following these guidelines:

1. Any direct or transitive compile scope dependency require a full CQ
2. Any direct provided scope dependency requires a 'works-with' CQ
3. Any direct test scope dependencies require a single 'test' CQ
4. Any transitive provided or test dependencies can be disregarded for IP purposes

Direct here means a top-level dependency declared in your pom, transitive means that you don't declare it in your pom but it's brought in by another dependency.

We don't track maven plugins. And AFAIK you need a new CQ even for a bug fix version, but usually you can request an 'incremental' review (this is less of an issue with license-only CQs).

If it's helpful, we wrote a bash script to generate our dependencies using the maven dependency tree:



On 11/23/19 4:09 AM, Christian Kaltepoth wrote:
Hi all,

I have a few questions about CQs, especially in the context of Maven dependencies. I'm working on a guideline which I will publish in the project wiki and which other committers of the project can use if they want to add new dependencies. 

I would love to get your feedback about whether the following assumptions are correct.
  • If the dependency is "test"-scoped, it is always a Test and Build dependency and therefore treated as a workswith.
  • If the dependency is "provided"-scoped, it is only used at build-time but not really "distributed" in any way. Instead, it must be provided by the environment in which the corresponding Eclipse project is used in. Such dependencies are therefore also workswith.
  • Dependencies which are "compile"-scoped are usually prereq dependencies. However, if the dependency is part of some kind of "optional addon module" of the Eclipse project and not part of the "core functionality", it is workswith.
  • Maven plugins are usually workswith.
  • You can update to newer patch releases of a third-party dependency without filing a new CQ. So in most cases it is fine to update from something like 1.2.4 to 1.2.9, but not to 1.3.0. Of course this only works the license of the dependency didn't change.
I would love to hear your thoughts.



incubation mailing list
To change your delivery options, retrieve your password, or unsubscribe from this list, visit

Back to the top