Re: [lyo-dev] [IMPORTANT] Lyo 2.3.0 IP Due Diligence Type correction

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [lyo-dev] [IMPORTANT] Lyo 2.3.0 IP Due Diligence Type correction

From: Andrii Berezovskyi <andriib@xxxxxx>
Date: Wed, 15 Aug 2018 12:05:36 +0000
Accept-language: en-GB, en-US, sv-SE
Delivered-to: lyo-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/lyo-dev>
List-help: <mailto:lyo-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/lyo-dev>, <mailto:lyo-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/lyo-dev>, <mailto:lyo-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AQHUNAwar6KpX3NAI0yMsWpdQFHv/KTAiDgAgAAMNYCAAAKAAA==
Thread-topic: [lyo-dev] [IMPORTANT] Lyo 2.3.0 IP Due Diligence Type correction

Legend for the illustration:

green arrows point to the groupId that contain only Type B artefacts (the only exception is the arrow next to the ‘oslc-trs’, it is a “stray” artefact in the upper ‘org.eclipse.lyo’ groupId)
pink border denotes the particular (Type B) artifacts that get delivered as part of the release (parent modules ‘lyo-server-build’, ‘oslc4j-core-build’, and ’store-parent’ get published automatically but have no JARs inside)

–Andrew.

2018-08-15 kl. 13:56 skrev Andrii Berezovskyi <andriib@xxxxxx>:

Jim,

Don’t get me wrong but I have doubt that there are many orgs that even understand the difference between Eclipse Type A & Type B release, let alone to prefer one over another :)

With respect to the groupId, please find a quick illustration of Type A/B groupId’s and artifactId’s:

<Inklistrad_bild_2018-08-15__13_43.png>

We can move both lyo-validation and lyo-store under the ‘org.eclipse.lyo.contrib’ group to clearly mark that it is going to be the designated place for Type A content. Please let me know if that (and having all releases marked as Type A) will be OK for your process.

Again, I am not hearing any users from other companies speaking up about importance of Type B IP check as opposed to a Type A check (as a reminder, we got zero replies from the community on the Type A suggestion I started a while ago).

–Andrew.

2018-08-15 kl. 13:12 skrev Jim Amsden <jamsden@xxxxxxxxxx>:

Andrew,
When evaluating product dependencies, IBM (and likely other) companies rely on the eclipse process to understand the potential legal impact of including a particular component. Depending on the due diligence type, users of dependent components may need to do additional scans themselves, leading to additional costs and potential delays.

Currently an eclipse/Lyo "release" is considered a single thing, with type B due diligence as captured in the IP log. IBM relies on this information to simplify the IP assessment of eclipse components.

If an eclipse/Lyo release actually includes multiple things, maybe even delivered on different release cycles, then we need to clearly distinguish them and their provenance. If multiple things are all delivered as maven components, then group ids might with release notes might be adequate.

Jim Amsden, Senior Technical Staff Member
OSLC and Linked Lifecycle Data
919-525-6575

From: Andrii Berezovskyi <andriib@xxxxxx>
To: Lyo project developer discussions <lyo-dev@xxxxxxxxxxx>
Cc: Sharon Corbett <sharon.corbett@xxxxxxxxxxxxxxxxxxxxxx>, Wayne Beaton <wayne.beaton@xxxxxxxxxxxxxxxxxxxxxx>
Date: 08/14/2018 04:19 PM
Subject: [lyo-dev] [IMPORTANT] Lyo 2.3.0 IP Due Diligence Type correction
Sent by: lyo-dev-bounces@xxxxxxxxxxx

Dear Lyo users,

Unfortunately, the Lyo release v2.3.0 contained artefacts that only had their license checked and full code scanning was not carried out. As a result of a discussion with the Eclipse IP team, we are markingthe Lyo 2.3.0 release as “Type A” checked.

All previous releases remain Type B checked. You can find more about the Type A/B here. We apologise for any inconvenience it may have caused you. The only component that had Type A dependencies what lyo.validation, but we had to downgrade the whole release.

I would also like to use this opportunity to re-open Type A/B discussion in the light of a new suggestion from Wayne (CC). He suggested that we mark the releases from now on as Type A checked but clearly indicate in the release notes the packages and/or groupId’s of the components that only depend on Type B content. Would that inconvenience any of you?

–Andrew.
_______________________________________________ lyo-dev mailing list lyo-dev@xxxxxxxxxxx To change your delivery options, retrieve your password, or unsubscribe from this list, visithttps://dev.eclipse.org/mailman/listinfo/lyo-dev

_______________________________________________
lyo-dev mailing list
lyo-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/lyo-dev

_______________________________________________
lyo-dev mailing list
lyo-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/lyo-dev

Follow-Ups:
- Re: [lyo-dev] [IMPORTANT] Lyo 2.3.0 IP Due Diligence Type correction
  - From: Jad El-Khoury

References:
- [lyo-dev] [IMPORTANT] Lyo 2.3.0 IP Due Diligence Type correction
  - From: Andrii Berezovskyi
- Re: [lyo-dev] [IMPORTANT] Lyo 2.3.0 IP Due Diligence Type correction
  - From: Jim Amsden
- Re: [lyo-dev] [IMPORTANT] Lyo 2.3.0 IP Due Diligence Type correction
  - From: Andrii Berezovskyi

Prev by Date: Re: [lyo-dev] [IMPORTANT] Lyo 2.3.0 IP Due Diligence Type correction
Next by Date: Re: [lyo-dev] [IMPORTANT] Lyo 2.3.0 IP Due Diligence Type correction
Previous by thread: Re: [lyo-dev] [IMPORTANT] Lyo 2.3.0 IP Due Diligence Type correction
Next by thread: Re: [lyo-dev] [IMPORTANT] Lyo 2.3.0 IP Due Diligence Type correction
Index(es):
- Date
- Thread

Breadcrumbs