Re: [orbit-dev] ClearlyDefined Now Supported

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [orbit-dev] ClearlyDefined Now Supported

From: Wayne Beaton <wayne.beaton@xxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 18 Aug 2020 15:05:57 -0400
Delivered-to: orbit-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/orbit-dev>
List-help: <mailto:orbit-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/orbit-dev>, <mailto:orbit-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/orbit-dev>, <mailto:orbit-dev-request@eclipse.org?subject=unsubscribe>

Close. Our understanding of how to use ClearlyDefined has evolved a little since we spoke at EclipseCon.

If third-party content is not known to IPZilla, then ClearlyDefined can be used. When an entry is known to ClearlyDefined and has a score of at least 75 and all discovered licenses are on the Eclipse Foundation’s approved licenses list, then the content can be used without further action.

As I look at this, I realize that it's not quite right. As you suggested, the effective license score is what we're most interested in, and both the declared and discovered licenses need to match. I'll update this. Note that we've discussed dropping the threshold.

Now that Eclipse Orbit has a Maven-based build, you can actually use the Dash License Tool to determine whether or not a CQ is required. I ran the tool on the build and discovered a few gaps in our data that I've filled. Note that the build identifies a small number of Eclipse GlassFish/Jakarta dependencies that we can safely ignore. I also noticed that the tool fails to parse a couple of funky version numbers, so I'm working on a fix for that. I noticed a handful of other build dependencies that I may need help with.

Note that the tool works off a dependency list. It's up to you to determine how to build that dependency list. You can, for example, run the tool on Maven dependency information generated for a single directory in the Orbit build:

[wayne@localhost icu4j]$ mvn dependency:list | grep -Poh "\S+:(system|provided|compile)" | sort | uniq | java -jar /gitroot/dash/org.eclipse.dash.license/target/org.eclipse.dash.licenses-0.0.1-SNAPSHOT.jar -
Querying Eclipse Foundation for license data for 1 items.
Found 1 items.
Vetted license information was found for all content. No further investigation is required.
[wayne@localhost icu4j]$ _

Or...

[wayne@localhost apache]$ mvn dependency:list | grep -Poh "\S+:(system|provided|compile)" | sort | uniq | java -jar /gitroot/dash/org.eclipse.dash.license/target/org.eclipse.dash.licenses-0.0.1-SNAPSHOT.jar -
Querying Eclipse Foundation for license data for 189 items.
Found 87 items.
Querying ClearlyDefined for license data for 102 items.
Rejected: https://clearlydefined.io/definitions/maven/mavencentral/com.sun.activation/jakarta.activation/1.2.1
Rejected: https://clearlydefined.io/definitions/maven/mavencentral/org.junit.platform/junit-platform-commons/1.2.0
Rejected: https://clearlydefined.io/definitions/maven/mavencentral/com.sun.mail/jakarta.mail/1.6.4
Rejected: https://clearlydefined.io/definitions/maven/mavencentral/org.junit.platform/junit-platform-engine/1.2.0
Rejected: https://clearlydefined.io/definitions/maven/mavencentral/org.junit.platform/junit-platform-launcher/1.2.0
Rejected: https://clearlydefined.io/definitions/maven/mavencentral/jdepend/jdepend/2.9.1
Rejected: https://clearlydefined.io/definitions/maven/mavencentral/commons-net/commons-net/3.6
Rejected: https://clearlydefined.io/definitions/maven/mavencentral/org.tukaani/xz/1.2
Rejected: https://clearlydefined.io/definitions/maven/mavencentral/org.python/jython/2.7.0
Rejected: https://clearlydefined.io/definitions/maven/mavencentral/com.sun.media/jai-codec/1.1.3
Rejected: https://clearlydefined.io/definitions/maven/mavencentral/javax.media/jai-core/1.1.3
Found 91 items.
License information could not automatically verified for the following content:

maven/mavencentral/com.sun.media/jai-codec/1.1.3 (null)
maven/mavencentral/com.sun.activation/jakarta.activation/1.2.1 (null)
maven/mavencentral/org.junit.platform/junit-platform-commons/1.2.0 (null)
maven/mavencentral/org.python/jython/2.7.0 (null)
maven/mavencentral/com.sun.mail/jakarta.mail/1.6.4 (null)
maven/mavencentral/org.junit.platform/junit-platform-engine/1.2.0 (null)
maven/mavencentral/org.junit.platform/junit-platform-launcher/1.2.0 (null)
maven/mavencentral/jdepend/jdepend/2.9.1 (null)
maven/mavencentral/javax.media/jai-core/1.1.3 (null)
maven/mavencentral/commons-net/commons-net/3.6 (null)
maven/mavencentral/org.tukaani/xz/1.2 (null)

Please create contribution questionnaires for this content.
[wayne@localhost apache]$ _

In the ./apache case, jakarta.mail is actually from an Eclipse project, so you can skip that one (I'll see if I can further tune the script to remove it automatically). I'm pretty sure that the JUnit ones come from a minor version of JUnit 5 that has not been vetted by the IP Team (or fully harvested by ClearlyDefined). In fact, the JUnit ones are great examples of how the ClearlyDefined score is misleading (the source has not actually been scanned, so the license list is showing NOASSERTION).

It could be that some of these dependencies are "build and test" dependencies. If you can identify them as such, then no further investigation is required.

I talked a bit about creating the dependency list to feed the tool in a recent blog post.

HTH,

Wayne

On Wed, Jul 29, 2020 at 2:52 PM Roland Grunberg <rgrunber@xxxxxxxxxx> wrote:

Hello all,

In Orbit, we now support ClearlyDefined as a source for licensing
information. Once contributed to the ip_log.xml of a bundle [1], the
data will appear on the downloads page with the text 'ClearlyDefined'
that links to the information.

It has been mentioned in the past [2] that you can consider the content
acceptable if its effective score is above 50. I would think this
applies to the effective score for licensing, and not overall, since
I've seen cases [3] where the overall score is above 50, with no
licensing information at all.

I'll update our README in orbit-recipes as well as documentation to
reflect this.

--
Roland Grunberg

[1] https://git.eclipse.org/r/c/orbit/orbit-recipes/+/166807/2/antlr/org.antlr.runtime_3.5.2/src/eclipse/ip_log.xml
[2] https://www.eclipse.org/lists/orbit-dev/msg05242.html
[3] https://clearlydefined.io/definitions/maven/mavencentral/com.glazedlists/glazedlists/1.11.0

_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/orbit-dev

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation, Inc.

Join us at our virtual event: EclipseCon 2020 - October 20-22

Follow-Ups:
- Re: [orbit-dev] ClearlyDefined Now Supported
  - From: Roland Grunberg

References:
- [orbit-dev] ClearlyDefined Now Supported
  - From: Roland Grunberg

Prev by Date: [orbit-dev] Declaring Build: S20200817205214 (2020-09 M3)
Next by Date: Re: [orbit-dev] ClearlyDefined Now Supported
Previous by thread: [orbit-dev] ClearlyDefined Now Supported
Next by thread: Re: [orbit-dev] ClearlyDefined Now Supported
Index(es):
- Date
- Thread

Breadcrumbs