Re: [orbit-dev] ClearlyDefined Now Supported

Close. Our understanding of how to use ClearlyDefined has evolved a little since we spoke at EclipseCon.

Per the handbook:

If third-party content is not known to IPZilla, then ClearlyDefined can be used. When an entry is known to ClearlyDefined and has a score of at least 75 and all discovered licenses are on the Eclipse Foundation’s approved licenses list, then the content can be used without further action.

As I look at this, I realize that it's not quite right. As you suggested, the effective license score is what we're most interested in, and both the declared and discovered licenses need to match. I'll update this. Note that we've discussed dropping the threshold. 

Now that Eclipse Orbit has a Maven-based build, you can actually use the Dash License Tool to determine whether or not a CQ is required. I ran the tool on the build and discovered a few gaps in our data that I've filled. Note that the build identifies a small number of Eclipse GlassFish/Jakarta dependencies that we can safely ignore. I also noticed that the tool fails to parse a couple of funky version numbers, so I'm working on a fix for that. I noticed a handful of other build dependencies that I may need help with. 

Note that the tool works off a dependency list. It's up to you to determine how to build that dependency list. You can, for example, run the tool on Maven dependency information generated for a single directory in the Orbit build:

[wayne@localhost icu4j]$ mvn dependency:list | grep -Poh "\S+:(system|provided|compile)" | sort | uniq | java -jar /gitroot/dash/org.eclipse.dash.license/target/org.eclipse.dash.licenses-0.0.1-SNAPSHOT.jar -
Querying Eclipse Foundation for license data for 1 items.
Found 1 items.
Vetted license information was found for all content. No further investigation is required.
[wayne@localhost icu4j]$ _


[wayne@localhost apache]$ mvn dependency:list | grep -Poh "\S+:(system|provided|compile)" | sort | uniq | java -jar /gitroot/dash/org.eclipse.dash.license/target/org.eclipse.dash.licenses-0.0.1-SNAPSHOT.jar -
Querying Eclipse Foundation for license data for 189 items.
Found 87 items.
Querying ClearlyDefined for license data for 102 items.
Found 91 items.
License information could not automatically verified for the following content:

maven/mavencentral/ (null)
maven/mavencentral/com.sun.activation/jakarta.activation/1.2.1 (null)
maven/mavencentral/org.junit.platform/junit-platform-commons/1.2.0 (null)
maven/mavencentral/org.python/jython/2.7.0 (null)
maven/mavencentral/com.sun.mail/jakarta.mail/1.6.4 (null)
maven/mavencentral/org.junit.platform/junit-platform-engine/1.2.0 (null)
maven/mavencentral/org.junit.platform/junit-platform-launcher/1.2.0 (null)
maven/mavencentral/jdepend/jdepend/2.9.1 (null)
maven/mavencentral/ (null)
maven/mavencentral/commons-net/commons-net/3.6 (null)
maven/mavencentral/org.tukaani/xz/1.2 (null)

Please create contribution questionnaires for this content.
[wayne@localhost apache]$ _

In the ./apache case, jakarta.mail is actually from an Eclipse project, so you can skip that one (I'll see if I can further tune the script to remove it automatically). I'm pretty sure that the JUnit ones come from a minor version of JUnit 5 that has not been vetted by the IP Team (or fully harvested by ClearlyDefined). In fact, the JUnit ones are great examples of how the ClearlyDefined score is misleading (the source has not actually been scanned, so the license list is showing NOASSERTION).

It could be that some of these dependencies are "build and test" dependencies. If you can identify them as such, then no further investigation is required.

I talked a bit about creating the dependency list to feed the tool in a recent blog post.



On Wed, Jul 29, 2020 at 2:52 PM Roland Grunberg <rgrunber@xxxxxxxxxx> wrote:
Hello all,

In Orbit, we now support ClearlyDefined as a source for licensing
information. Once contributed to the ip_log.xml of a bundle [1], the
data will appear on the downloads page with the text 'ClearlyDefined'
that links to the information.

It has been mentioned in the past [2] that you can consider the content
acceptable if its effective score is above 50. I would think this
applies to the effective score for licensing, and not overall, since
I've seen cases [3] where the overall score is above 50, with no
licensing information at all.

I'll update our README in orbit-recipes as well as documentation to
reflect this.

Roland Grunberg




Wayne Beaton

Director of Open Source Projects | Eclipse Foundation, Inc.

Join us at our virtual event: EclipseCon 2020 - October 20-22
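Added worked example (not code from the Orbit project or the Dash License Tool): a Python script that builds the dependency list the way the grep pipeline above does (shipped scopes only, de-duplicated, converted to ClearlyDefined coordinates) and then applies the handbook rule quoted in the reply (effective score of at least 75, and every declared and discovered license on the approved list) to ClearlyDefined-style definitions. The Maven output, the definitions and the approved-license subset are constructed for the example; the definition field layout used here (`scores.effective`, `licensed.declared`, `licensed.facets.core.discovered.expressions`) is an assumption about the ClearlyDefined JSON and should be checked against a real definition before relying on it.

```python
"""Added example: build a dependency list from `mvn dependency:list` output and
apply the 'score >= 75 and all licenses approved' rule to ClearlyDefined-style
definitions. All sample data below is constructed; the definition layout is an
assumption about ClearlyDefined's JSON, not taken from the page."""
import re
from typing import Dict, List, Optional, Tuple

# Scopes that ship with the product; test/runtime deps are left out, as in the
# grep "\S+:(system|provided|compile)" in the pipeline above.
SHIPPED_SCOPES = {"compile", "provided", "system"}
SCORE_THRESHOLD = 75  # threshold from the handbook text quoted in the reply
# Constructed subset of an approved-license list, not the Foundation's real list.
APPROVED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "EPL-1.0", "EPL-2.0"}

# "group:artifact:type[:classifier]:version:scope" anywhere on the line
DEP_RE = re.compile(r"(\S+):(compile|provided|system|runtime|test)\b")

def dependency_list(mvn_output: str) -> List[str]:
    """Return sorted, de-duplicated ClearlyDefined coordinates for shipped deps."""
    coords = set()
    for line in mvn_output.splitlines():
        m = DEP_RE.search(line)
        if not m or m.group(2) not in SHIPPED_SCOPES:
            continue
        parts = m.group(1).split(":")  # group, artifact, type, [classifier], version
        if len(parts) < 4:
            continue  # not a Maven coordinate (e.g. log noise)
        group, artifact, version = parts[0], parts[1], parts[-1]
        coords.add(f"maven/mavencentral/{group}/{artifact}/{version}")
    return sorted(coords)

def licenses_in(expression: str) -> set:
    """Split an SPDX expression such as 'Apache-2.0 AND MIT' into license ids.
    NOASSERTION/NONE are kept so the caller sees them rather than silently passing."""
    return {t for t in re.split(r"\s+(?:AND|OR|WITH)\s+|[()]", expression) if t}

def assess(definition: Optional[Dict]) -> Tuple[bool, str]:
    """Apply the rule: effective score >= threshold and every declared AND
    discovered license approved. Returns (ok, reason)."""
    if definition is None:
        return False, "not known to ClearlyDefined"
    score = definition.get("scores", {}).get("effective", 0)
    licensed = definition.get("licensed", {})
    declared = licensed.get("declared") or "NOASSERTION"
    discovered = (licensed.get("facets", {}).get("core", {})
                  .get("discovered", {}).get("expressions", []))
    if score < SCORE_THRESHOLD:
        return False, f"effective score {score} < {SCORE_THRESHOLD}"
    if not discovered:
        return False, "no discovered licenses (source not scanned?)"
    found = licenses_in(declared)
    for expr in discovered:
        found |= licenses_in(expr)
    bad = sorted(found - APPROVED_LICENSES)
    if bad:
        # A high score with NOASSERTION here is the misleading case described above.
        return False, "unapproved or unknown license(s): " + ", ".join(bad)
    return True, f"score {score}, licenses {sorted(found)}"

def check_build(mvn_output: str, definitions: Dict[str, Dict]) -> Dict[str, Tuple[bool, str]]:
    """Run the assessment over every shipped dependency in the build output."""
    return {c: assess(definitions.get(c)) for c in dependency_list(mvn_output)}

# Constructed mvn dependency:list output (one duplicate, one test-scoped dep).
SAMPLE_MVN_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.2:list (default-cli) @ example ---
[INFO] The following files have been resolved:
[INFO]    commons-net:commons-net:jar:3.6:compile
[INFO]    org.junit.platform:junit-platform-commons:jar:1.2.0:compile
[INFO]    org.tukaani:xz:jar:1.2:compile
[INFO]    junit:junit:jar:4.13:test
[INFO]    commons-net:commons-net:jar:3.6:compile
"""

# Constructed ClearlyDefined-style definitions (layout assumed, values invented).
SAMPLE_DEFINITIONS = {
    "maven/mavencentral/commons-net/commons-net/3.6": {
        "scores": {"effective": 87, "tool": 87},
        "licensed": {"declared": "Apache-2.0",
                     "facets": {"core": {"discovered": {"expressions": ["Apache-2.0"]}}}},
    },
    # High score but unscanned source: discovered list holds only NOASSERTION.
    "maven/mavencentral/org.junit.platform/junit-platform-commons/1.2.0": {
        "scores": {"effective": 80, "tool": 80},
        "licensed": {"declared": "EPL-2.0",
                     "facets": {"core": {"discovered": {"expressions": ["NOASSERTION"]}}}},
    },
    # xz is deliberately absent: "not known to ClearlyDefined".
}

if __name__ == "__main__":
    for coord, (ok, reason) in check_build(SAMPLE_MVN_OUTPUT, SAMPLE_DEFINITIONS).items():
        print(("OK   " if ok else "CQ?  ") + coord + "  (" + reason + ")")
```

The JUnit entry is the case described in the reply: its effective score clears the threshold, but because the discovered list is NOASSERTION the check still fails, so the score alone must not be used as the acceptance criterion.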
