Hi Thomas,
I think something like this [1] may be happening with the newly failing dependency. TL;DR: probably the clearlydefined licensing "score" momentarily dropped below the threshold for automatic approval. No big deal - an IP request ticket was automatically opened on the EF Gitlab to deal with it, after which it should pass the check consistently, since it will not only rely on the clearlydefined score.
Good question about releasing while having a dependency that has not passed the "dash-licenses" IP check. We are given a bit of leeway in interpreting the results of the license check - dash-licenses is a tool to help us, not our overlord. I had to dig, but I found a quote from Wayne Beaton (in cc) to that effect:
"Keep in mind that the tool is intended to help, not be the authority. One of
the things that we need to consider is adding an "ignore" list to the tool so
that committers can override it in those cases where they know better." [2]
Looking into this particular case I do not think there is an issue with the dependency. Falling back to our old manual process, directly using clearlydefined.io [3] [4] and also looking for mentions of licenses in the git repo [5], I conclude it's licensed under MIT without ambiguity. I expect the EF IP team will come to the same conclusion when they have time to look at the ticket. Furthermore, this is a development-time dependency [6], which makes it less likely to be a problem, even if we were wrong about the conclusion above, since we are not distributing it (could be approved for our project as "works with").
In such a case, what we have done in the past is to add the dependency in question as an entry into our repo's "ignore list" file, "dependency-check-baseline.json", that lives in the repo root. The entry should mention that this dependency is still under review. This shows that we included it on purpose, and also this will make the license check pass. I suggest that we do that just before the release tomorrow, if the dependency has not yet been approved.
Sounds like a plan?
Regards,
Marc
P.S. a counterexample, where I think we would not want to proceed with a release without a 3PP being approved by the EF IP team, is when we have a new version of Electron, even if it passes the "dash-licenses" check. This may change if we get the green light here [7].
[6] i.e. no result when running this command in Theia repo root: "yarn list --prod | grep openapi-types"
From: theia-dev <theia-dev-bounces@xxxxxxxxxxx> on behalf of Thomas Mäder <t.s.maeder@xxxxxxxxx>
Sent: Wednesday, March 29, 2023 9:23 AM
To: theia developer discussions <theia-dev@xxxxxxxxxxx>
Subject: Re: [theia-dev] Failing license checks on PR's
Merging PRs is fine, but I would expect the foundation would frown upon doing a release with the IP checks failing, no? Isn't it up to the foundation to say if it's a false positive or not in this process?
/Thomas
------ Original Message ------
Date 29/03/2023 15:14:52
Subject Re: [theia-dev] Failing license checks on PR's
Hi Thomas,
I will have a look.
The license check is not configured as mandatory to pass, so if we believe that it fails because of a false positive, we can go ahead with the release (or merging a PR in general).
Regards,
Marc
Hi folks,
Am I right to say this blocks tomorrow's release if not resolved?
/Thomas