Comments (4)
waynebeaton
commented on June 26, 2024
ClearlyDefined is the common format. For our purposes, the five part identifier is sufficient as an identifier for content. e.g., "maven/mavencentral/commons-httpclient/commons-httpclient/3.0.1" unambiguously identifies content.
Given a identifier, we can query ClearlyDefined (or the Eclipse IPZilla) and get more information. ClearlyDefined provides the sourceURL, for example, in the results from their API. In at least a few different cases, I've changed the sourceURL in the ClearlyDefined data to point to a commit in a Git repository rather than the default pointer to the source JAR in Maven central. So these sourceURLs may change as better information becomes available.
This tool can easily be extended to include this information in the output if desired by an adopter (since we don't need that information, we'd have to make including it in the output optional).
At least theoretically, content with a similar identifier, e.g. "maven/eclipseNexus/commons-httpclient/commons-httpclient/3.0.1" (assuming that we make "eclipseNexus" meaningful) could actually be different. At least theoretically, content from some random Nexus instance could be entirely different content, or include significant additional intellectual property. If we decide that there is value in doing so, we will point the ClearlyDefined harvester at our Nexus instances and have it add that distinctiveness to its own.
From the perspective of implementing the Eclipse IP Policy, we only care about the content that is identified as "workswith" and IPZilla can provide us with this information (we have some work to do to make this work, but we have the data). From our perspective, dependencies of a workswith can just be trimmed from the dependency list. It would be great if usage information can be used to trim the list before the content is delivered to the tool. My feeling is this will manifest as best practices.
Flagging workswith content in the output is something that we should do.
For example the Eclipse Foundation host several maven repositories under https://repo.eclipse.org/ and having a dependency coming from an other Eclipse project induces less checks from the IP point of view.
Not true.
from dash-licenses.
jmini
commented on June 26, 2024
I found an interesting case today.
The clearlydefined simplification of the maven coordinates might be dangerous. The maven classifier matters and should not be dropped.
The lib has following dependencies:
jffi-1.2.16.jarjffi-1.2.16-native.jar
In the POM:
<dependency>
<groupId>com.github.jnr</groupId>
<artifactId>jffi</artifactId>
<version>1.2.16</version>
</dependency>
<dependency>
<groupId>com.github.jnr</groupId>
<artifactId>jffi</artifactId>
<version>1.2.16</version>
<classifier>native</classifier>
</dependency>Both are sharing the same POM, but if you need to check that the code of those jar is conform, it is dangerous to map them to one entry, because you need to verify bothβ¦
from dash-licenses.
boaks
commented on June 26, 2024
Let me add:
Executing
mvn dependency:liston linux, I get:
org.openjfx:javafx-base:jar:14:compile
org.openjfx:javafx-base:jar:linux:14:compile
on windows, I get
org.openjfx:javafx-base:jar:14:compile
org.openjfx:javafx-base:jar:win:14:compile
That will make it hard to include "all".
from dash-licenses.
waynebeaton
commented on June 26, 2024
I've opened an issue on ClearlyDefined to ask about how we can represent classifiers. clearlydefined/service#786
from dash-licenses.
Related Issues (20)
- lpg.generator HOT 5
- Add OSGi Metadata
- Problem parsing `yarn.lock` modified by `npm install`? HOT 5
- Don't shade the base artifact HOT 1
- Wrong example package detected in package-lock.json HOT 3
- Remapping of package name is not detected in package-lock.json HOT 3
- mavenLicenseCheck GH workflow is triggered (and immediately skipped) on every issue comment HOT 1
- Correctly parse crates version names HOT 2
- Reduce calls to clearlydefined HOT 2
- Move this repository to to the eclipse-dash organisation HOT 6
- The tool has built-in support for go.sum files
- Cyclic error reported for a bundle with fragment HOT 1
- Source bundles are present in dependencies after upgrading to Tycho 4.0.5. HOT 1
- Too many dependencies are present after upgrading to Tycho 4.0.5. HOT 3
- Download of latest dash-licenses jar is currently not working HOT 1
- Support the Conan C/C++ Package Manager
- dash-licenses does not understand npm Workspaces
- dotnet instructions feedback
- "Plugin not found in any plugin repository" HOT 2
- False positive on call-mvn-license-check github workflow HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dash-licenses.