Comments (5)
The point of raising this repeatedly is this: if I need a compliance tool, and basic self-tests fail, I do not immediately understand whether I can use the tool to check compliance on my own software, or whether it will skip important details.
Unfortunately, that's not a good start.
Thanks for the report. However, I'm not sure I can follow your argumentation here. Running these tests is a tool for developers to check against regressions in code changes they make. No pure user of a compliance tool would ever run them. So why do you insist it's crucial to make a developer tool work for the end user? I basically was already asking the same question over here, but unfortunately you did not reply.
Here, I'll give it to you as a user story triplet:
As a developer or development manager,
In order to ensure compliance,
I want to know that my compliance check tool works.
But running developer tests in order to check that the tool works for users is bogus. Sure, functional tests try to resemble what a user would do, but you can't say anything about the outcome of the tests unless you put ultimate trust in the people who wrote the tests, and believe that they took great care to ensure reasonable coverage, to test the right things, and in the end did not merely hard-code a "BUILD SUCCESSFUL" console message. And if you put ultimate trust in these people anyway, you can just as well run the tool and try it out (yay!).
Also, if due to your missing tools say 70% of the tests would be skipped, what confidence does that give you if the remaining tests pass? Are you now 30% certain the tool works? Or 100% certain it works for your use-case? What is your use-case? Is it covered by tests at all?
I'm sorry, but to me your argumentation is broken and artificial. The only way to check if the compliance tool works for you is to try it out, and not to run its developer checks.
But - again, speaking as a developer or development manager - if I evaluate tools, they have to fulfil certain criteria before I even try them out:
- They need to be sufficiently documented (you have some gaps there)
- They need to self-test correctly (that's currently not the case)
- They're actively maintained (seems to be the case)
- etc.
Only after these checks are passed, do I bother trying them out or looking at the code base. These are very basic "smells" that I don't want to deal with in anything my business relies on. And these criteria actually follow an order as well:
- Testing and compliance tools are judged the harshest.
- Compilers.
- Basic frameworks and essential libraries.
- Optional libraries can fail a few criteria because they're easily replaced.
This is roughly in line with how damaging a failure of the tool is to the business.
I'm not even saying you're wrong per se; all your arguments are true. I just question the perspective. From the perspective of someone evaluating the reliability of tools in order to base their business interests on them, your tool currently fails pre-selection, and doesn't even qualify for being tried out.
You don't have to agree, and can feel free to close this issue, of course. I'm not invested in this beyond trying to help a friend here.