On 21/10/2023 22:51, Bruno Kinoshita wrote:
Thanks Andy!

I had a go at the UI dependencies upgrade, and found some deprecation
warnings (from vite I think) and e2e tests that need to be fixed. I'm doing
those tasks for the jena5 branch.

Great - thank you.

It's time to get 4.10.0 out and switch over.

Will also try to look at the BOM issues as I may need that for $work
(future EU regulations and all).

tl;dr:

Let's publish CycloneDX and hold back on SPDX for now.
There's a lot going on in ASF and the picture will become clearer.
I don't think Jena is special or different in its requirements.

Starting to provide a format, then stopping, is not very helpful.
CycloneDX is easier to produce and has more uptake in ASF.

The US gov accepts CycloneDX as well as SPDX and Software Identification (SWID) tag.

I'd be surprised if the EU does not align.

----


SPDX is quite detailed. It was originally for license management. I'm beginning to think it is less useful for simple machine generation and expects manual configuration to at least check all its deductions, and probably change them. Having some coverage of license information but not full coverage seems like a bad idea for both us and users.

Interestingly, RAT has a class "SpdxBuilder".
Combining SPDX with RAT could be useful.

In ASF, only Commons is producing SPDX that I can find.

Links I have found useful:

https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/

IN ASF:
https://cwiki.apache.org/confluence/display/COMDEV/SBOM

Discussion on
https://github.com/apache/logging-log4j2/issues/1707
 -- worth tracking

and e.g.

https://github.com/apache/spark/pull/39401
  Dongjoon Hyun has been doing quite a few of the PRs
  for adding CycloneDX to projects so his work is getting
  wide review.

    Andy

PS SPDX can be RDF!, and in fact the maven plugin uses Jena!
Jena 3.10.0 :-(


Cheers,

Bruno

On Fri, 20 Oct 2023 at 11:56, Andy Seaborne <a...@apache.org> wrote:



On 19/10/2023 22:21, Bruno Kinoshita wrote:
Great progress Andy!

I saw that you created several issues for Jena5.

Sorry - because it's a branch, github hasn't closed them when the PR was
merged.

https://github.com/apache/jena/issues?q=is%3Aissue+is%3Aopen+label%3AJena5

should make things clearer

There's always a lot of things that would be nice but that then delays
the release.

I'm going through my notes and I'll raise issues.

+ There is one "must" change: normalization of language tags.

https://github.com/apache/jena/issues/2039

because that impacts on-disc data.

+ The SBOM SPDX files don't look very good - too many NOASSERTION.


https://repository.apache.org/content/groups/snapshots/org/apache/jena/jena-arq/5.0.0-SNAPSHOT/jena-arq-5.0.0-20231018.142515-1.spdx.json

but maybe that is just how it is. I'm not sure what "good practice" in
ASF is or what "good practice" is generally (e.g. SBOMs for every
artifact is best or are they just clutter?).

Many projects produce CycloneDX files but not SPDX.

  > Are there any easy ones that you need help with?

2048 maybe

Should we do a general update of dependencies in FusekiUI?

      Andy

Cheers
Bruno

On Wed, 18 Oct 2023 at 17:15, Andy Seaborne <a...@apache.org> wrote:



On 12/10/2023 10:05, Andy Seaborne wrote:

On 06/10/2023 11:47, Andy Seaborne wrote:
There's a large PR for a new branch "jena5"

      https://github.com/apache/jena/pull/2029

of what I've managed to do so far.

It's not finished.

       Andy

I'd like to bring the PR in as a branch and setup Jenkins to produce
snapshot artifacts.

Branch setup, code merged to branch "jena5"

There will be forced pushes due to rebasing to "main".

This will end when Jena 4.10.0 is released which makes a nice, clear
point at which to create a jena4 and make main jena5 development.

There are one or two items that need to go into 4.10.0 before that can
be released.

Jenkins is deploying 5.0.0-SNAPSHOT to the Apache snapshots repository.

https://repository.apache.org/content/repositories/snapshots/

       Andy
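The thread's concern about SPDX output being "too many NOASSERTION" is something a release manager can measure rather than eyeball. The script below is an added example and is not code from the Jena project or from anyone in this thread: it loads an SPDX 2.x JSON or CycloneDX JSON document, counts how many packages/components carry a usable license expression, counts NOASSERTION values across the whole document, and applies an assumed coverage threshold (90%, a placeholder policy) so the check can run in CI. The two sample documents are constructed inline for the example and are not the real jena-arq snapshot files linked above.

```python
"""Score an SBOM by how much license information it actually carries.

Added example for the SPDX vs CycloneDX discussion; not Jena project code.
Sample documents below are constructed and do not reflect real artifacts.
"""
import json
from dataclasses import dataclass, field

NOASSERTION = "NOASSERTION"


@dataclass
class Coverage:
    fmt: str                 # "spdx" or "cyclonedx"
    total: int = 0           # packages/components examined
    covered: int = 0         # those with a real license expression
    missing: list = field(default_factory=list)  # names lacking license data

    @property
    def ratio(self) -> float:
        return self.covered / self.total if self.total else 0.0


def _usable(value) -> bool:
    """True for a real license id/expression; False for empty, NOASSERTION or NONE."""
    return isinstance(value, str) and value.strip() not in ("", NOASSERTION, "NONE")


def count_noassertion(node) -> int:
    """Count NOASSERTION string values anywhere in a parsed JSON document."""
    if isinstance(node, dict):
        return sum(count_noassertion(v) for v in node.values())
    if isinstance(node, list):
        return sum(count_noassertion(v) for v in node)
    return 1 if node == NOASSERTION else 0


def spdx_coverage(doc: dict) -> Coverage:
    """SPDX 2.x: covered if licenseConcluded or licenseDeclared is a real expression."""
    cov = Coverage("spdx")
    for pkg in doc.get("packages", []):
        cov.total += 1
        if _usable(pkg.get("licenseConcluded")) or _usable(pkg.get("licenseDeclared")):
            cov.covered += 1
        else:
            cov.missing.append(pkg.get("name", pkg.get("SPDXID", "?")))
    return cov


def cyclonedx_coverage(doc: dict) -> Coverage:
    """CycloneDX: covered if any licenses entry has an id, a name or an expression."""
    cov = Coverage("cyclonedx")
    for comp in doc.get("components", []):
        cov.total += 1
        entries = comp.get("licenses") or []
        found = any(
            _usable(e.get("expression"))
            or _usable((e.get("license") or {}).get("id"))
            or _usable((e.get("license") or {}).get("name"))
            for e in entries
        )
        if found:
            cov.covered += 1
        else:
            cov.missing.append(comp.get("name", comp.get("bom-ref", "?")))
    return cov


def score_sbom(text: str) -> Coverage:
    """Detect the SBOM format from its top-level markers and score it."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return cyclonedx_coverage(doc)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return spdx_coverage(doc)
    raise ValueError("not a recognised SPDX or CycloneDX JSON document")


def acceptable(cov: Coverage, threshold: float = 0.9) -> bool:
    """Assumed release policy: fail the SBOM if license coverage is below threshold."""
    return cov.ratio >= threshold


# Constructed sample: an SPDX document with the NOASSERTION pattern from the thread.
SPDX_SAMPLE = """{
  "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-sbom",
  "packages": [
    {"SPDXID": "SPDXRef-1", "name": "jena-arq", "versionInfo": "5.0.0-SNAPSHOT",
     "licenseConcluded": "NOASSERTION", "licenseDeclared": "Apache-2.0",
     "downloadLocation": "NOASSERTION"},
    {"SPDXID": "SPDXRef-2", "name": "jena-iri", "versionInfo": "5.0.0-SNAPSHOT",
     "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION",
     "downloadLocation": "NOASSERTION", "copyrightText": "NOASSERTION"},
    {"SPDXID": "SPDXRef-3", "name": "jakarta.json", "versionInfo": "2.1.0",
     "licenseConcluded": "EPL-2.0 OR GPL-2.0-with-classpath-exception",
     "licenseDeclared": "NOASSERTION", "downloadLocation": "https://example.invalid/j"}
  ]
}"""

# Constructed sample: the same three artifacts as a CycloneDX document.
CDX_SAMPLE = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "components": [
    {"type": "library", "name": "jena-arq", "version": "5.0.0-SNAPSHOT",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "jakarta.json", "version": "2.1.0",
     "licenses": [{"expression": "EPL-2.0 OR GPL-2.0-with-classpath-exception"}]},
    {"type": "library", "name": "jena-iri", "version": "5.0.0-SNAPSHOT"}
  ]
}"""

if __name__ == "__main__":
    for sample in (SPDX_SAMPLE, CDX_SAMPLE):
        cov = score_sbom(sample)
        print(f"{cov.fmt}: {cov.covered}/{cov.total} licensed ({cov.ratio:.0%}), "
              f"NOASSERTION x{count_noassertion(json.loads(sample))}, "
              f"missing={cov.missing}, ok={acceptable(cov)}")
```

Run it over a downloaded `*.spdx.json` or `*.cdx.json` by passing the file contents to `score_sbom`; a low ratio with a high NOASSERTION count is the signal that the generator is emitting placeholders rather than license data, which is the case where the thread argues that partial coverage is worse than none.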