Claudenw commented on issue #312: URL: https://github.com/apache/tooling-trusted-releases/issues/312#issuecomment-3536180829
The latest release of RAT 0.18 reads the archives in place, extracting files as necessary to process them.

We have also modified the configuration substantially so that licenses are defined in XML document(s) and not in code, thus adding additional license definitions is trivial.

We have abstracted the UI (CLI, Ant, Maven) so that they automatically adjust to new CLI properties and made the shift to CLI first. So new options are added to the CLI and then automatically picked up by the UIs. In some cases the UI may need "tuning".

We have not thought about "server" mode, though I would be interested in hearing the requirements.

@Jarek Potiuk I would be interested to understand what Airflow packages do not work. We utilise Tika to do the analysis of the file properties (media type, encoding, etc). It may be because we are still on an old version of Tika (that is changing for 1.0.0) or it may be that Tika does not understand Airflow packaging. Additionally it could be a mapping problem with how we work with a specific mime type.

We have a proposal to extend RAT by allowing multiple processes to operate on the file stream. Currently we only look for licenses, but there has been discussion around a plugin to validate NOTICE files to ensure that licenses that require notice are mentioned properly, and a plugin to check library files for both license conflicts and CVE issues. My thought on this is that we are already scanning through the project files in a language and IDE agnostic but aware fashion, we should see what else we can check at the same time.

We would gladly accept contributions and ideas around these topics. We are interested in exploring how we might be able to contribute to the trusted tooling initiative. At the moment we have a focus on cleaning up the code base and adding a Gradle UI in order to establish a clean 1.0.0 release.

Claude

On Fri, Nov 14, 2025 at 3:43 PM Jarek Potiuk wrote:

> *potiuk* left a comment (apache/tooling-trusted-releases#312)
> <https://github.com/apache/tooling-trusted-releases/issues/312#issuecomment-3533361627>
>
> I think ultimately projects are so heavily invested in RAT already that
> we'll probably need to make it work, and should ditch the lightweight
> Python checks.
>
> I think it's worth it - and the RAT team would be delighted to hear they
> are used more and more and that it becomes THE default check for RAT. I am
> sure @Claudenw <https://github.com/Claudenw> would be super happy to hear
> that - they revamped the whole experience recently with more focus on the
> CLI to work, and possibly they could even do something else - have a "local
> server" version of RAT - so that you can (on the RAT server) run RAT in a
> "server" mode and send it archives to verify. Recent version of RAT can
> automatically decompress and verify the archives. There are still some
> issues there - not all formats are supported and Airflow packages for some
> reason do not work, but this would make it much faster if locally you just
> pass to rat the archive path, and it could decompress it in memory and do
> verification there, without having to decompress it locally and send many
> files somewhere.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
