Not to be critical of your attempts to help us, but when I look at 
something like 
https://www.eclipse.org/projects/tools/downloads.php?id=eclipse
it has a LOT of jars which are "inside" OSGi bundles. So many, that I am 
not sure the tool is all that helpful. 

Plus, aren't there also a lot of third party jars that ARE in OSGi form, 
and must still have a CQ? 

Am I missing something, or do people just learn to plod through it, and 
ignore the ones that are sort of obviously not third party? 

Or, is it a bug? :) 

Also, do you scan through p2 repositories? Or, just "download zips"? 
I ask since some things go into repositories that do not go into zips. 




From:   Wayne Beaton <[email protected]>
To:     [email protected], 
Date:   05/03/2016 11:39 PM
Subject:        [incubation] Project downloads scanner
Sent by:        [email protected]



Hey folks!

There is a tool accessible from your project page that provides a list 
(generated from your project downloads) of the third-party libraries that 
are used by your project. The scanner searches through everything in 
project's directory on the download server, including archive files. For 
every JAR file it finds, it attempts to identify a corresponding CQ. Any 
file that cannot be mapped to a CQ is highlighted in red. Click on an 
entry to show where that file is located.

e.g. 

https://www.eclipse.org/projects/tools/downloads.php?id=technology.dash

The tool only considers JAR files and it does its best work with OSGi 
bundles that follow the standard OSGi bundle naming pattern.

The tool is intended to assist with the process of ensuring that projects 
are distributing only approved libraries. It is far from perfect. The tool 
does report--at least for some projects--many false negatives (especially 
for JAR files that do not include version information in the file name). 
Don't panic if your project page shows a lot of red. This is one of the 
reasons why we make this page accessible only to committers and don't 
advertise it widely. If something jumps out at you, please try to 
mitigate. I'll help with mitigation when the time comes to do your 
first/next release. If something that you know is approved is showing up 
red, let me know. 

You can access the tool from your project's "PMI" page by expanding the 
"Committer Tools" section and clicking on the "Review Downloads" link 
(you'll have to login). It takes you here:

https://www.eclipse.org/projects/tools/downloads.php?id=<project.name> 
(where <project.name> is your project's full id, e.g. 'technology.dash')
We have started work on a new version of the tool that will do a far 
better job.

Note that the approval of third-party libraries is version-specific. If 
your project has approval for one version of a library but your build 
pulls in a newer version, you must either fix your build to pull only the 
approved version, or create a CQ for the new version.

There is more information about contribution questionnaires (CQs) in the 
Eclipse Project Handbook [1] (and the PolarSys [2] and LocationTech [3] 
variants).

HTH,

Wayne

[1] https://www.eclipse.org/projects/handbook/#ip-cq
[2] https://www.eclipse.org/projects/handbook/polarsys.html#ip-cq
[3] https://www.locationtech.org/documentation/handbook#ip-cq
-- 
Wayne Beaton
@waynebeaton
The Eclipse Foundation
_______________________________________________
incubation mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe 
from this list, visit
https://dev.eclipse.org/mailman/listinfo/incubation
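The reply above asks about JARs nested inside OSGi bundles and about project-owned bundles showing up red, and Wayne's message describes what the scanner does: walk the download area including archives, parse the OSGi bundle file-name pattern, and map each JAR to a version-specific CQ. The following is an added, stand-alone illustration of that workflow, not the Foundation's scanner and not code from either mail. It assumes the `<symbolic.name>_<version>.jar` naming pattern, a constructed approval table with placeholder CQ ids, that approval is keyed on the major.minor.micro part of the version (the build qualifier is ignored), and a hypothetical `project_prefix` used to set aside the project's own bundles. It goes one step beyond the text by descending into bundles that embed other JARs.

```python
"""Toy downloads scanner: walk a download tree, look inside .zip and .jar
archives (bundles can embed other JARs), parse the OSGi bundle file-name
pattern, and check each bundle against a version-specific approval table
standing in for CQ records. Added example, not the Eclipse tool."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# OSGi bundle file names look like <symbolic.name>_<version>.jar, where the
# version is major.minor.micro plus an optional build qualifier.
BUNDLE_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z0-9_.\-]*?)_"
    r"(?P<version>\d+(?:\.\d+){0,2}(?:\.[A-Za-z0-9_\-]+)?)\.jar$"
)
# Constructed approval table (placeholder CQ ids, not real ones): name -> {version: CQ}.
APPROVED = {
    "org.apache.commons.io": {"2.4.0": "CQ-PLACEHOLDER-1"},
    "com.google.guava": {"15.0.0": "CQ-PLACEHOLDER-2"},
}
MAX_DEPTH = 3  # how far to descend into archives nested inside archives


def parse_bundle_name(file_name):
    """Return (symbolic_name, version) for an OSGi-style file name, else None."""
    m = BUNDLE_RE.match(file_name)
    return (m.group("name"), m.group("version")) if m else None


def base_version(version):
    """major.minor.micro, qualifier dropped, missing parts padded with 0
    (assumption: approval is keyed on these three numbers)."""
    nums = [p for p in version.split(".")[:3] if p.isdigit()]
    return ".".join(nums + ["0"] * (3 - len(nums)))


def _jars_in_archive(data, location, depth):
    """Yield (location, file_name) for .jar members of an in-memory archive,
    recursing into members that are themselves archives."""
    if depth > MAX_DEPTH:
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:  # empty or non-zip payload: nothing to scan inside
        return
    with zf:
        for member in zf.namelist():
            if member.endswith(".jar"):
                inner = f"{location}!{member}"
                yield inner, member.rsplit("/", 1)[-1]
                yield from _jars_in_archive(zf.read(member), inner, depth + 1)
            elif member.endswith(".zip"):
                yield from _jars_in_archive(zf.read(member), f"{location}!{member}", depth + 1)


def iter_jars(root):
    """Yield every JAR under root, whether loose on disk or inside .zip/.jar files."""
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.suffix == ".jar":
            yield rel, path.name
        if path.suffix in (".jar", ".zip"):
            yield from _jars_in_archive(path.read_bytes(), rel, 1)


def classify(file_name, approved=APPROVED, project_prefix=None):
    """Map one JAR to a CQ: 'approved', 'version-mismatch' (approved only for
    another version), 'unmapped', 'project' (own bundle, not third party) or
    'unparsed' (name is not in the OSGi pattern; a known source of false reds)."""
    parsed = parse_bundle_name(file_name)
    if parsed is None:
        return "unparsed", None
    name, version = parsed
    if project_prefix and name.startswith(project_prefix):
        return "project", None
    cqs = approved.get(name, {})
    cq = cqs.get(base_version(version))
    if cq:
        return "approved", cq
    return ("version-mismatch" if cqs else "unmapped"), None


def scan(root, approved=APPROVED, project_prefix=None):
    """Scan a download tree; anything not 'approved' or 'project' needs attention."""
    rows = []
    for location, file_name in iter_jars(root):
        status, cq = classify(file_name, approved, project_prefix)
        rows.append({"location": location, "file": file_name, "status": status, "cq": cq})
    return rows


def build_sample_downloads(root):
    """Constructed fixture: a release zip with two third-party bundles and a
    project bundle embedding a non-OSGi-named library, plus a loose jar.
    Member payloads are empty because only file names are inspected."""
    root = Path(root)
    (root / "releases").mkdir(parents=True, exist_ok=True)
    bundle = io.BytesIO()
    with zipfile.ZipFile(bundle, "w") as b:
        b.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        b.writestr("lib/junit-4.12.jar", b"")
    with zipfile.ZipFile(root / "releases" / "sdk-1.0.zip", "w") as z:
        z.writestr("plugins/org.apache.commons.io_2.4.0.v20140425.jar", b"")
        z.writestr("plugins/com.google.guava_18.0.0.v20140430.jar", b"")
        z.writestr("plugins/org.example.myproject.core_1.0.0.jar", bundle.getvalue())
    (root / "standalone-tool.jar").write_bytes(b"")


def demo():
    """Build the fixture in a temp dir, scan it, return {file_name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_downloads(tmp)
        rows = scan(tmp, APPROVED, project_prefix="org.example.myproject")
        for row in rows:
            print(f"{row['status']:16} {row['location']}  {row['cq'] or ''}")
        return {row["file"]: row["status"] for row in rows}


if __name__ == "__main__":
    demo()
```

Running it lists five entries: the commons-io bundle maps to its placeholder CQ, the guava bundle is flagged as a version mismatch (approved for 15.0.0, shipped as 18.0.0), the project's own bundle is set aside, and both `junit-4.12.jar` (embedded inside that bundle) and the loose `standalone-tool.jar` come out as unparsed because their names are not in the OSGi pattern, which is exactly the kind of file Wayne says the real tool handles worst.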


