As I said, the tool is intended to help with the process.
I just plod through it. The results for some projects are better than
others.
One optimization that I'd like to make is to have it consider the
full path for those JARs that are inside bundles. The new implementation
that I'm working on does this.
The scanner walks through the project's download directory and digs into
any compressed archives. It doesn't know about p2 repositories, just files.
Wayne
On 04/05/16 01:31 AM, David M Williams wrote:
Not to be critical of your attempts to help us, but when I look at
something like
https://www.eclipse.org/projects/tools/downloads.php?id=eclipse
it has a LOT of jars which are "inside" OSGi bundles. So many, that I
am not sure the tool is all that helpful.
Plus, aren't there also a lot of third party jars that ARE in OSGi
form, and must still have a CQ?
Am I missing something, or do people just learn to plod through it,
and ignore the ones that are sort of obviously not third party?
Or, is it a bug? :)
Also, do you scan through p2 repositories? Or, just "download
zips"? I ask since some things go into repositories that do not go
into zips.
From: Wayne Beaton <[email protected]>
To: [email protected],
Date: 05/03/2016 11:39 PM
Subject: [incubation] Project downloads scanner
Sent by: [email protected]
------------------------------------------------------------------------
Hey folks!
There is a tool accessible from your project page that provides a list
(generated from your project downloads) of the third-party libraries
that are used by your project. The scanner searches through everything
in project's directory on the download server, including archive
files. For every JAR file it finds, it attempts to identify a
corresponding CQ. Any file that cannot be mapped to a CQ is
highlighted in red. Click on an entry to show where that file is located.
e.g.
https://www.eclipse.org/projects/tools/downloads.php?id=technology.dash
The tool only considers JAR files and it does its best work with OSGi
bundles that follow the standard OSGi bundle naming pattern.
The tool is intended to *assist* with the process of ensuring that
projects are distributing only approved libraries. It is far from
perfect. The tool does report--at least for some projects--many false
negatives (especially for JAR files that do not include version
information in the file name). *Don't panic* if your project page
shows a lot of red. This is one of the reasons why we make this page
accessible only to committers and don't advertise it widely. If
something jumps out at you, please try to mitigate. I'll help with
mitigation when the time comes to do your first/next release. If
something that you know is approved is showing up red, let me
know.
You can access the tool from your project's "PMI" page by expanding
the "Committer Tools" section and clicking on the "Review Downloads"
link (you'll have to login). It takes you here:
https://www.eclipse.org/projects/tools/downloads.php?id=<project.name>
(where <project.name> is your project's full id, e.g. 'technology.dash')
We have started work on a new version of the tool that will do a far
better job.
Note that the approval of third-party libraries is version-specific.
If your project has approval for one version of a library but your
build pulls in a newer version, you must either fix your build to pull
only the approved version, or create a CQ for the new version.
There is more information about contribution questionnaires (CQs) in
the Eclipse Project Handbook [1] (and the PolarSys [2] and
LocationTech [3] variants).
HTH,
Wayne
[1] https://www.eclipse.org/projects/handbook/#ip-cq
[2] https://www.eclipse.org/projects/handbook/polarsys.html#ip-cq
[3] https://www.locationtech.org/documentation/handbook#ip-cq
--
Wayne Beaton
@waynebeaton
The Eclipse Foundation
EclipseCon France 2016 <http://www.eclipsecon.org/france2016>
_______________________________________________
incubation mailing list
[email protected]
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/incubation
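
An added sketch of the approach described in this thread (not the Eclipse scanner's code, which the thread does not show): recurse into nested archives, report each JAR with its full path, and match OSGi-style file names against a version-specific approved list. The file-name pattern, the `!/` path separator, the approved set and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumed OSGi-style file name: <symbolic.name>_<major.minor.micro>[.qualifier].jar
BUNDLE_RE = re.compile(r"^(?P<name>.+?)_(?P<version>\d+\.\d+\.\d+)(?:\.[\w-]+)?\.jar$")
ARCHIVE_EXT = (".zip", ".jar", ".war")
MAX_DEPTH, MAX_BYTES = 5, 50 * 1024 * 1024  # guard against archive bombs

def find_jars(data, path, depth=0):
    """Yield the full nested path of every JAR inside the archive bytes `data`."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.lower().endswith(ARCHIVE_EXT):
                continue
            full = f"{path}!/{name}"
            if name.lower().endswith(".jar"):
                yield full
            if depth < MAX_DEPTH and info.file_size <= MAX_BYTES:
                try:
                    yield from find_jars(zf.read(info), full, depth + 1)
                except zipfile.BadZipFile:
                    pass  # unreadable archive; the file itself was already reported

def classify(full_path, approved):
    """Map one JAR to 'approved', 'unapproved' or 'unidentified' (no version in name)."""
    m = BUNDLE_RE.match(full_path.rsplit("/", 1)[-1])
    if not m:
        return "unidentified"
    return "approved" if (m["name"], m["version"]) in approved else "unapproved"

def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (used for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: a download zip holding two bundles, one with JARs nested inside it.
LEAF = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
APP = make_zip({"lib/commons-lang.jar": LEAF, "lib/com.google.guava_19.0.0.jar": LEAF})
SAMPLE = make_zip({"plugins/org.example.app_1.0.0.jar": APP,
                   "plugins/org.apache.commons.lang_2.6.0.v201404270220.jar": LEAF})
APPROVED = {("org.apache.commons.lang", "2.6.0"), ("com.google.guava", "15.0.0")}

if __name__ == "__main__":
    for p in find_jars(SAMPLE, "downloads.zip"):
        print(f"{classify(p, APPROVED):12} {p}")
```

On the sample, the project's own bundle and the newer Guava both come out "unapproved" and the unversioned `commons-lang.jar` comes out "unidentified", which mirrors the noise discussed in the thread.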