Hi Ed.
Ultimately, it's up to you to make sure that you have the right set of
CQs for the third party libraries that your project uses.
The scanner detects that you're distributing code from other Eclipse
projects and will give a pass to third-party libraries for which one of
those included projects has a CQ. The implementation obviously has
limited "smarts".
Again, the tool is intended to assist with the assessment process. It is
imperfect and it is unlikely that--given the very dynamic nature of
technology used and distribution schemes--it ever will be perfect.
> In the specific case of Guava where dependencies are 12.0.0 to 19.0.0,
> does that require 7 piggy-back CQs?
Theoretically, if your project will work with any of those versions, then
yes. Strictly speaking, you should probably have just one CQ for one
version of Guava and then a works-with CQ for all other versions. I
believe, however, that it is enough that you have a CQ for those
versions that you actually use.
I am hopeful that sometime this quarter, I'll be able to automatically
detect the use of some third-party JARs and provide the equivalent of
piggyback CQs in IP Logs [1]. Getting to a point where projects can just
use stuff out of Orbit and have it automatically tracked in the IP Log
is my first goal.
HTH,
Wayne
[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=475400
On 04/05/16 01:49 AM, Ed Willink wrote:
> Hi Wayne
> On 04/05/2016 04:34, Wayne Beaton wrote:
> > We have started work on a new version of the tool that will do a far
> > better job.
> I am delighted that my projects have no RED but I think you are
> encouraging a false sense of security since your tool's 'used' is
> actually 'ever redistributed'.
> In https://waynebeaton.wordpress.com/2011/09/09/is-a-cq-required/
> 'used' is 'directly referenced'.
> So I expect to see Guava in RED since I haven't bothered to raise a
> piggy-back CQ since versions change so often and I await the
> auto-re-piggy-back of approved CQs. Last time I looked it appeared
> that 90% of projects that have an old Guava piggy-back CQ had not
> re-piggy-backed.
> In the specific case of Guava where dependencies are 12.0.0 to 19.0.0,
> does that require 7 piggy-back CQs?
> Re-piggy-back:
> IMHO if Orbit has CQs for version X and Y, and a project has a
> piggy-back CQ for X, then it has an auto-re-piggy-back for Y.
> Regards
> Ed Willink
> _______________________________________________
> incubation mailing list
> [email protected]
> To change your delivery options, retrieve your password, or
> unsubscribe from this list, visit
> https://dev.eclipse.org/mailman/listinfo/incubation
--
Wayne Beaton
@waynebeaton
The Eclipse Foundation
EclipseCon France 2016 <http://www.eclipsecon.org/france2016>