All content must be taken through the Eclipse IP Due Diligence Process. This includes all dependencies, dependencies of dependencies, etc. [recursive].
FWIW, the operating system and virtual machine are technically dependencies, but we classify them "exempt pre-reqs" per the Guidelines for the Review of Third Party Dependencies <https://eclipse.org/org/documents/Eclipse_Policy_and_Procedure_for_3rd_Party_Dependencies_Final.pdf> (implied, because we don't bother with actual CQs).

This is easy to think about in the context of a monolithic packaged deliverable. Basically anything that's in that hypothetical monolithic package must be taken through the Eclipse IP Due Diligence Process.

It's a little harder to think about when you distribute, say, a Maven JAR. Strictly speaking, you are only distributing that one JAR. But in the process of resolving that JAR, the consumer will need all sorts of other third party content; this content is all "pre-req dependencies" that we need the Eclipse IP Team to review.

Perhaps the most general way of thinking about it is that you need a CQ for all third party content related to your project code that will end up in a product built using your project's technology. It's on this basis that we can, for example, categorize build and test dependencies <https://wiki.eclipse.org/Development_Resources/IP/Test_and_Build_Dependencies> as "works with".

I suspect, however, that I'm venturing off topic...

HTH,

Wayne

On Tue, Sep 26, 2017 at 8:07 AM, Hudalla Kai (INST/ECS4) <[email protected]> wrote:

> Hi,
>
> in the IoT PMC we often review CQs by projects for components which the
> project relies on during runtime (not optionally but as a full pre-req).
> Some of these components themselves rely on many other components. We are
> often asked, whether the project needs to create CQs for all of these
> transitive dependencies as well (given that they are not optional but
> required during runtime).
>
> The project handbook [1] states that "All third-party libraries required
> by project code will have to be checked and approved by the IP Team."
> Following is a list of cases which constitute a "library required by the
> project". That list is described as "non-exhaustive" and in fact does not
> explicitly mention transitive dependencies. My understanding is that
> transitive deps definitely need to be checked/approved, but I would like to
> get some feedback e.g. from Wayne whether this is actually the case.
>
> --
>
> Best regards
>
> Kai Hudalla
> Chief Software Architect
>
> Bosch Software Innovations GmbH
> Ullsteinstraße 128
> 12109 Berlin
> GERMANY
> www.bosch-si.com
>
> Registered Office: Berlin, Registration Court: Amtsgericht Charlottenburg;
> HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing
> Directors: Dr.-Ing. Rainer Kallenbach, Michael Hahn
>
> _______________________________________________
> incubation mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/incubation

--
Wayne Beaton
Director of Open Source Projects
The Eclipse Foundation
