vy commented on issue #4720: URL: https://github.com/apache/eventmesh/issues/4720#issuecomment-1878979544

If I understand it right, for a particular dependency (e.g., Log4j), these four locations must be aligned:

1. [build.gradle](/apache/eventmesh/blob/master/build.gradle#L490)
2. [tools/third-party-licenses/NOTICE#L626](/apache/eventmesh/blob/master/tools/third-party-licenses/NOTICE#L626)
3. [tools/dependency-check/known-dependencies.txt](https://github.com/apache/eventmesh/blob/master/tools/dependency-check/known-dependencies.txt#L145)
4. [tools/third-party-licenses/licenses/java/LICENSE-log4j-api.txt](https://github.com/apache/eventmesh/blob/master/tools/third-party-licenses/licenses/java/LICENSE-log4j-api.txt)

_[Please correct me if I am missing any above.]_

You can follow a strategy as follows:

1. Break down the `tools/third-party-licenses/NOTICE` file into multiple `tools/third-party-licenses/notices/*/NOTICE-*.txt` files. This is similar to what you already have for licenses, i.e., `tools/third-party-licenses/licenses/*/LICENSE-*.txt`.
2. Enrich `known-dependencies.txt` to contain the _link patterns formatted by version_ to external NOTICE and LICENSE files. For instance, you can use the following link pattern for the Log4j NOTICE file: `https://github.com/apache/logging-log4j2/blob/rel/<version>/NOTICE.txt`.
3. Implement a `dependabot`-specific GHA workflow such that if NOTICE and LICENSE files still do match and tests pass, update the version in `build.gradle` and `known-dependencies.txt` files.

If you are interested, I can implement this as a contractor and contribute to EventMesh.

**Disclaimer:** I am a long-time Log4j contributor and Apache Logging Services (log4j, log4cxx, etc.) PMC Chair.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
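One way the "NOTICE and LICENSE files still match" gate from step 3 of the comment above could be scripted, as an added example that is not part of the original comment or of EventMesh's code. The pipe-separated line format, the LICENSE link pattern, the names `parse_entry`, `fingerprint` and `check_bump`, and all sample versions and file texts are assumptions constructed for illustration.

```python
import hashlib
import re

# Assumed enriched line format (the comment does not define one):
#   <artifact>-<version>.jar | <NOTICE link pattern> | <LICENSE link pattern>
LINE_RE = re.compile(
    r"^(?P<artifact>[\w.-]+?)-(?P<version>\d[\w.]*)\.jar"
    r"\s*\|\s*(?P<notice>\S+)\s*\|\s*(?P<license>\S+)\s*$"
)

def parse_entry(line):
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable known-dependencies entry: {line!r}")
    return m.groupdict()

def fingerprint(text):
    # Hash the text, ignoring only line-ending and trailing-whitespace noise.
    lines = [l.rstrip() for l in text.replace("\r\n", "\n").strip().split("\n")]
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()

def check_bump(line, new_version, vendored, fetch):
    """Return (drifted, new_line): drifted lists which of 'notice'/'license'
    differ upstream at new_version; new_line is None unless nothing drifted."""
    entry = parse_entry(line)
    drifted = []
    for kind in ("notice", "license"):
        url = entry[kind].replace("<version>", new_version)
        if fingerprint(fetch(url)) != fingerprint(vendored[kind]):
            drifted.append(kind)
    if drifted:
        return drifted, None  # needs human review of the changed legal text
    return drifted, f"{entry['artifact']}-{new_version}.jar | {entry['notice']} | {entry['license']}"

# Constructed sample data: versions and file texts are made up for illustration.
BASE = "https://github.com/apache/logging-log4j2/blob/rel/"
ENTRY = f"log4j-api-1.0.0.jar | {BASE}<version>/NOTICE.txt | {BASE}<version>/LICENSE.txt"
VENDORED = {"notice": "Example NOTICE\nCopyright Example\n", "license": "Example LICENSE\n"}
UPSTREAM = {  # stands in for HTTP fetches so the example runs offline
    BASE + "1.0.1/NOTICE.txt": "Example NOTICE\r\nCopyright Example\r\n",
    BASE + "1.0.1/LICENSE.txt": "Example LICENSE\n",
    BASE + "2.0.0/NOTICE.txt": "Example NOTICE\nCopyright Example\nBundles Other Project\n",
    BASE + "2.0.0/LICENSE.txt": "Example LICENSE\n",
}

if __name__ == "__main__":
    for version in ("1.0.1", "2.0.0"):
        print(version, check_bump(ENTRY, version, VENDORED, UPSTREAM.__getitem__))
```

In a real workflow `fetch` would download the expanded URL and `vendored` would hold the contents of the per-dependency NOTICE and LICENSE files; a non-empty `drifted` list is the signal to stop the automatic bump and route the pull request to a person.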
