vy commented on issue #4720: URL: https://github.com/apache/eventmesh/issues/4720#issuecomment-1882808024
> In your experience and knowledge, do you think our LICENSE and dependency management are excessively configured?

@Pil0tXia, I wouldn't say so. There is no plug-n-play tooling to make life easier for 1) Gradle/Maven application developers 2) that need to provide a binary distribution 3) complying with the [ASF distribution requirements](https://infra.apache.org/licensing-howto.html#bundled-vs-non-bundled). Airflow, Kafka, etc. all roll out their own solutions. These efforts are mostly manual, that is, people occasionally check the validity of these files and update them as they see fit.

Note that point (2) – that is, the fact that you distribute binaries – is crucial. For instance, Log4j doesn't distribute binaries containing dependencies. Hence, there, we don't have this problem. We only maintain a `NOTICE` manually, which has been almost fixed for decades.

> For example, we attach a txt file for every third-party dependency (e.g., `tools/third-party-licenses/licenses/java/LICENSE-log4j-api.txt`). Is it necessary to declare the licenses of these dependencies again in `tools/third-party-licenses/LICENSE`?

No, I don't think so.

> Regarding dependency management, I haven't seen any other projects using the `tools/dependency-check/known-dependencies.txt` file. The RocketMQ project doesn't perform dependency checks, while Kafka uses [a Gradle plugin](https://github.com/apache/kafka/blob/cce63274f2fdf9a4db014e2bae8019677b2cd7b2/build.gradle#L755-L758) with minimal configuration. Does this mean that the `tools/dependency-check/known-dependencies.txt` file is redundant?

I don't think so. You have a license check as part of the build. This is great. You also partially implemented a framework to _automatically_ include the LICENSE, etc. files while creating a distribution. But updates to this framework are not automated yet.

In conclusion, I don't think you are over-engineering. I think you are trying to do the right thing.
I will consult `[email protected]` on this matter and see if we can simplify the process before getting down to implement an automation pipeline around it.
