Pil0tXia commented on code in PR #4831: URL: https://github.com/apache/eventmesh/pull/4831#discussion_r1574930744
########## build.gradle: ########## 
@@ -252,6 +251,107 @@ tasks.register('printProjects') { }) } +cyclonedxBom { + includeConfigs = ["runtimeClasspath"] +} + +tasks.register('generateDistLicense') { + dependsOn('cyclonedxBom') // Task from 'org.cyclonedx.bom' plugin + doLast { + // Inputs + def bomFile = file("$buildDir/reports/bom.json") + def bom = new JsonSlurper().parseText(bomFile.text) + def projectLicenseText = file('LICENSE').text + + // Outputs + def distLicenseFile = file('tools/dist-license/LICENSE') + def licensesDir = file('tools/dist-license/licenses/java/') + if (licensesDir.exists()) { + licensesDir.eachFile { it.delete() } + } else { + licensesDir.mkdirs() + } + + List<Map<String, String>> thirdPartyArtifacts = new ArrayList<Map<String, String>>() + // Parse BOM + bom.components.each { component -> + // Exclude project modules + if (!component.group.startsWith('org.apache.eventmesh')) { + component.licenses.each { artifactLicense -> + if (artifactLicense.license != null) { + Map<String, String> artifact = new HashMap<String, String>() + artifact.put("name", component.name) + artifact.put("version", component.version) + if (artifactLicense.license.id != null) { + artifact.put("license", artifactLicense.license.id) + if (artifactLicense.license.text != null) { + artifact.put("licenseContent", new String(artifactLicense.license.text.content.decodeBase64())) + } + } else { + artifact.put("license", artifactLicense.license.name) + artifact.put("licenseContent", artifactLicense.license.url) + } + thirdPartyArtifacts.add(artifact) + } + } + } + } + thirdPartyArtifacts.sort { a, b -> + def nameComparison = a.name <=> b.name + if (nameComparison == 0) { + return a.version <=> b.version + } else { + return nameComparison + } + } + + def distLicenseText = projectLicenseText + "\n=======================================================================\n" + + "This distribution contains the following third-party artifacts:\n\n" + thirdPartyArtifacts.each { artifact -> + // Write licenses + def 
artifactLicenseFilename = artifact.license.replaceAll("/", "-") + ".txt" + def artifactLicenseFile = new File(licensesDir, artifactLicenseFilename)

Review Comment:

> When it comes to artifacts that don't comply with SPDX, in my humble opinion, they should not be included in an Open Source distribution until a lawyer has reviewed the license.

The majority of artifacts that don't fully comply with SPDX are usually compatible. For example, the "ASL" license of `jna` and the "AL 2.0" license of `amqp-client` are essentially the same as Apache-2.0. However, the Amazon Software License, which is also an ASL, is not compatible. Therefore, we must treat artifacts differently based on whether they use SPDX identifiers or custom names (which has been addressed in this pull request by handling `license.id` and `license.name` separately).

> These artifacts can be found in the `tools/dist-license/licenses/java` folder of this pull request.

The `generateDistLicense` Gradle task does not guarantee that the Release Manager can completely ignore license checks. It is the responsibility of the RM to ensure the compatibility of all licenses. The purpose of submitting this PR is to reduce the workload of the RM and ensure that the licenses of all project dependencies are included in the distribution and not overlooked.

If the logic of the `generateDistLicense` task is changed to a whitelist mode, it would mean that every time we release, we would have to manually approve all dependencies from the past six months by creating new files and pasting the license contents, and remove licenses that are no longer included in this version. If we maintain the existing logic of this PR, the RM would **only need to check for newly added files in Git** and confirm compatibility with the added licenses. Compared to the former approach, I believe the latter is easier and equally secure. Therefore, I think maintaining the existing generation logic of this PR is sufficient.
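Review bot: `artifact.license` is turned into a file name with only `/` replaced (`def artifactLicenseFilename = artifact.license.replaceAll("/", "-") + ".txt"`), but in the `license.name` branch that value is free-form text taken from the dependency's own metadata, so `..`, backslashes and characters that are illegal on Windows reach `new File(licensesDir, artifactLicenseFilename)` unchanged; restrict the label to a conservative character set (for example `replaceAll("[^A-Za-z0-9._+-]", "-")`) before building the path. Two smaller points in the same block: a component whose `licenses` array is absent, or whose entry carries `expression` instead of `license`, never reaches `thirdPartyArtifacts` and is silently left out of the distribution LICENSE, which is exactly the "overlooked dependency" the task is meant to prevent, so collect those cases and log them or fail the task; and `decodeBase64()` is applied to `license.text.content` without looking at `license.text.encoding`, which CycloneDX only sets to `base64` when the content is actually encoded, so plain-text content would be mangled.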
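A stand-alone pre-release check in the spirit of the task discussed above, written for this page as an added example and not EventMesh project code: it reads a CycloneDX `bom.json` (a constructed sample is embedded so it runs offline), drops the project's own `org.apache.eventmesh` modules, separates entries identified by an SPDX `license.id` from those that carry only a free-form `license.name`, an SPDX `expression`, or no license metadata at all, and derives a filesystem-safe file name from the label. Everything that is not a clean SPDX identifier is returned as the list the Release Manager still has to review by hand (a custom name such as "ASL" cannot be resolved automatically). The component names, versions and license text in the sample are made up for the demonstration; `decode_license_text` only base64-decodes when the BOM says the content is encoded. Python is used because the check runs over the generated BOM rather than inside the Gradle build.

```python
"""Audit the license entries of a CycloneDX BOM before they are copied into a
distribution LICENSE file.  Added example; not EventMesh project code."""
import base64
import json
import re

# Modules of the project itself are not third-party artifacts.
PROJECT_GROUP_PREFIX = "org.apache.eventmesh"

# Constructed sample BOM in CycloneDX JSON shape (versions, text and URLs are
# made up); it stands in for the bom.json produced by the cyclonedxBom task.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "org.apache.eventmesh", "name": "eventmesh-common", "version": "1.10.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.15.2",
         "licenses": [{"license": {"id": "Apache-2.0",
                                   "text": {"encoding": "base64",
                                            "content": base64.b64encode(b"Apache License 2.0 text").decode()}}}]},
        {"group": "net.java.dev.jna", "name": "jna", "version": "5.13.0",
         "licenses": [{"license": {"name": "ASL", "url": "https://example.invalid/asl"}}]},
        {"group": "com.rabbitmq", "name": "amqp-client", "version": "5.16.0",
         "licenses": [{"license": {"name": "AL 2.0", "url": "https://www.apache.org/licenses/LICENSE-2.0"}}]},
        {"group": "org.example", "name": "dual-licensed", "version": "1.0",
         "licenses": [{"expression": "(MIT OR GPL-2.0-only)"}]},
        {"group": "org.example", "name": "no-license-metadata", "version": "0.1"},
    ],
})


def decode_license_text(text_obj):
    """Return the license text carried inline in a CycloneDX 'text' object.
    CycloneDX only base64-encodes 'content' when 'encoding' says so, so the
    decode must be conditional or plain-text content gets mangled."""
    if not text_obj or "content" not in text_obj:
        return None
    content = text_obj["content"]
    if text_obj.get("encoding") == "base64":
        return base64.b64decode(content).decode("utf-8")
    return content


def license_filename(label):
    """Derive a safe file name from a license label that comes from a
    dependency's own metadata.  Only a conservative character set survives,
    so path separators, '..' and Windows-illegal characters cannot leak into
    the path that is joined onto the licenses directory."""
    safe = re.sub(r"[^A-Za-z0-9._+-]", "-", label or "")
    safe = re.sub(r"-{2,}", "-", safe).strip(".-")
    return (safe[:100] or "UNKNOWN") + ".txt"


def classify(component):
    """Yield one record per license entry of a component, tagged by how the
    license is identified: 'spdx' (id), 'custom' (free-form name),
    'expression' (SPDX expression) or 'missing' (no usable metadata)."""
    base = {"name": component["name"], "version": component.get("version", "")}
    entries = component.get("licenses") or []
    if not entries:
        yield {**base, "kind": "missing", "license": None, "content": None}
        return
    for entry in entries:
        lic = entry.get("license")
        if lic is None and "expression" in entry:
            yield {**base, "kind": "expression", "license": entry["expression"], "content": None}
        elif lic is not None and lic.get("id"):
            yield {**base, "kind": "spdx", "license": lic["id"],
                   "content": decode_license_text(lic.get("text"))}
        elif lic is not None and lic.get("name"):
            # Same convention as the Gradle task: a custom name carries its URL as content.
            yield {**base, "kind": "custom", "license": lic["name"], "content": lic.get("url")}
        else:
            yield {**base, "kind": "missing", "license": None, "content": None}


def third_party_licenses(bom_text, project_group_prefix=PROJECT_GROUP_PREFIX):
    """All license records of non-project components, sorted by (name, version)."""
    bom = json.loads(bom_text)
    records = []
    for component in bom.get("components", []):
        if component.get("group", "").startswith(project_group_prefix):
            continue
        records.extend(classify(component))
    records.sort(key=lambda r: (r["name"], r["version"]))
    return records


def needs_manual_review(records):
    """Everything that is not a clean SPDX identifier goes to the Release
    Manager: 'ASL' may be the Apache or the Amazon Software License, an
    expression needs a choice, and a missing entry must be chased down."""
    return [r for r in records if r["kind"] != "spdx"]


if __name__ == "__main__":
    for r in needs_manual_review(third_party_licenses(SAMPLE_BOM)):
        print(f"REVIEW {r['name']}:{r['version']} kind={r['kind']} "
              f"license={r['license']!r} -> {license_filename(r['license'])}")
```

Run against the real `build/reports/bom.json` instead of `SAMPLE_BOM`, the printed `REVIEW` lines are the set of dependencies whose license files the RM has to open and confirm; the `spdx` records can be written out under `license_filename(...)` without further inspection.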
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.