Re: ideas for automation
On 08/15/11 02:32, Marshall Schor wrote: yes, it's entirely manual at the moment. -Marshall On 8/13/2011 10:30 AM, Stefan Bodewig wrote: On 2011-08-08, Marshall Schor wrote: We recently did an exercise whereby for some projects for which we distribute binaries that include dependencies, we looked inside the dependency Jars being distributed to see if there was any unusual license and notice (and other) files, and we found several; we then manually merged these into the binary distribution's License and Notice files. I assume this has been some sort of manual process, right? Or is there already anything that could be the seed for some tooling? Assembling applications consumed by end users and composed from numerous component libraries is the use case which led to me to Whisker. Apache James 3.0 contains over 150 libraries. Manually maintaining correct LICENSE, CRYPTO and NOTICE documents is error prone and time consuming. Whisker currently uses an XML document to store licensing data matching license meta-data to artifacts. In generative mode, velocity templates are used to generate LICENSE and NOTICE documents. In validation mode, the meta-data is checked against the contents. So, Whisker could help with maintenance but not discovery. Robert
Re: ideas for automation
On 08/23/11 21:10, Jochen Wiedmann wrote: On Tue, Aug 23, 2011 at 9:56 PM, Robert Burrell Donkin rdon...@apache.org wrote: (Apologies for dropping the ball on this one: been recovering and rebuilding my development boxes) Hi, Robert; Hi Jochen when it comes to recovering, I fear to currently beating you. See https://plus.google.com/109601534018793668119/posts/E25jTKKgakj Oh no! All the best and get well soon! Robert
Re: ideas for automation
On 08/13/11 02:28, Gavin McDonald wrote:
-Original Message-
From: Marshall Schor [mailto:m...@schor.com]
Sent: Tuesday, 9 August 2011 6:20 AM
To: rat-dev@incubator.apache.org
Subject: ideas for automation
We recently did an exercise whereby for some projects for which we
distribute binaries that include dependencies, we looked inside the
dependency Jars being distributed to see if there was any unusual license
and notice (and other) files, and we found several; we then manually
merged these into the binary distribution's License and Notice files.
We even found one where there was a crypto notice - which of course
required that we add a crypto notice (and update the
apache.org/licenses/exports page).
Some kind of tooling that helps with this process would be a nice addition
-
basically it has to open up dependent Jars that ship with a distribution
and
see if finds anything interesting there. It would also be nice if it
mostly
automatically merged the Licenses and Notices while eliminating
duplicates.
Hi Marshall,
thanks, I think if no-one replies soon, it's likely it isn't their itch
'currently' and
best to open a RAT jira ticket so that these ideas don't get lost.
(Apologies for dropping the ball on this one: been recovering and
rebuilding my development boxes)
I recently commit a new component ('Whisker') for this space developed
to help release Apache James 3.0 when we found it too difficult to
manually maintain the legal stuff.
I'll follow up with some more details soon.
Robert
Re: ideas for automation
On Tue, Aug 23, 2011 at 9:56 PM, Robert Burrell Donkin rdon...@apache.org wrote: (Apologies for dropping the ball on this one: been recovering and rebuilding my development boxes) Hi, Robert; when it comes to recovering, I fear to currently beating you. See https://plus.google.com/109601534018793668119/posts/E25jTKKgakj -- Capitalism is the astounding belief that the most wickedest of men will do the most wickedest of things for the greatest good of everyone. John Maynard Keynes (http://en.wikiquote.org/wiki/Keynes)
Re: ideas for automation
I looked for licenses/notice/crypto stuff in the Jar by unzipping it, and looking at the top level and within META-INF directory for LICENSE*, NOTICE*, README* (anycase). On another note - another RAT check might be also to check that the Jars that your project is building have LICENSE/NOTICE files in one of these spots. I'm not sure about the need to check Jars you're depending on but not building for the existence of LICENSE/NOTICE files. One more complication: some builds create OSGi bundles which are a kind of Jar file. One style of packaging for these bundles includes within the outer Jar (bundle), a directory (typically called lib/ but could be called anything), which contains Jar files. For this, the outer Jar file ought to have LICENSE/NOTICE/crypto stuff which includes the amalgamation of all the Jars contained within. -Marshall On 8/15/2011 1:08 AM, Stefan Bodewig wrote: On 2011-08-15, Marshall Schor wrote: yes, it's entirely manual at the moment. OK, thanks. Can you describe what you've done, where you've looked for licenses, notices, cryprto notices et al? META-INF or in other places as well? Stefan
Re: ideas for automation
yes, it's entirely manual at the moment. -Marshall On 8/13/2011 10:30 AM, Stefan Bodewig wrote: On 2011-08-08, Marshall Schor wrote: We recently did an exercise whereby for some projects for which we distribute binaries that include dependencies, we looked inside the dependency Jars being distributed to see if there was any unusual license and notice (and other) files, and we found several; we then manually merged these into the binary distribution's License and Notice files. I assume this has been some sort of manual process, right? Or is there already anything that could be the seed for some tooling? Stefan
Re: ideas for automation
On 2011-08-15, Marshall Schor wrote: yes, it's entirely manual at the moment. OK, thanks. Can you describe what you've done, where you've looked for licenses, notices, cryprto notices et al? META-INF or in other places as well? Stefan
Re: ideas for automation
On 2011-08-08, Marshall Schor wrote: We recently did an exercise whereby for some projects for which we distribute binaries that include dependencies, we looked inside the dependency Jars being distributed to see if there was any unusual license and notice (and other) files, and we found several; we then manually merged these into the binary distribution's License and Notice files. I assume this has been some sort of manual process, right? Or is there already anything that could be the seed for some tooling? Stefan
RE: ideas for automation
-Original Message- From: Marshall Schor [mailto:m...@schor.com] Sent: Tuesday, 9 August 2011 6:20 AM To: rat-dev@incubator.apache.org Subject: ideas for automation We recently did an exercise whereby for some projects for which we distribute binaries that include dependencies, we looked inside the dependency Jars being distributed to see if there was any unusual license and notice (and other) files, and we found several; we then manually merged these into the binary distribution's License and Notice files. We even found one where there was a crypto notice - which of course required that we add a crypto notice (and update the apache.org/licenses/exports page). Some kind of tooling that helps with this process would be a nice addition - basically it has to open up dependent Jars that ship with a distribution and see if finds anything interesting there. It would also be nice if it mostly automatically merged the Licenses and Notices while eliminating duplicates. Hi Marshall, thanks, I think if no-one replies soon, it's likely it isn't their itch 'currently' and best to open a RAT jira ticket so that these ideas don't get lost. Gav... -Marshall
