Hi Jaime,

We discussed with Sonatype and found this was a false positive. How CLM decides what version of a package a file belongs to is by checking the checksum of said file and comparing it to their database, and then reporting the lowest version the file exists in as the version that the file belongs to.

There were 2 js files, graceful.js and keep.js, in the tmp package that were not changed since version 0.0.16, so it falsely flagged them as incompatible GPL code instead of the MIT license which is used in newer versions of this package. With that said, we went ahead and released Carbon last week. Sorry for the confusion and thanks for looking into this.

Regards,
Thanh

On Mon, May 29, 2017 at 6:59 AM, Jaime Caamaño Ruiz <[email protected]> wrote:
> Hello Thanh
>
> I looked for references of this tmp version 16 and like you, could not
> find any in the whole distro.
>
> I looked also into the CLM report but I could not pinpoint exactly how
> and where it obtained this reference from. Do you know?
>
> BR
> Jaime.
>
> On Fri, 2017-05-26 at 09:28 -0400, Thanh Ha wrote:
> > Hi sfc-devs,
> >
> > We're investigating a CLM violation on the node package tmp 0.0.16 [0]
> > which according to CLM SFC is pulling in. The problem with this specific
> > version of tmp is that it's GPL 2.0. Every version of tmp from 0.0.17 and
> > onwards is MIT license which is fine so we're looking to figure out if SFC
> > is really pulling in the 0.0.16 version of this bundle.
> >
> > If you pull sfc-ui-bundle jar [1] however and inspect its package.json
> > file for tmp it says the version of tmp packaged is 0.0.23 which is an ok
> > version for us. Is there anyone on the SFC team who can help us
> > investigate this to determine where 0.0.16 is being pulled in?
> >
> > Thanks,
> > Thanh
> >
> > [0] https://clm.opendaylight.org/assets/index.html#/reports/distribution/8670358dbf074c03b57ee49a25c1da19
> > [1] https://nexus.opendaylight.org/content/repositories/opendaylight.release/org/opendaylight/sfc/sfc-ui-bundle/0.5.0-Carbon/
> > _______________________________________________
> > sfc-dev mailing list
> > [email protected]
> > https://lists.opendaylight.org/mailman/listinfo/sfc-dev
_______________________________________________ sfc-dev mailing list [email protected] https://lists.opendaylight.org/mailman/listinfo/sfc-dev
