Checking licenses

[Alan Williams <al...@googlemail.com>]

Hello everybody,

I am trying to use the taverna-build repository to check the licenses. 
At the moment running make is not downloading the master (Taverna 3) 
branches but is in downloading the default maintenance (2.6-SNAPSHOT) 
branches. It is also pulling down repositories such as those for biomoby 
that are unlikely to make it into Taverna 3 (without a lot of work).

So, I plan to change it to do the Taverna 3 build, as it says in the 
description. I don't think there is any gain in doing a check of the 
Taverna 2.6 licenses.

Comments? Objections?

Alan

Re: Checking licenses

[alaninmcr <al...@googlemail.com>]

Hello,

Donal and I have re-looked at the Apache Commons artifacts and almost 
all of them are actually bundles, despite what mvnrepository.com 
reports. So, I am making sure that the build uses the standard artifacts 
and not the ones from springsource.

The exception (so far) is Commons HttpClient that has been superseded by 
Apache HttpComponents Client.

We also found that the latest version of jaxen is a bundle so we can use 
that directly.

Alan

Re: Checking licenses

[Alan Williams <al...@googlemail.com>]

On 13-Jan-15 17:50, Stian Soiland-Reyes wrote:
> For pom.xml changes, please update the incubator-* repositories where they
> exist.

I'll do that once I've got it to work against github. At the moment I am 
fighting against the build breaking when I use springsource bundles as 
they are not up-to-date with the Apache latest jars. It would really 
help a lot if Apache commons were bundled :(

> If I was to merge changes in the taverna/ repositories I would
> prefer to skip the pom.xml as they have significantly changed under
> incubator-* - particularly version properties in the parent might be newer
> and already bundles. (But you are right abouy scufl2 not using bundles yet)

I think the SCUFL2 in github is now using bundles. It passed all its tests.

> Unfortunately I think its tricky to .modify the taverna-build script to get
> SOME repositories from the taverna-incubator group, but I believe there is
> a repo.txt that is concatenated in, see the "repo" target in the Makefile.

OK.

> You can tell they exist in "modern form" if they have a groupId of
> org.apache.taverna, this is true of incubator-*, taverna-engine-common* and
> taverna-plugin-component.
>
> Perhaps it would be good to run the license analysis as part of the build
> of those, e.g. add it to incubator-taverna-maven-parent.

Totally agreed.

[snip]

Alan

Re: Checking licenses

[Stian Soiland-Reyes <st...@apache.org>]

For pom.xml changes, please update the incubator-* repositories where they
exist. If I was to merge changes in the taverna/ repositories I would
prefer to skip the pom.xml as they have significantly changed under
incubator-* - particularly version properties in the parent might be newer
and already bundles. (But you are right abouy scufl2 not using bundles yet)

Unfortunately I think its tricky to .modify the taverna-build script to get
SOME repositories from the taverna-incubator group, but I believe there is
a repo.txt that is concatenated in, see the "repo" target in the Makefile.

You can tell they exist in "modern form" if they have a groupId of
org.apache.taverna, this is true of incubator-*, taverna-engine-common* and
taverna-plugin-component.

Perhaps it would be good to run the license analysis as part of the build
of those, e.g. add it to incubator-taverna-maven-parent.

I've added the rat plugin to the maven parent, but this only checks license
headers. (Adding all of those can be done semi automatically with the rat
plugin, but care must be taken to not accidentally claim as ours files like
XSDs from w3.org or embedded OWL ontologies)

We should also configure (in the parent) the licensing plugin with
permissible dependency licenses, you can get it to bail out on violation.

What I'm not sure about is how it would be able to pick up a common file
with the license mapping, as the parent has no jar or class path deployed
and we have multiple git repositories. Perhaps the mapping can be embedded
within the <configuration> in the pom.xml?
On 13 Jan 2015 17:08, "Alan Williams" <al...@googlemail.com> wrote:

> Hello again,
>
> I am having to update SCUFL2 to use bundles. Some of its dependencies were
> to ordinary jars. It needs to be bundles to fit in well with Taverna 3.
>
> Alan
>
>

Re: Checking licenses

[Alan Williams <al...@googlemail.com>]

Hello again,

I am having to update SCUFL2 to use bundles. Some of its dependencies 
were to ordinary jars. It needs to be bundles to fit in well with Taverna 3.

Alan