Posted to notifications@pekko.apache.org by "mdedetrich (via GitHub)" <gi...@apache.org> on 2023/02/08 16:25:47 UTC

[GitHub] [incubator-pekko] mdedetrich opened a new issue, #151: Investigate how to scan for problematic licenses

mdedetrich opened a new issue, #151:
URL: https://github.com/apache/incubator-pekko/issues/151

   One place to look is Apache Daffodil which is another Scala/SBT Apache project that uses Apache Rat via sbt to check for licenses, see https://github.com/Apache/daffodil#license-check


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@pekko.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@pekko.apache.org
For additional commands, e-mail: notifications-help@pekko.apache.org


[GitHub] [incubator-pekko] mdedetrich commented on issue #151: Investigate how to scan for problematic licenses

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on issue #151:
URL: https://github.com/apache/incubator-pekko/issues/151#issuecomment-1566070547

   Yes, I don't have time to fully fix this.




[GitHub] [incubator-pekko] justinmclean commented on issue #151: Investigate how to scan for problematic licenses

Posted by "justinmclean (via GitHub)" <gi...@apache.org>.
justinmclean commented on issue #151:
URL: https://github.com/apache/incubator-pekko/issues/151#issuecomment-1423606020

   Hi,
   
   It is very likely that Incubator PMC members will use rat when voting on your releases.
   
   Kind Regards,
   Justin




[GitHub] [incubator-pekko] mdedetrich commented on issue #151: Investigate how to scan for problematic licenses

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on issue #151:
URL: https://github.com/apache/incubator-pekko/issues/151#issuecomment-1423865583

   So I am under the impression that rat and sbt-header are solving different problems. sbt-header is just checking for license text within the project as well as updating license headers when a file is touched (typical example of this is bumping the copyright year). On the other hand Apache Rat is for checking licenses although from their website it isn't clear how this is done (I haven't actually used Apache Rat), i.e. if it's actually checking for dependencies (direct and transitive).
   
   If we are talking about checking for the licenses of dependencies (direct and transitive) there is also another option, [sbt-license-report](https://github.com/sbt/sbt-license-report). I have used this before in open source projects as well as companies and can vouch for it. It's configurable, both in how it does license detection and also what the generated report looks like.
   
   In any case I wouldn't throw away sbt-header, it's already set up and working and most importantly we know it's working because it's actually found cases of incorrect headers and it's also integrated into our CI to make sure that no one can commit incorrect headers. If sbt-rat (which uses Apache Rat underneath) helps us get through the Incubator PMC we can look into it but depending on how Apache Rat does "license detection" there may be far simpler solutions.




Re: [I] Investigate how to scan for problematic licenses [incubator-pekko]

Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning closed issue #151: Investigate how to scan for problematic licenses
URL: https://github.com/apache/incubator-pekko/issues/151




Re: [I] Investigate how to scan for problematic licenses [incubator-pekko]

Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning commented on issue #151:
URL: https://github.com/apache/incubator-pekko/issues/151#issuecomment-1774056386

   sure - seems to be ok to close




[GitHub] [incubator-pekko] jrudolph commented on issue #151: Investigate how to scan for problematic licenses

Posted by "jrudolph (via GitHub)" <gi...@apache.org>.
jrudolph commented on issue #151:
URL: https://github.com/apache/incubator-pekko/issues/151#issuecomment-1446511381

   There's also the built-in `dependencyLicenseInfo` (merged from my sbt-dependency-graph plugin into sbt itself), which we could adapt to whatever we'd like.




[GitHub] [incubator-pekko] pjfanning commented on issue #151: Investigate how to scan for problematic licenses

Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning commented on issue #151:
URL: https://github.com/apache/incubator-pekko/issues/151#issuecomment-1566070034

   @mdedetrich Can we remove this from the 1.0.0 milestone? It's useful but in the end, voters on the releases will have their own mechanisms to check. And having it in the milestone makes it look like a blocker.




[GitHub] [incubator-pekko] justinmclean commented on issue #151: Investigate how to scan for problematic licenses

Posted by "justinmclean (via GitHub)" <gi...@apache.org>.
justinmclean commented on issue #151:
URL: https://github.com/apache/incubator-pekko/issues/151#issuecomment-1423876140

   Hi,
   
   Rat is just a simple tool to help, it doesn’t remove the need for manual checking.
   
   From its help output:
   Rat is really little more than a grep ATM
   Rat is also rather memory hungry ATM
   Rat is very basic ATM
   Rat highlights possible issues
   Rat reports require intepretation
   Rat often requires some tuning before it runs well against a project
   Rat relies on heuristics: it may miss issues
   
   I have however used it to check more than 1000 ASF releases and it's useful.
   
   Kind Regards,
   Justin




[GitHub] [incubator-pekko] mdedetrich commented on issue #151: Investigate how to scan for problematic licenses

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on issue #151:
URL: https://github.com/apache/incubator-pekko/issues/151#issuecomment-1509762285

   So I created a PR against https://github.com/sbt/sbt-license-report/pull/55 which when merged would allow us to generate a report of all of the aggregated licenses for all of the transitive dependencies for this project which we can then inspect to make sure we don't see something weird. The plugin also lets us configure what Ivy scopes we want to generate the licenses for (see `licenseConfigurations`) so it's possible to, for example, only generate licenses for the `compile` scope (if we don't care about licenses used for `test`).
   
   It's also possible to add functionality that will "break" the build if it picks up a problematic license (i.e. similar to `dependencyCheckFailBuildOnCVSS` for https://github.com/albuch/sbt-dependency-check).
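
A sketch of the "break the build on a problematic license" gate discussed in the comment above, filtered by dependency scope. This is an added example, not part of the thread and not code from sbt-license-report or Pekko; the report column layout, the sample rows and the allow/deny lists are assumptions made for illustration.

```python
import csv
import io

# Constructed sample report. The column layout is an assumption for this
# example, not the actual output format of sbt-license-report.
SAMPLE_REPORT = """\
configuration,dependency,license
compile,org.example:core-lib:1.2.0,Apache-2.0
compile,org.example:json-codec:0.9.1,MIT
compile,org.example:fast-math:3.1.0,GPL-3.0-only
compile,org.example:legacy-io:2.0.0,
test,org.example:bench-kit:0.4.0,AGPL-3.0-only
"""

# Illustrative policy using SPDX identifiers. What to deny is an assumption
# here; a real list comes from the project's own licensing policy.
DENY = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"}
ALLOW = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause"}


def check_report(report_text, scopes=("compile",)):
    """Return (violations, needs_review) for dependencies in `scopes`."""
    violations, needs_review = [], []
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["configuration"] not in scopes:
            continue  # only the scopes we ship, e.g. compile but not test
        lic = (row["license"] or "").strip()
        if lic in DENY:
            violations.append((row["dependency"], lic))
        elif lic not in ALLOW:
            # Unknown or undetected license: never let it pass silently.
            needs_review.append((row["dependency"], lic or "<none detected>"))
    return violations, needs_review


def gate(report_text, scopes=("compile",)):
    """CI exit code: 1 if anything is denied or unresolved, else 0."""
    violations, needs_review = check_report(report_text, scopes)
    for dep, lic in violations:
        print(f"DENIED  {dep}: {lic}")
    for dep, lic in needs_review:
        print(f"REVIEW  {dep}: {lic}")
    return 1 if violations or needs_review else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Dependencies with no detected license are routed to manual review rather than passed, since license detection is heuristic and an empty field is not evidence of a permissive license.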




[GitHub] [incubator-pekko] pjfanning commented on issue #151: Investigate how to scan for problematic licenses

Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning commented on issue #151:
URL: https://github.com/apache/incubator-pekko/issues/151#issuecomment-1423155682

   Don't we already have sbt-header and https://github.com/apache/incubator-pekko/blob/main/project/CopyrightHeader.scala? Maybe we could fill any missing functionality?
   
   One example is that the .md files don't have Apache licenses and apparently, sbt-header can be configured to check these files as well as the .scala files.




[GitHub] [incubator-pekko] mdedetrich commented on issue #151: Investigate how to scan for problematic licenses

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on issue #151:
URL: https://github.com/apache/incubator-pekko/issues/151#issuecomment-1554253443

   Should I go ahead and close this issue since sbt-license-report has already been integrated (see https://github.com/apache/incubator-pekko/pull/319)? While it may not report if a license is problematic, it generates an entire report of all of the licenses for all of the transitive dependencies (and it does it correctly since it uses the same dependency resolution that sbt uses).
   
   Regarding licenses within this project we have sbt-header for this, it's already been configured to not accept any source headers for code that isn't explicitly required.




Re: [I] Investigate how to scan for problematic licenses [incubator-pekko]

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on issue #151:
URL: https://github.com/apache/incubator-pekko/issues/151#issuecomment-1774031003

   @pjfanning Shall we close this? I think that sbt-license-report should solve this well enough.

