Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [eclipse.org-architecture-council] Revising the Eclipse IP Policy: Third Party Content

Regarding dependencies of Tycho builds I tried this with EGit and it seems to work:

 

$ mvn dependency:tree

 

here e.g. the output for org.eclipse.egit.core:

 

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ org.eclipse.egit.core ---

[INFO] org.eclipse.egit:org.eclipse.egit.core:eclipse-plugin:5.6.0-SNAPSHOT

[INFO] +- p2.eclipse-plugin:com.google.gson:jar:2.8.2.v20180104-1110:system

[INFO] +- p2.eclipse-plugin:com.ibm.icu.base:jar:58.2.0.v20181010-1334:system

[INFO] +- p2.eclipse-plugin:com.jcraft.jsch:jar:0.1.55.v20190404-1902:system

[INFO] +- p2.eclipse-plugin:javaewah:jar:1.1.6.v20160919-1400:system

[INFO] +- p2.eclipse-plugin:org.eclipse.osgi:jar:3.11.3.v20170209-1843:system

[INFO] +- p2.eclipse-plugin:net.i2p.crypto.eddsa:jar:0.3.0.v20181102-1323:system

[INFO] +- p2.eclipse-plugin:org.apache.commons.codec:jar:1.10.0.v20180409-1845:system

[INFO] +- p2.eclipse-plugin:org.apache.commons.logging:jar:1.2.0.v20180409-1502:system

[INFO] +- p2.eclipse-plugin:org.apache.httpcomponents.httpcore:jar:4.4.10.v20190123-2214:system

[INFO] +- p2.eclipse-plugin:org.apache.httpcomponents.httpclient:jar:4.5.6.v20190503-0009:system

[INFO] +- p2.eclipse-plugin:org.apache.sshd.osgi:jar:2.2.0.v20190425-2127:system

[INFO] +- p2.eclipse-plugin:org.slf4j.api:jar:1.7.10.v20170428-1633:system

[INFO] +- p2.eclipse-plugin:org.apache.sshd.sftp:jar:2.2.0.v20190425-2127:system

[INFO] +- p2.eclipse-plugin:org.bouncycastle.bcpg:jar:1.61.0.v20190602-1335:system

[INFO] +- p2.eclipse-plugin:org.bouncycastle.bcprov:jar:1.61.0.v20190602-1335:system

[INFO] +- p2.eclipse-plugin:org.eclipse.compare.core:jar:3.6.0.v20160418-1534:system

[INFO] +- p2.eclipse-plugin:org.eclipse.core.runtime:jar:3.12.0.v20160606-1342:system

[INFO] +- p2.eclipse-plugin:org.eclipse.core.commands:jar:3.8.1.v20161221-1651:system

[INFO] +- p2.eclipse-plugin:org.eclipse.equinox.common:jar:3.8.0.v20160509-1230:system

[INFO] +- p2.eclipse-plugin:org.eclipse.core.contenttype:jar:3.5.100.v20160418-1621:system

[INFO] +- p2.eclipse-plugin:org.eclipse.equinox.preferences:jar:3.6.1.v20160815-1406:system

[INFO] +- p2.eclipse-plugin:org.eclipse.equinox.registry:jar:3.6.100.v20160223-2218:system

[INFO] +- p2.eclipse-plugin:org.eclipse.core.expressions:jar:3.5.100.v20160418-1621:system

[INFO] +- p2.eclipse-plugin:org.eclipse.core.filebuffers:jar:3.6.0.v20160503-1849:system

[INFO] +- p2.eclipse-plugin:org.eclipse.text:jar:3.6.0.v20160503-1849:system

[INFO] +- p2.eclipse-plugin:org.eclipse.core.filesystem:jar:1.6.1.v20161113-2349:system

[INFO] +- p2.eclipse-plugin:org.eclipse.core.jobs:jar:3.8.0.v20160509-0411:system

[INFO] +- p2.eclipse-plugin:org.eclipse.core.net:jar:1.3.0.v20160418-1534:system

[INFO] +- p2.eclipse-plugin:org.eclipse.equinox.security:jar:1.2.200.v20150715-1528:system

[INFO] +- p2.eclipse-plugin:org.eclipse.core.resources:jar:3.11.1.v20161107-2032:system

[INFO] +- p2.eclipse-plugin:org.eclipse.equinox.app:jar:1.3.400.v20150715-1528:system

[INFO] +- p2.eclipse-plugin:org.eclipse.core.variables:jar:3.3.0.v20160419-1720:system

[INFO] +- p2.eclipse-plugin:org.eclipse.team.core:jar:3.8.0.v20160418-1534:system

[INFO] +- p2.eclipse-plugin:org.eclipse.jgit:jar:5.6.0.201910121209:system

[INFO] +- p2.eclipse-plugin:org.eclipse.jgit.lfs:jar:5.6.0.201910121209:system

[INFO] +- p2.eclipse-plugin:org.eclipse.jgit.http.apache:jar:5.6.0.201910121209:system

[INFO] +- p2.eclipse-plugin:org.eclipse.jgit.ssh.apache:jar:5.6.0.201910121209:system

[INFO] \- p2.eclipse-plugin:org.eclipse.jsch.core:jar:1.3.0.v20160422-1917:system

 

See https://stackoverflow.com/questions/12092576/dependency-report-for-tycho-based-build

 

-Matthias

 

From: <eclipse.org-architecture-council-bounces@xxxxxxxxxxx> on behalf of Wayne Beaton <wayne.beaton@xxxxxxxxxxxxxxxxxxxxxx>
Reply to: "eclipse.org-architecture-council" <eclipse.org-architecture-council@xxxxxxxxxxx>
Date: Thursday, 10. October 2019 at 18:57
To: "eclipse.org-architecture-council" <eclipse.org-architecture-council@xxxxxxxxxxx>
Subject: [eclipse.org-architecture-council] Revising the Eclipse IP Policy: Third Party Content

 

Hey folks...

 

This is not my best work, but I figured getting the information out was better than another few days of wordsmithing...

 

https://waynebeaton.wordpress.com/2019/10/09/revising-the-eclipse-ip-policy-third-party-content/

 

By way of specific example, I ran the prototype tool discussed in this post on the Eclipse Sprotty code. When I naively ran "npm install" on sprotty, it pulled in 680 different NPM libraries (Sprotty has a yarn.lock file that narrows this list considerable, but I was going for it). Of those 680 dependencies, the tool identified six that required further scrutiny from the IP Team (which I submitted as a single CQ). We resolved those six, fed the results back into the system, and when we now re-run the prototype tool, it comes back with 100% pass. With the IP Policy changes that we're proposing in place, Sprotty is basically done after creating a single CQ (FWIW, we did also independently validate the intellectual property via the process that we currently have in place to implement the IP Policy as it exists today).

 

The intention is that CQs will become the manner in which project teams engage with the IP Team only when they encounter problematic content.

 

The prototype tool is something that I hacked together in PHP that only runs on our system. I'm in the process of migrating it to a Java library that can operate independently. My hope is that I'll have it far enough along to contribute it to the Eclipse Dash project and solicit your input before I get on the plane to attend EclipseCon.

 

Here are some thoughts to seed future discussion...

 

A means of capturing dependencies for various technologies. I've got regular Maven builds and NPM sorted out. I'm not quite sure what to do with Tycho builds since the Maven Dependency plugin doesn't seem to consistently work on those builds (I'm not actually sure if this is a real problem as the dependencies that are hard to determine tend to come from Eclipse p2 repositories which, I think, we can make a reasonable claim are likely pretty clean from an IP POV; this requires further investigation). For some technologies (e.g., C make files, I think that we're just going to have to have project teams manually assemble and maintain a list of dependencies.


The prototype tool just generates a list based on the input. We can make it do useful things like create CQs based on problematic content that it identifies. There's an opportunity to create a Maven plugin that integrates this into a build.

 

You'll notice that we're working with the ClearlyDefined project. I'll discuss this relationship and how we're leveraging (and adding to) their work as part of this.


Eliminating and replacing IPzilla is on our to-do list for 2020.

 

We have a BoF scheduled to discuss changes to the IP Policy on Tuesday night at EclipseCon. This topic will otherwise be my main focus during the conference, so please feel free to connect with me outside of scheduled sessions.

 

Comments welcome.


Thanks,

 

Wayne

 

--

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation, Inc.

Image removed by sender.


Back to the top