Some feedback, running dash-license on Eclipse Theia main repo #19
Comments
Might have missed a few - we have more than 1000 dependencies and by default I think the tool stops at 1000.
There are 1,259 lines in the file. Do you think that there's more than that? The tool sends the dependency lists in batches of 1,000. My best guess is the log will indicate that two batches were sent.
Either that, or a single CQ that contains all of the "suspicious" dependencies together with a combined source attachment (be sure to include the ClearlyDefined IDs in a comment so that we can set up the mapping for the tool). By way of expectation management, I'm on vacation for the next two weeks, so the mapping won't get set up until the week of August 10.
Makes sense - I indeed noted that no new dependency was found when using a bigger batch size. So the 33 "suspicious" dependencies are it ATM.
Nice - a single CQ sounds good. I'll proceed this way.
👍 thanks for the info. I'll probably be going on vacation myself in a couple of weeks. IMHO we'll be well placed to adopt Sample result:
Hi!

The Eclipse Theia project has been using an experimental Intellectual Property Clearance Approach that was proposed by the Foundation to help deal with our numerous and often updated production dependencies. I think this was the precursor to this tool here.

I've tried dash-license for the first time on Theia's main repo. The results are interesting (in a positive way) and not that far from what we were obtaining manually. dash-licenses catches some dependencies that pass the manual process. I think for the most part this is due to the fact that this tool is more strict: it looks at the discovered license(s), while we were visually inspecting, on the clearlydefined desktop, the declared license(s) field that's visible without expanding each dependency. Also, we were not considering the "confidence" levels.

In total, we have ~35 production dependencies that previously passed our manual check but do not pass dash-licenses.

Here's the DEPENDENCIES file I obtained (renamed so GitHub lets me upload it here): DEPENDENCIES.TXT

Next step: Should we open one CQ per "suspicious" dependency?