Some feedback, running dash-license on Eclipse Theia main repo #19

Closed
marcdumais-work opened this issue Jul 23, 2020 · 5 comments
Comments

@marcdumais-work
Contributor

Hi!

The Eclipse Theia project has been using an experimental Intellectual Property Clearance Approach that was proposed by the Foundation to help deal with our numerous and often updated production dependencies. I think this was the precursor to this tool here.

I've tried dash-license for the first time on Theia's main repo. The results are interesting (in a positive way) and not that far from what we were obtaining manually.

dash-licenses catches some dependencies that pass the manual process. I think for the most part this is due to the fact that this tool is more strict: it looks at the discovered license(s) while we were visually inspecting, on the clearlydefined desktop, the declared license(s) field that's visible without expanding each dependency. Also we were not considering the "confidence" levels.

In total, we have ~35 production dependencies that previously passed our manual check but do not pass dash-licenses.

Here's the DEPENDENCIES file I obtained (renamed so GitHub lets me upload it here):
DEPENDENCIES.TXT

Next step: Should we open one CQ per "suspicious" dependency?

@marcdumais-work
Contributor Author

> In total, we have ~35 production dependencies, that previously passed our manual check, but do not pass dash-licenses

Might have missed a few - we have more than 1000 dependencies and by default I think the tool stops at 1000.

@waynebeaton
Collaborator

> In total, we have ~35 production dependencies, that previously passed our manual check, but do not pass dash-licenses

> Might have missed a few - we have more than 1000 dependencies and by default I think the tool stops at 1000.

There are 1,259 lines in the file. Do you think that there's more than that?

The tool sends the dependency lists in batches of 1,000. My best guess is the log will indicate that two batches were sent.

@waynebeaton
Collaborator

> Next step: Should we open one CQ per "suspicious" dependency?

Either that, or a single CQ that contains all of the "suspicious" dependencies together with a combined source attachment (be sure to include the ClearlyDefined IDs in a comment so that we can set up the mapping for the tool).

By way of expectation management, I'm on vacation for the next two weeks, so the mapping won't get set up until the week of August 10.

@marcdumais-work
Contributor Author

> Might have missed a few - we have more than 1000 dependencies and by default I think the tool stops at 1000.

> There's 1,259 lines in the file. Do you think that there's more than that?

> The tool sends the dependency lists in batches of 1,000. My best guess is the log will indicate that two batches were sent.

Makes sense - I indeed noted that no new dependency was found when using a bigger batch size. So the 33 "suspicious" dependencies are it ATM.

@marcdumais-work
Contributor Author

> Next step: Should we open one CQ per "suspicious" dependency?

> Either that, or a single CQ that contains all of the "suspicious" dependencies together with a combined source attachment (be sure to include the ClearDefined IDs in a comment so that we can set up the mapping for the tool).

Nice - a single CQ sounds good. I'll proceed this way.

> By way of expectation management, I'm on vacation for the next two weeks, so the mapping won't get set up until the week of August 10.

👍 thanks for the info. I'll probably be going on vacation myself in a couple of weeks.

IMHO we'll be well placed to adopt dash-licenses in the fall - I think we will save a lot of time and improve our license checks. I have started to prototype adding this tool to our CI:

[screenshot of the CI prototype]

Sample result:
https://travis-ci.org/github/marcdumais-work/theia/jobs/711605338#L1421-L1455

2 participants