On 17/05/2024 07:42, Claude Warren wrote:
> Greetings,
>
> I saw a note from Andy awhile back about exploring SPDX tag usage in Rat.
> I am currently working on Rat to make it much more configurable. Recent
> changes include the ability to detect SPDX license statements and an
> upcoming change that will check licenses found in archives (e.g. jars in a
> lib dir).
>
> My question is: is there something, some knob or lever or action, that
> could be added to Rat, that would help process the Jena releases?

What I have been wondering is whether we should add the SPDX license type

SPDX-License-Identifier: Apache-2.0

I don't know what common practice is currently across Apache projects.
The thing to avoid is repeated churn, and especially removing some new
piece of information or feature when a few downstream might have started
using the information.

cf. CycloneDX and/or SPDX SBOM.

Is there any such change for any other project you are working on?

At £job, we're in a phase of developing checking workflows and if we
find anything for dependencies (Jena is a dependency) that would improve
anything, we'll feed it back.

> Note: there have been lots of changes. Defining licenses is now simply
> including a configuration file, licenses can be excluded, Copyright and
> SPDX specific tests can be added to license checks. Checks can be either
> required or prohibited. Checks can be grouped with "all" or "any".

Jena uses "build-files/rat-exclusions.txt" which has improved managing
RAT configuration from when it was in the POM.

It does sound like there are more RAT changes which can be used to do a
better job for the W3C test files which would be nice.

> Any input would be appreciated.
> Claude