Re: RFC: Maven License Verifier Plugin
One important thing for me: it should be possible to define the configuration/license descriptors in my company pom. Then every dependent project should use the default configuration provided by the company pom. But it also should be possible to override/change/extend that configuration.

Sample: those two projects have the same company pom:
- Library/reusable project that must not depend on artifacts under GPL.
- Internal project that may depend on GPL.

Thanks,
Johannes

Karl Heinz Marbaise wrote:
> Hi there,
>
> I have started with implementing some parts of a new Maven Plugin:
> the Maven License Verifier Plugin (MLV for short).
>
> I would like to present you the idea of the plugin and would like to know if
> someone has some suggestions, ideas, comments etc.
>
> The basic idea is to check every dependency which is used (incl.
> transitive dependencies) of a build (during a mvn ..) and see if all
> artifacts have licenses which, based on the policy (of a company
> etc.), are allowed ...that's often a point in companies...Some companies
> say only the Apache License is allowed (for example)...
>
> The Plugin will use a configuration file which defines different
> categories of Licenses
> (http://site.supose.org/maven-licenses-verifier-plugin/licenses.html).
>
> The default configuration will not break a build; it will just warn about
> artifacts which don't have a license defined or which are in a particular
> category (WARN, INVALID or none of them).
>
> What I'm unsure about is where to define the license.xml file (or
> multiple of them):
>
> Option 1:
> Use a particular folder: src/main/licenses/ and put one or more files in
> there which will be loaded automatically.
>
> Option 2:
> Give a single or multiple locations for license.xml files in the
> configuration section for the plugin.
>
> Option 3:
> Use a URL to define where to download the license.xml file, or maybe
> multiple URLs. This could be useful in companies to have a central
> location where to maintain such files which can be used for every project
> in a company...(Maybe it's possible to store that in a repository
> manager like Nexus?)
>
> Option 4:
> Use an Artifact which can be created and stored into a Maven repository?
>
> Of course the plugin is configurable in that way to break the build if
> you do ...(e.g. failOnWarning like?)...
>
> The other question is how to behave in a reactor build (Multi Module
> build):
> - Just have a single Configuration (e.g. in Root) and put the
> configuration file(s) there (not sure how to handle this technically)...
>
> And what is needed as well is to be able to exclude particular artifacts
> from being checked ().. (I have to check how
> to implement this but this is another question)...
>
> Kind regards
> Karl Heinz Marbaise

-
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org
Re: RFC: Maven License Verifier Plugin
Hi Dmitry,

Dmitry Katsubo wrote:
> It would be nice to have a plugin that, for each dependency, checks the
> META-INF\manifest.mf for a "Bundle-License" entry or tries to guess the
> licence type from META-INF\LICENSE.txt or META-INF\license files. It
> would be nice if the plugin takes care of "autodetecting" the licences of
> "leaf" dependencies, which are not under our control, but for which we
> would like to check the license "compatibility". It can warn the user
> if the license type is not detected and can, for example, allow you to
> set the license for a given groupId/artifactId (and make this setting
> project-wide from parent pom).

The first step of implementing is (maybe I call it release 1.0) to check the entries which are made in the pom of the artifacts...but this is a really good idea...I have to think about this.

Dmitry Katsubo wrote:
> That would be a dream :) Or is it a reality already?

Only partially ;-) And not that aside the point...

Thanks for your idea...

Kind Regards
Karl Heinz Marbaise
--
View this message in context: http://old.nabble.com/RFC%3A-Maven-License-Verifier-Plugin-tp27445231p27451222.html
Sent from the Maven - Users mailing list archive at Nabble.com.
Re: RFC: Maven License Verifier Plugin
Hi Anders,

Anders Hammar wrote:
> Lots of people don't think of that and we need to help them not doing
> bad things...

The outcome of this is to remove the option for using a URL...

Thanks for your comments..

Kind Regards
Karl Heinz Marbaise
Re: RFC: Maven License Verifier Plugin
Hi Karl!

It would be nice to have a plugin that, for each dependency, checks the META-INF\manifest.mf for a "Bundle-License" entry or tries to guess the licence type from META-INF\LICENSE.txt or META-INF\license files. It would be nice if the plugin takes care of "autodetecting" the licences of "leaf" dependencies, which are not under our control, but for which we would like to check the license "compatibility". It can warn the user if the license type is not detected and can, for example, allow you to set the license for a given groupId/artifactId (and make this setting project-wide from parent pom).

That would be a dream :) Or is it a reality already?

Karl Heinz Marbaise wrote on 04/02/2010 00:15:
> Hi there,
>
> I have started with implementing some parts of a new Maven Plugin:
> the Maven License Verifier Plugin (MLV for short).
>
> I would like to present you the idea of the plugin and would like to know if
> someone has some suggestions, ideas, comments etc.
>
> The basic idea is to check every dependency which is used (incl.
> transitive dependencies) of a build (during a mvn ..) and see if all
> artifacts have licenses which, based on the policy (of a company
> etc.), are allowed ...that's often a point in companies...Some companies
> say only the Apache License is allowed (for example)...
>
> The Plugin will use a configuration file which defines different
> categories of Licenses
> (http://site.supose.org/maven-licenses-verifier-plugin/licenses.html).
>
> The default configuration will not break a build; it will just warn about
> artifacts which don't have a license defined or which are in a particular
> category (WARN, INVALID or none of them).
>
> What I'm unsure about is where to define the license.xml file (or
> multiple of them):
>
> Option 1:
> Use a particular folder: src/main/licenses/ and put one or more files in
> there which will be loaded automatically.
>
> Option 2:
> Give a single or multiple locations for license.xml files in the
> configuration section for the plugin.
>
> Option 3:
> Use a URL to define where to download the license.xml file, or maybe
> multiple URLs. This could be useful in companies to have a central
> location where to maintain such files which can be used for every project
> in a company...(Maybe it's possible to store that in a repository
> manager like Nexus?)
>
> Option 4:
> Use an Artifact which can be created and stored into a Maven repository?
>
> Of course the plugin is configurable in that way to break the build if
> you do ...(e.g. failOnWarning like?)...
>
> The other question is how to behave in a reactor build (Multi Module
> build):
> - Just have a single Configuration (e.g. in Root) and put the
> configuration file(s) there (not sure how to handle this technically)...
>
> And what is needed as well is to be able to exclude particular artifacts
> from being checked ().. (I have to check how
> to implement this but this is another question)...
>
> Kind regards
> Karl Heinz Marbaise

--
With best regards,
Dmitry
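The detection Dmitry sketches, worked through as an added example (this is not code from the thread or from the MLV plugin): read the jar's own metadata, first the OSGi Bundle-License manifest header, then a pattern match over META-INF/LICENSE* text, and let a per-groupId:artifactId override configured by the project win over both. The sample jars are built in memory, and the override table, the pattern list and the SPDX-style names are constructed for the example.

```python
import io
import re
import zipfile

# Constructed heuristics for license texts found inside jars (not exhaustive)
LICENSE_PATTERNS = [
    ("Apache-2.0", re.compile(r"Apache License,?\s+Version 2\.0", re.I)),
    ("MIT", re.compile(r"\bMIT License\b", re.I)),
    ("GPL-3.0", re.compile(r"GNU GENERAL PUBLIC LICENSE\s+Version 3", re.I)),
]


def parse_manifest(text):
    """Minimal MANIFEST.MF parser: 'Name: value' lines, with continuation
    lines that start with a single space appended to the previous value."""
    headers = {}
    last = None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            headers[last] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers


def detect_license(jar_bytes):
    """Returns (license, where_found); (None, None) when nothing usable is in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            bundle = parse_manifest(manifest).get("Bundle-License")
            if bundle:
                # OSGi allows 'name;link="..."'; only the name part is the license
                return bundle.split(";")[0].strip(), "Bundle-License"
        # Fall back to a license text shipped in the jar (LICENSE, LICENSE.txt, ...)
        for name in sorted(names):
            if name.upper().startswith("META-INF/LICENSE"):
                text = jar.read(name).decode("utf-8", "replace")
                for spdx, pattern in LICENSE_PATTERNS:
                    if pattern.search(text):
                        return spdx, name
    return None, None


def resolve_license(key, jar_bytes, overrides):
    """Project-configured overrides (groupId:artifactId -> license) take
    precedence; detection fills in everything the project did not pin."""
    if key in overrides:
        return overrides[key], "override"
    return detect_license(jar_bytes)


def make_jar(files):
    """Build a jar (zip) in memory from a {path: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample jars covering the three detection paths
JAR_OSGI = make_jar({
    "META-INF/MANIFEST.MF":
        'Manifest-Version: 1.0\r\n'
        'Bundle-License: Apache-2.0;link="https://www.apache.org/licenses/\r\n'
        ' LICENSE-2.0"\r\n',
})
JAR_TEXT = make_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n",
    "META-INF/LICENSE.txt": "Apache License\n Version 2.0, January 2004\n",
})
JAR_NONE = make_jar({"com/example/Foo.class": b"\xca\xfe\xba\xbe"})
OVERRIDES = {"com.example:legacy": "MIT"}  # constructed project setting

if __name__ == "__main__":
    for key, jar in ("org.example:osgi", JAR_OSGI), ("org.example:text", JAR_TEXT), ("com.example:legacy", JAR_NONE):
        print(key, resolve_license(key, jar, OVERRIDES))
```

The "where found" value is worth keeping in the report: a license taken from a manifest header or a text heuristic is weaker evidence than one declared in the artifact's pom, and a reviewer deciding whether to add an override wants to see which path produced it.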
Re: RFC: Maven License Verifier Plugin
Your comment about reproducible builds is VERY important. Lots of people don't think of that and we need to help them not doing bad things...

/Anders

On Thu, Feb 4, 2010 at 10:37, Karl Heinz Marbaise wrote:
>
> Hi,
>
> Anders Hammar wrote:
>> Maybe have a look how the assembly plugin works with descriptors? Having
>> pre-defined configs that can be referenced by id/name could be handy.
>
> Good hint...
>
> Anders Hammar wrote:
>> However, I'm not sure if using a URL to download the descriptor/config is a
>> good idea. I'm thinking that that could be misused by linking to configs
>> outside your environment that change or can't sometimes be downloaded.
>
> Yeah, that's what I thought about as well...This means someone could define
> a URL outside of the build environment and that could cause a non-reproducible
> build. Which is bad...
>
> Anders Hammar wrote:
>> I would start simple and then add new possibilities. What would be very
>> nice is if you implement this in modules so that the functionality can be
>> used by other types of plugins as well, such as a Nexus plugin to verify
>> this centrally in a repo manager.
>
> This is not a big problem to separate the code from the plugin functionality...
>
> Anders Hammar wrote:
>> But I guess you could re-factor that later on.
>
> This is of course possible as well...
>
> Many thanks for your hints and comments.
>
> Kind Regards
> Karl Heinz Marbaise
Re: RFC: Maven License Verifier Plugin
Hi,

Anders Hammar wrote:
> Maybe have a look how the assembly plugin works with descriptors? Having
> pre-defined configs that can be referenced by id/name could be handy.

Good hint...

Anders Hammar wrote:
> However, I'm not sure if using a URL to download the descriptor/config is a
> good idea. I'm thinking that that could be misused by linking to configs
> outside your environment that change or can't sometimes be downloaded.

Yeah, that's what I thought about as well...This means someone could define a URL outside of the build environment and that could cause a non-reproducible build. Which is bad...

Anders Hammar wrote:
> I would start simple and then add new possibilities. What would be very
> nice is if you implement this in modules so that the functionality can be
> used by other types of plugins as well, such as a Nexus plugin to verify
> this centrally in a repo manager.

This is not a big problem to separate the code from the plugin functionality...

Anders Hammar wrote:
> But I guess you could re-factor that later on.

This is of course possible as well...

Many thanks for your hints and comments.

Kind Regards
Karl Heinz Marbaise
Re: RFC: Maven License Verifier Plugin
Maybe have a look how the assembly plugin works with descriptors? Having pre-defined configs that can be referenced by id/name could be handy.

However, I'm not sure if using a URL to download the descriptor/config is a good idea. I'm thinking that that could be misused by linking to configs outside your environment that change or can't sometimes be downloaded.

I would start simple and then add new possibilities. What would be very nice is if you implement this in modules so that the functionality can be used by other types of plugins as well, such as a Nexus plugin to verify this centrally in a repo manager. But I guess you could re-factor that later on.

/Anders

On Thu, Feb 4, 2010 at 00:15, Karl Heinz Marbaise wrote:
> Hi there,
>
> I have started with implementing some parts of a new Maven Plugin:
> the Maven License Verifier Plugin (MLV for short).
>
> I would like to present you the idea of the plugin and would like to know if
> someone has some suggestions, ideas, comments etc.
>
> The basic idea is to check every dependency which is used (incl. transitive
> dependencies) of a build (during a mvn ..) and see if all artifacts have
> licenses which, based on the policy (of a company etc.), are allowed
> ...that's often a point in companies...Some companies say only the Apache
> License is allowed (for example)...
>
> The Plugin will use a configuration file which defines different categories
> of Licenses (
> http://site.supose.org/maven-licenses-verifier-plugin/licenses.html).
>
> The default configuration will not break a build; it will just warn about
> artifacts which don't have a license defined or which are in a particular
> category (WARN, INVALID or none of them).
>
> What I'm unsure about is where to define the license.xml file (or
> multiple of them):
>
> Option 1:
> Use a particular folder: src/main/licenses/ and put one or more files in
> there which will be loaded automatically.
>
> Option 2:
> Give a single or multiple locations for license.xml files in the
> configuration section for the plugin.
>
> Option 3:
> Use a URL to define where to download the license.xml file, or maybe
> multiple URLs. This could be useful in companies to have a central location
> where to maintain such files which can be used for every project in a
> company...(Maybe it's possible to store that in a repository manager like
> Nexus?)
>
> Option 4:
> Use an Artifact which can be created and stored into a Maven repository?
>
> Of course the plugin is configurable in that way to break the build if you
> do ...(e.g. failOnWarning like?)...
>
> The other question is how to behave in a reactor build (Multi Module
> build):
> - Just have a single Configuration (e.g. in Root) and put the
> configuration file(s) there (not sure how to handle this technically)...
>
> And what is needed as well is to be able to exclude particular artifacts
> from being checked ().. (I have to check how to
> implement this but this is another question)...
>
> Kind regards
> Karl Heinz Marbaise
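One way to keep a centrally maintained descriptor without the problem Anders raises (a config outside the build environment that changes underneath you), as an added example that is neither the thread's nor the plugin's code: whichever transport delivers the descriptor, the project commits the SHA-256 of the copy it was reviewed against, and a descriptor that does not match is rejected rather than silently changing the policy. The descriptor bytes, the pinned digest and the fetch() callable are all constructed for the example.

```python
import hashlib
import hmac


class DescriptorMismatch(Exception):
    """The fetched descriptor is not the one the project pinned."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_pinned_descriptor(fetch, pinned_sha256: str) -> bytes:
    """fetch() returns the raw descriptor bytes from the configured source
    (file, URL, repository artifact). The digest check makes the source
    irrelevant to the build's outcome: same bytes, same policy, every time."""
    data = fetch()
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        raise DescriptorMismatch(
            f"descriptor digest {actual} does not match pinned {pinned_sha256}")
    return data


# Constructed descriptor; a real one would be the plugin's license.xml
REVIEWED_DESCRIPTOR = b"<licenses><valid><license>Apache-2.0</license></valid></licenses>\n"
# In practice this literal is committed in the (company) pom next to the descriptor location
PINNED_SHA256 = sha256_hex(REVIEWED_DESCRIPTOR)


def check_sources():
    """Returns (reviewed_copy_accepted, changed_copy_rejected)."""
    accepted = load_pinned_descriptor(lambda: REVIEWED_DESCRIPTOR, PINNED_SHA256) == REVIEWED_DESCRIPTOR
    # Simulates the central copy being edited after the project pinned it
    changed = REVIEWED_DESCRIPTOR.replace(b"Apache-2.0", b"GPL-3.0")
    try:
        load_pinned_descriptor(lambda: changed, PINNED_SHA256)
        rejected = False
    except DescriptorMismatch:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print("accepted, rejected =", check_sources())
```

A pinned digest covers the "it changed" half of the concern; the "it can't be downloaded" half is the same availability problem as any remote input, which is why a descriptor stored as a versioned artifact in the repository manager (Option 4) composes well with the pin.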
RFC: Maven License Verifier Plugin
Hi there,

I have started with implementing some parts of a new Maven Plugin: the Maven License Verifier Plugin (MLV for short).

I would like to present you the idea of the plugin and would like to know if someone has some suggestions, ideas, comments etc.

The basic idea is to check every dependency which is used (incl. transitive dependencies) of a build (during a mvn ..) and see if all artifacts have licenses which, based on the policy (of a company etc.), are allowed ...that's often a point in companies...Some companies say only the Apache License is allowed (for example)...

The Plugin will use a configuration file which defines different categories of Licenses (http://site.supose.org/maven-licenses-verifier-plugin/licenses.html).

The default configuration will not break a build; it will just warn about artifacts which don't have a license defined or which are in a particular category (WARN, INVALID or none of them).

What I'm unsure about is where to define the license.xml file (or multiple of them):

Option 1:
Use a particular folder: src/main/licenses/ and put one or more files in there which will be loaded automatically.

Option 2:
Give a single or multiple locations for license.xml files in the configuration section for the plugin.

Option 3:
Use a URL to define where to download the license.xml file, or maybe multiple URLs. This could be useful in companies to have a central location where to maintain such files which can be used for every project in a company...(Maybe it's possible to store that in a repository manager like Nexus?)

Option 4:
Use an Artifact which can be created and stored into a Maven repository?

Of course the plugin is configurable in that way to break the build if you do ...(e.g. failOnWarning like?)...

The other question is how to behave in a reactor build (Multi Module build):
- Just have a single Configuration (e.g. in Root) and put the configuration file(s) there (not sure how to handle this technically)...

And what is needed as well is to be able to exclude particular artifacts from being checked ().. (I have to check how to implement this but this is another question)...

Kind regards
Karl Heinz Marbaise
--
SoftwareEntwicklung Beratung Schulung    Tel.: +49 (0) 2405 / 415 893
Dipl.Ing.(FH) Karl Heinz Marbaise        ICQ#: 135949029
Hauptstrasse 177                         USt.IdNr: DE191347579
52146 Würselen                           http://www.soebes.de
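The check described in this RFC, together with the company-pom layering Johannes asks for at the top of the thread, worked through as an added example (not code from the MLV plugin or from anyone in the thread): license categories VALID / WARN / INVALID, a company-wide default policy that a project may override or extend, an exclude list keyed by groupId:artifactId, and the warn-only default in which the build is only broken for the categories the project lists in fail_on (the thread's failOnWarning idea, generalised to any category). The Policy structure, the license names and the resolved dependency list are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    valid: set = field(default_factory=set)
    warn: set = field(default_factory=set)
    invalid: set = field(default_factory=set)
    excludes: set = field(default_factory=set)   # "groupId:artifactId" keys skipped entirely
    fail_on: set = field(default_factory=set)    # categories that break the build; empty = warn only


def merge_policy(base: Policy, override: Policy) -> Policy:
    """Project policy layered over the company default: sets are extended,
    and a license the override names is moved to the override's category."""
    merged = Policy(set(base.valid), set(base.warn), set(base.invalid),
                    set(base.excludes) | override.excludes,
                    set(base.fail_on) | override.fail_on)
    for name in override.valid | override.warn | override.invalid:
        merged.valid.discard(name)
        merged.warn.discard(name)
        merged.invalid.discard(name)
    merged.valid |= override.valid
    merged.warn |= override.warn
    merged.invalid |= override.invalid
    return merged


def categorize(license_name, policy: Policy) -> str:
    if license_name is None:
        return "MISSING"          # artifact pom declares no license
    if license_name in policy.invalid:
        return "INVALID"
    if license_name in policy.warn:
        return "WARN"
    if license_name in policy.valid:
        return "VALID"
    return "UNKNOWN"              # declared, but in none of the configured categories


def verify(dependencies, policy: Policy):
    """Check every (transitive) dependency. Returns (build_ok, findings), where
    findings lists (groupId:artifactId:version, category) for everything not VALID."""
    findings = []
    for dep in dependencies:
        key = f"{dep['groupId']}:{dep['artifactId']}"
        if key in policy.excludes:
            continue
        category = categorize(dep.get("license"), policy)
        if category != "VALID":
            findings.append((f"{key}:{dep['version']}", category))
    build_ok = not any(category in policy.fail_on for _, category in findings)
    return build_ok, findings


# Constructed resolved dependency list, shaped like what Maven would hand the plugin
DEPENDENCIES = [
    {"groupId": "org.example", "artifactId": "lib-a", "version": "1.0", "license": "Apache-2.0"},
    {"groupId": "org.example", "artifactId": "lib-b", "version": "2.3", "license": "GPL-3.0"},
    {"groupId": "org.example", "artifactId": "lib-c", "version": "0.9"},   # no license in pom
    {"groupId": "org.example", "artifactId": "tooling", "version": "1.1", "license": "LGPL-2.1"},
]

# Company pom: defaults for every project, warn-only as in the RFC's default
COMPANY = Policy(valid={"Apache-2.0", "MIT"}, warn={"LGPL-2.1"}, invalid={"GPL-3.0"})
# Reusable library: must not depend on GPL, so INVALID breaks the build
LIBRARY = merge_policy(COMPANY, Policy(fail_on={"INVALID"}))
# Internal project: GPL is acceptable, and a build-time tool is excluded from the check
INTERNAL = merge_policy(COMPANY, Policy(valid={"GPL-3.0"}, excludes={"org.example:tooling"}))

if __name__ == "__main__":
    for name, policy in ("company", COMPANY), ("library", LIBRARY), ("internal", INTERNAL):
        ok, findings = verify(DEPENDENCIES, policy)
        print(name, "BUILD OK" if ok else "BUILD FAILED", findings)
```

Keeping MISSING and UNKNOWN as their own categories, rather than folding them into WARN, lets a project decide separately whether an undeclared license is a build failure; for a reusable library that is usually the right setting, since an artifact without a declared license cannot be shown to satisfy any policy.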