Re: A license check tool offered by Apache SkyWalking Community

2022-08-24 Thread Justin Mclean
Hi,

> In terms of binary dependency, if those “dependencies used by our 
> dependencies” (usually called transitive dependencies) are not mentioned in 
> the using dependencies, we can also detect and list the transitive 
> dependencies in our license file as they are finally bundled in our binary 
> too (mostly). But if you mean our dependency uses third party source code 
> without mentioning it, that’s a bit troublesome. 

A lot of code does indeed do this and there's no real simple automated way to 
detect that. This tool I believe may be based on a misconception: the LICENSE 
file doesn’t contain a list of licenses of the dependencies but the licenses of 
the code that is bundled in the release. The licenses of the dependencies only 
matter if they are not compatible with the Apache license, e.g. GPL or other 
category X license.

Kind Regards,
Justin
-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org



Re: A license check tool offered by Apache SkyWalking Community

2022-08-24 Thread kezhenxu94
Hi Justin

> In my experience dependencies can also include other differently licensed 3rd 
> party code and can fail to mention it.

In terms of binary dependency, if those “dependencies used by our dependencies” 
(usually called transitive dependencies) are not mentioned in the using 
dependencies, we can also detect and list the transitive dependencies in our 
license file as they are finally bundled in our binary too (mostly). But if you 
mean our dependency uses third party source code without mentioning it, that’s 
a bit troublesome. 


> Kind Regards,
> Justin
> 
> 
> 



Re: A license check tool offered by Apache SkyWalking Community

2022-08-24 Thread kezhenxu94
Hi Vladimir Sitnikov, thanks for sharing!

Yes, overriding a dependency's license is important when the tool cannot identify it, and we have this feature too:

> 18. Declare the dependency licenses which cannot be identified by this tool.

apache/skywalking-eyes: A full-featured license tool to check and fix license headers and resolve dependencies' licenses. (github.com)

Currently license eye supports Golang, maven, npm, and Rust cargo, while gradle is in my roadmap too. Glad to see your tool!

On Aug 25, 2022, at 00:02, Vladimir Sitnikov  wrote:

> I have a similar tool in form of a Gradle plugin:
> https://github.com/vlsi/vlsi-release-plugins/blob/45865c3186a7ecc0d30b1f88c2f31160b5e1b13a/plugins/license-gather-plugin/README.md
>
> It searches for LICENSE-like files in dependencies, checks if the license
> is A-B-X compatible,
> and generates the final license file (with all the LICENSE-like files from
> the dependencies).
>
> I've created it for Apache JMeter and Apache Calcite:
> https://github.com/apache/jmeter/blob/b73f69074f8b3b5d71767ab0fedb52f16a1e55d6/src/licenses/build.gradle.kts
> https://github.com/apache/calcite/blob/b9c2099ea92a575084b55a206efc5dd341c0df62/release/build.gradle.kts#L101-L121
>
> From my experience, it is important to be able to "override the detected
> license"
> as many dependencies do not properly declare the actual license,
> and sometimes dependencies fail to include license texts in their release
> artifacts.
>
> Vladimir

Re: A license check tool offered by Apache SkyWalking Community

2022-08-24 Thread Justin Mclean
Hi,

In my experience dependencies can also include other differently licensed 3rd 
party code and can fail to mention it.

Kind Regards,
Justin






Re: A license check tool offered by Apache SkyWalking Community

2022-08-24 Thread Vladimir Sitnikov
I have a similar tool in form of a Gradle plugin:
https://github.com/vlsi/vlsi-release-plugins/blob/45865c3186a7ecc0d30b1f88c2f31160b5e1b13a/plugins/license-gather-plugin/README.md

It searches for LICENSE-like files in dependencies, checks if the license
is A-B-X compatible,
and generates the final license file (with all the LICENSE-like files from
the dependencies).

I've created it for Apache JMeter and Apache Calcite:
https://github.com/apache/jmeter/blob/b73f69074f8b3b5d71767ab0fedb52f16a1e55d6/src/licenses/build.gradle.kts
https://github.com/apache/calcite/blob/b9c2099ea92a575084b55a206efc5dd341c0df62/release/build.gradle.kts#L101-L121

From my experience, it is important to be able to "override the detected
license"
as many dependencies do not properly declare the actual license,
and sometimes dependencies fail to include license texts in their release
artifacts.

Vladimir
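
The override-then-check flow described in the message above, as an added example that is not code from the Gradle plugin or from skywalking-eyes. The category table is abbreviated to a few SPDX ids, and `audit`, the dependency coordinates and the sample data are constructed for illustration.

```python
# Added example. ASF third-party categories, abbreviated to a few SPDX ids:
# A = may be bundled, B = binary form only with conditions, X = must not be bundled.
ASF_CATEGORY = {
    "Apache-2.0": "A", "MIT": "A", "BSD-3-Clause": "A", "ISC": "A",
    "MPL-2.0": "B", "EPL-2.0": "B", "CDDL-1.1": "B",
    "GPL-3.0-only": "X", "LGPL-2.1-only": "X", "AGPL-3.0-only": "X",
}

def audit(dependencies, overrides):
    """Classify each bundled dependency; an override wins over the detected license.

    dependencies: {"name:version": detected SPDX id, or None if nothing was detected}
    overrides:    {"name:version": SPDX id confirmed by a human reviewer}
    Returns (report, problems); a non-empty problems list should fail the build.
    """
    report, problems = {}, []
    for coord, detected in sorted(dependencies.items()):
        license_id = overrides.get(coord, detected)
        category = ASF_CATEGORY.get(license_id)
        report[coord] = (license_id, category, coord in overrides)
        if license_id is None:
            problems.append(f"{coord}: no license detected, add an override")
        elif category is None:
            problems.append(f"{coord}: {license_id} is not in the category table")
        elif category == "X":
            problems.append(f"{coord}: {license_id} is category X")
    # An override for a dependency that is no longer bundled is stale and hides drift.
    for coord in sorted(set(overrides) - set(dependencies)):
        problems.append(f"{coord}: override matches no bundled dependency")
    return report, problems

# Constructed sample input; none of these coordinates come from the thread.
SAMPLE_DEPS = {
    "example-json:1.4.0": "MIT",
    "example-codec:2.0.1": None,            # artifact ships no license text
    "example-ui:0.9.0": "GPL-3.0-only",     # metadata is wrong, upstream is MIT
    "example-parser:3.2.0": "EPL-2.0",
    "example-native:1.0.0": "LGPL-2.1-only",
}
SAMPLE_OVERRIDES = {
    "example-codec:2.0.1": "Apache-2.0",
    "example-ui:0.9.0": "MIT",
    "example-old:0.1.0": "MIT",             # dependency removed, override left behind
}

if __name__ == "__main__":
    for line in audit(SAMPLE_DEPS, SAMPLE_OVERRIDES)[1]:
        print(line)
```
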


Re: A license check tool offered by Apache SkyWalking Community

2022-08-24 Thread kezhenxu94
We have this 
https://github.com/apache/skywalking-eyes#check-dependencies-licenses to check 
license compatibility, now we only offer compatibility matrix with Apache 
license 2.0

> On Aug 24, 2022, at 14:01, Sheng Wu  wrote:
> 
> AFAIK, we haven't done this. But in theory, we could introduce Apache
> Catalog A/B/X to support the compatibility check.
> If you want to help the project to support this, submit an issue here,
> https://github.com/apache/skywalking/issues.
> 
> Sheng Wu 吴晟
> Twitter, wusheng1108
> 
> Xiaofeng wrote on Wed, Aug 24, 2022 at 13:33:
>> 
>> Hi,
>> 
>> Will checking license compatibility be a feature in the future?
>> 
>> Regards,
>> Xiaofeng
>> 
>> Justin Mclean wrote on Tue, Aug 23, 2022 at 16:13:
>> 
>>> Hi,
>>> 
>>> So taking a quick look at a SkyWalking release [1] I can see a couple of
>>> minor issues with LICENSE and NOTICE. You may want to fix these.
>>> 
>>> Hints:
>>> Is OpenCensus mentioned in LICENSE?
>>> Does prometheus client_model have a NOTICE file?
>>> Does maven-wrapper have a NOTICE file?
>>> 
>>> Also there is compiled code (a jar) in the source release. Source
>>> release cannot include compiled code.
>>> 
>>> Kind Regards,
>>> Justin
>>> 
>>> 1.
>>> https://www.apache.org/dyn/closer.cgi/skywalking/9.1.0/apache-skywalking-apm-9.1.0-src.tgz
>>> 


Re: A license check tool offered by Apache SkyWalking Community

2022-08-24 Thread Sheng Wu
AFAIK, we haven't done this. But in theory, we could introduce Apache
Catalog A/B/X to support the compatibility check.
If you want to help the project to support this, submit an issue here,
https://github.com/apache/skywalking/issues.

Sheng Wu 吴晟
Twitter, wusheng1108

Xiaofeng wrote on Wed, Aug 24, 2022 at 13:33:
>
> Hi,
>
> Will checking license compatibility be a feature in the future?
>
> Regards,
> Xiaofeng
>
> Justin Mclean wrote on Tue, Aug 23, 2022 at 16:13:
>
> > Hi,
> >
> > So taking a quick look at a SkyWalking release [1] I can see a couple of
> > minor issues with LICENSE and NOTICE. You may want to fix these.
> >
> > Hints:
> > Is OpenCensus mentioned in LICENSE?
> > Does prometheus client_model have a NOTICE file?
> > Does maven-wrapper have a NOTICE file?
> >
> > Also there is compiled code (a jar) in the source release. Source
> > release cannot include compiled code.
> >
> > Kind Regards,
> > Justin
> >
> > 1.
> > https://www.apache.org/dyn/closer.cgi/skywalking/9.1.0/apache-skywalking-apm-9.1.0-src.tgz
> >




Re: A license check tool offered by Apache SkyWalking Community

2022-08-23 Thread Xiaofeng
Hi,

Will checking license compatibility be a feature in the future?

Regards,
Xiaofeng

Justin Mclean wrote on Tue, Aug 23, 2022 at 16:13:

> Hi,
>
> So taking a quick look at a SkyWalking release [1] I can see a couple of
> minor issues with LICENSE and NOTICE. You may want to fix these.
>
> Hints:
> Is OpenCensus mentioned in LICENSE?
> Does prometheus client_model have a NOTICE file?
> Does maven-wrapper have a NOTICE file?
>
> Also there is compiled code (a jar) in the source release. Source
> release cannot include compiled code.
>
> Kind Regards,
> Justin
>
> 1.
> https://www.apache.org/dyn/closer.cgi/skywalking/9.1.0/apache-skywalking-apm-9.1.0-src.tgz
>


Re: A license check tool offered by Apache SkyWalking Community

2022-08-23 Thread Justin Mclean
Hi,

So taking a quick look at a SkyWalking release [1] I can see a couple of minor 
issues with LICENSE and NOTICE. You may want to fix these.

Hints:
Is OpenCensus mentioned in LICENSE?
Does prometheus client_model have a NOTICE file?
Does maven-wrapper have a NOTICE file?

Also there is compiled code (a jar) in the source release. Source release 
cannot include compiled code.

Kind Regards,
Justin

1. 
https://www.apache.org/dyn/closer.cgi/skywalking/9.1.0/apache-skywalking-apm-9.1.0-src.tgz
 




Re: A license check tool offered by Apache SkyWalking Community

2022-08-23 Thread Sheng Wu
Justin Mclean wrote on Tue, Aug 23, 2022 at 15:50:
>
> Hi,
>
> Also remember that it’s only code that ends up in the release and not all 
> dependencies that impact the LICENSE and NOTICE files.

Agree. The tool would not be perfect, it just reduces the workload
from a manual dependencies analysis.

Sheng Wu 吴晟
Twitter, wusheng1108

>
> Kind Regards,
> Justin



Re: A license check tool offered by Apache SkyWalking Community

2022-08-23 Thread Sheng Wu
Yu Xiao wrote on Tue, Aug 23, 2022 at 15:44:
>
> Hi
>
> It is very good.
>
> Will the following features be available in the future :
>
> Comparison of license files with dependencies (e.g. license files with
> missing some).

It is available if you directly use GHA.
SkyWalking uses this:
- GHA
https://github.com/apache/skywalking/blob/77ba2d553d77a4acacd8b2498cb09ea983a9baf4/.github/workflows/skywalking.yaml#L57

The tool would resolve the licenses of runtime dependencies and apply
this template
(https://github.com/apache/skywalking/blob/77ba2d553d77a4acacd8b2498cb09ea983a9baf4/.github/workflows/skywalking.yaml#L81)
to do binary license checking (use `git diff`).

Sheng Wu 吴晟
Twitter, wusheng1108

>
> Best wishes!
>
> Yu Xiao
> Apache ShenYu
>
> Sheng Wu wrote on Tue, Aug 23, 2022 at 15:00:
> >
> > Hi podlings
> >
> > Apache SkyWalking graduated from the incubator years ago, but we still
> > remember we were struggling to keep licenses of dependencies well
> > organized and listed correctly.
> > So, SkyWalking PMC/Committer worked with the community starting to
> > build a tool to help with the license header and dependencies checker.
> >
> > I am honored to share that, this tool is well built and widely used in
> > and out of the ASF projects.
> >
> > https://github.com/apache/skywalking-eyes
> >
> > Apache SkyWalking eyes is a full-featured license tool to check and
> > fix license headers and resolve dependencies' licenses, with various
> > languages support.
> > No matter whether your source codes are in hybrid license headers, or
> > a monorepo requires a consistent tool to check dependencies from
> > different dependency management tools. It works.
> >
> > Also, as GitHub Action is widely used in the ASF projects, SkyWalking
> > eyes provide integration with GHA, as well as binary tar and docker
> > image[1] for other CI platforms.
> >
> > We hope this project could help incubating projects, especially new
> > podlings, to analyze dependencies easier.
> >
> > [1] https://hub.docker.com/r/apache/skywalking-eyes
> >
> > Sheng Wu 吴晟
> > Twitter, wusheng1108
> >



Re: A license check tool offered by Apache SkyWalking Community

2022-08-23 Thread Justin Mclean
Hi,

Also remember that it’s only code that ends up in the release and not all 
dependencies that impact the LICENSE and NOTICE files. 

Kind Regards,
Justin



Re: A license check tool offered by Apache SkyWalking Community

2022-08-23 Thread Justin Mclean
Hi,

Automated tools are a great help and can reduce the time required for this 
work, but please remember they will not find every issue. I’ve seen this time 
and time again in incubating projects.

Kind Regards,
Justin



Re: A license check tool offered by Apache SkyWalking Community

2022-08-23 Thread Yu Xiao
Hi

It is very good.

Will the following features be available in the future :

Comparison of license files with dependencies (e.g. license files with
missing some).

Best wishes!

Yu Xiao
Apache ShenYu

Sheng Wu wrote on Tue, Aug 23, 2022 at 15:00:
>
> Hi podlings
>
> Apache SkyWalking graduated from the incubator years ago, but we still
> remember we were struggling to keep licenses of dependencies well
> organized and listed correctly.
> So, SkyWalking PMC/Committer worked with the community starting to
> build a tool to help with the license header and dependencies checker.
>
> I am honored to share that, this tool is well built and widely used in
> and out of the ASF projects.
>
> https://github.com/apache/skywalking-eyes
>
> Apache SkyWalking eyes is a full-featured license tool to check and
> fix license headers and resolve dependencies' licenses, with various
> languages support.
> No matter whether your source codes are in hybrid license headers, or
> a monorepo requires a consistent tool to check dependencies from
> different dependency management tools. It works.
>
> Also, as GitHub Action is widely used in the ASF projects, SkyWalking
> eyes provide integration with GHA, as well as binary tar and docker
> image[1] for other CI platforms.
>
> We hope this project could help incubating projects, especially new
> podlings, to analyze dependencies easier.
>
> [1] https://hub.docker.com/r/apache/skywalking-eyes
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>