How does a company go about fleshing out the aspects of FOSS without wasting
so many people's time?  As FOSS gains in popularity, we are sinking in a
quagmire of manual research, analysis and legal license inspections.  It
seems the FOSSology product will unpack compressed files and sniff around
for licenses while on the other side of the planet we have Maven
repositories that understand version dependencies -- but there is a void in
bringing them together!

In an attempt to follow a concrete day-in-the-job, let us consider
Struts 2.1.6 and let's further suppose that we plan to take advantage of all
the downstream dependencies it offers (i.e. optionals).

   1. Is there a version-specific dependency tree mechanically available?
      - Will subsequent versions eventually appear in the same
        location/format?
   2. What technique to use in determining the stack of licenses gleaned
      from this tree?

I see developers struggling to bring together the jars necessary to do a
build, which is time consuming and expensive.  I see a legal team in the
other building struggling to ascertain our risk, should this "stack" be
implemented.

P.S. Does anyone here have first-hand experience with FOSSology?

Peace,
Scott
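One way to mechanise the two questions in the post (a version-specific dependency walk and the license stack it implies), as an added example that is not part of the original message or of any project named in it: it parses constructed sample POMs held in memory (not real Struts 2.1.6 metadata), walks the dependency tree from a chosen coordinate, honours the `<optional>` flag so optionals can be included or excluded, and reports artifacts that declare no license or cannot be resolved. The names `REPO`, `parse_pom` and `license_stack` are this example's own.

```python
"""Walk a Maven dependency tree from POM metadata and collect each artifact's declared licenses."""
import xml.etree.ElementTree as ET

# Constructed sample POMs (not real Struts metadata); keys are Maven coordinates.
REPO = {
    "org.example:app:1.0": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses><license><name>Apache License 2.0</name></license></licenses>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>web</artifactId><version>2.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>extra</artifactId><version>0.3</version><optional>true</optional></dependency>
  </dependencies></project>""",
    "org.example:web:2.1": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses><license><name>Apache License 2.0</name></license></licenses>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>app</artifactId><version>1.0</version></dependency>
  </dependencies></project>""",
    "org.example:extra:0.3": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies/></project>""",
}

def parse_pom(xml_text):
    """Return (licenses, deps) for one POM; deps are (coordinate, optional) tuples.
    The {*} wildcard matches any XML namespace, so namespaced and bare POMs both parse."""
    root = ET.fromstring(xml_text)
    licenses = [n.text.strip() for n in root.iterfind("{*}licenses/{*}license/{*}name")]
    deps = []
    for d in root.iterfind("{*}dependencies/{*}dependency"):
        coord = ":".join(d.findtext(f"{{*}}{t}", "") for t in ("groupId", "artifactId", "version"))
        optional = d.findtext("{*}optional", "false").strip().lower() == "true"
        deps.append((coord, optional))
    return licenses, deps

def license_stack(root_coord, include_optional=True, repo=REPO):
    """Breadth-first walk of the dependency tree; returns {coordinate: [licenses]}.
    Missing license metadata is reported as ['UNKNOWN'] so legal can follow up,
    and artifacts absent from the repository are reported as ['UNRESOLVED']."""
    stack = {}
    queue = [root_coord]
    while queue:
        coord = queue.pop(0)
        if coord in stack:  # already visited: tolerates cyclic dependency graphs
            continue
        if coord not in repo:
            stack[coord] = ["UNRESOLVED"]
            continue
        licenses, deps = parse_pom(repo[coord])
        stack[coord] = licenses or ["UNKNOWN"]
        queue.extend(c for c, opt in deps if include_optional or not opt)
    return stack
```

Pointing `REPO` at POMs fetched from a real repository by exact version gives the version-specific tree the first question asks for; the `UNKNOWN` entries are the artifacts a license scanner such as FOSSology would still have to inspect.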
