Closed wba2hi closed 9 months ago
Some thoughts:
As I understand it, as an Eclipse committer you can request a review of licenses, like the ones below (see https://github.com/eclipse/dash-licenses). Do we want to do that?
Any input, @SebastianSchildt?
[main] INFO Querying Eclipse Foundation for license data for 14 items.
[main] INFO Found 4 items.
[main] INFO Querying ClearlyDefined for license data for 10 items.
[main] INFO Found 10 items.
[main] INFO License information could not be automatically verified for the following content:
[main] INFO
[main] INFO pypi/pypi/-/grpcio-tools/1.56.2
[main] INFO pypi/pypi/-/grpcio/1.56.2
[main] INFO pypi/pypi/-/websockets/11.0.3
[main] INFO
[main] INFO This content is either not correctly mapped by the system, or requires review.
I tried creating a request for a review, let's see what happens.
erik@debian4:~/kuksa-python-sdk$ java -jar ~/Downloads/org.eclipse.dash.licenses-1.1.1-20231208.065047-4.jar dependencies.txt -review -token XXXXXXXXX -repo https://github.com/eclipse-kuksa/kuksa-python-sdk -project automotive.kuksa
[main] INFO Querying Eclipse Foundation for license data for 14 items.
[main] INFO Found 4 items.
[main] INFO Querying ClearlyDefined for license data for 10 items.
[main] INFO Found 10 items.
[main] INFO License information could not be automatically verified for the following content:
[main] INFO
[main] INFO pypi/pypi/-/grpcio-tools/1.56.2
[main] INFO pypi/pypi/-/grpcio/1.56.2
[main] INFO pypi/pypi/-/websockets/11.0.3
[main] INFO
[main] INFO This content is either not correctly mapped by the system, or requires review.
[main] INFO A review is required for pypi/pypi/-/grpcio-tools/1.56.2.
[main] INFO A review request was created https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/11848 .
[main] INFO A review is required for pypi/pypi/-/grpcio/1.56.2.
[main] INFO A review request was created https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/11849 .
[main] INFO A review is required for pypi/pypi/-/websockets/11.0.3.
[main] INFO A review request was created https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/11850 .
So currently I create the tickets manually from time to time and do not release/allow you to release before master/main is clear.
I think as a next step - at least I feel the kuksa databroker side is robust enough for this - we should put a dash token in as an organisation secret and extend our dash action so that it can optionally create the tickets itself, basically automating what you did there.
For now I would not require everything to be cleared in PRs. What I currently do, if I see just 1 or 2 new dependencies in a PR, is manually check if the license "seems ok". The problem with waiting for clearing is that often it is fast (like < 1 hour, and auto-cleared by scan), but sometimes it can take 2-3 weeks.
So far, in recent times, we never had the situation that we needed to roll back a change.
Closes: #8
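A sketch of the gate discussed in this thread, as an added example (not code from kuksa-python-sdk or dash-licenses): it parses the log format shown above, maps each uncleared dependency to its review ticket, and fails only for releases while letting PRs through. The function names and the `pr`/`release` mode names are assumptions.

```python
import re

# Excerpt of the dash-licenses output quoted in this thread, trimmed so that
# the last item has no review ticket yet (to exercise that case).
SAMPLE_LOG = """\
[main] INFO Found 10 items.
[main] INFO License information could not be automatically verified for the following content:
[main] INFO
[main] INFO pypi/pypi/-/grpcio-tools/1.56.2
[main] INFO pypi/pypi/-/grpcio/1.56.2
[main] INFO pypi/pypi/-/websockets/11.0.3
[main] INFO
[main] INFO This content is either not correctly mapped by the system, or requires review.
[main] INFO A review is required for pypi/pypi/-/grpcio-tools/1.56.2.
[main] INFO A review request was created https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/11848 .
[main] INFO A review is required for pypi/pypi/-/grpcio/1.56.2.
[main] INFO A review request was created https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/11849 .
[main] INFO A review is required for pypi/pypi/-/websockets/11.0.3.
"""

# Five-part ID as printed in the log: type/provider/namespace/name/revision.
ID = r"[\w.-]+/[\w.-]+/[\w.@-]+/[\w.-]+/[\w.+-]+"
UNVERIFIED = re.compile(rf"^\[main\] INFO ({ID})$")
REQUIRED = re.compile(rf"A review is required for ({ID})\.$")
CREATED = re.compile(r"A review request was created (https://\S+)")

def parse_log(text):
    """Return {dependency id: review ticket URL, or None if no ticket yet}."""
    pending, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := UNVERIFIED.match(line):
            pending.setdefault(m.group(1), None)
        elif m := REQUIRED.search(line):
            last = m.group(1)
            pending.setdefault(last, None)
        elif (m := CREATED.search(line)) and last:
            pending[last] = m.group(1)  # ticket belongs to the preceding item
            last = None
    return pending

def gate(pending, mode):
    """Exit code: PRs only report uncleared items, releases are blocked."""
    if mode not in ("pr", "release"):
        raise ValueError(f"unknown mode: {mode}")
    return 1 if pending and mode == "release" else 0

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for dep, url in found.items():
        print(f"uncleared: {dep} -> {url or 'no review ticket yet'}")
    raise SystemExit(gate(found, "release"))
```
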