donat
commented
8 months ago Groovy and Spock are test-only dependencies and they should not appear anywhere in production.
Closed reinsch82 closed 10 months ago
donat
commented
8 months ago Groovy and Spock are test-only dependencies and they should not appear anywhere in production.
akurtakov
commented
8 months ago My bad I wanted to ask for org.gradle.toolingapi. No idea why I actually asked at this PR.
donat
commented
8 months ago All right.
Regarding the org.gradle.toolingapi dependency: years ago the Eclipse IP team allowed us to update the tapi versions without an explicit license review.
akurtakov
commented
8 months ago Regarding the org.gradle.toolingapi dependency: years ago the Eclipse IP team allowed us to update the tapi versions without an explicit license review.
@waynebeaton Can this permission be somehow handled in the dash tool database or the tool itself so buildship downstreams can rely on dash licensetool?
waynebeaton
commented
8 months ago The easiest thing to do is to remove the the component from the information that you pass to the tool.
For the Maven plugin, you can use the excludeArtifactIds property. If you're invoking the CLI, you can use grep to filter out the entries that don't need to be reviewed.
In the meantime, I have a prototype extension that should help us find new versions of the source.
waynebeaton
commented
8 months ago @donat where do I find downloads (especially of source) of org.gradle:gradle-tooling-api:*.
I'm looking specifically for some kind of archive format, not a pointer to the source tree in a Git repository (I can make the latter work, but an archive file is better for a couple of reasons). Scanning these should be easy enough, so I'd like to set us up for future success (other projects have asked for this dependency).
In the meantime... I grabbed the ZIP of the source from the Eclipse Buildship project; we'll use that to push through the review of this version.
donat
commented
8 months ago The source jar is available here: gradle-tooling-api-8.1.1-sources.jar
waynebeaton
commented
8 months ago Thanks. In the future, the IPLab scanner will look on repo.gradle.org for source for this and other org.gradle packages.
Did all these changes been ip approved by e.g. https://github.com/eclipse/dash-licenses/ ? I'm trying to move Jdt.ls to latest buildship and face a license issue https://github.com/eclipse-jdtls/eclipse.jdt.ls/pull/2974 .