noi-techpark / project-solda

GNU General Public License v3.0

As an audit team member, I want to use the snapshot API of debian source packages, in order to get the best match possible #5

Closed Piiit closed 3 years ago

Piiit commented 3 years ago

Use the snapshot.debian.org API to search and fetch Debian source packages

Outsourced to Martin R.

Some Debian package versions may be removed from Debian repositories over time (e.g. alsa-lib_1.2.3, found by the Debian matcher for OHOS Debian release on Apr 12, 2021, as of May 3, 2021 cannot be found any more in Debian repos). This may lead to inconsistent and non-reproducible results by the Debian matcher. We should use the snapshot.debian.org API instead (https://salsa.debian.org/snapshot-team/snapshot/raw/master/API), which would enable us to find more possibly matching versions in Debian (and possibly closer matches), and would lead to stable and reproducible results over time.

https://git.ostc-eu.org/oss-compliance/toolchain/aliens4friends/-/issues/9

UPDATE 2021-06-16: We agreed that the findings must not be reproducible, but only find the best match with what the snapshot API gives at some point in time. The reproducibility would be a major effort since the API itself does not support filtering against a time interval, hence we would need to crawl the data and generate our own API and database. This effort is too high compared to the gain... I change the title of this user story therefore...
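The matching idea described in the comment above, as an added example (not code from aliens4friends or this project): pick the closest Debian version from the version list that the snapshot API's `/mr/package/<package>/` endpoint returns. The sample response is constructed, and the closeness rule (exact upstream version first, then smallest per-component numeric distance) is an assumption made here, not the matcher's actual scoring.

```python
import json
import re

# Constructed sample, shaped like the JSON returned by
# GET https://snapshot.debian.org/mr/package/alsa-lib/ (versions are made up).
SAMPLE_RESPONSE = json.dumps({"package": "alsa-lib", "result": [
    {"version": "1.2.4-1.1"}, {"version": "1.2.3.2-1"}, {"version": "1.2.3-1"},
    {"version": "1.2.2-2.3"}, {"version": "1.1.8-1~bpo9+1"},
]})

def split_debian_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:                      # no epoch given, Debian treats it as 0
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")  # revision follows the LAST hyphen
    if not sep:                      # native package: no Debian revision
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def numeric_key(upstream, width=6):
    """Numeric components of an upstream version, zero-padded to a fixed width.

    Simplification (assumption): suffixes after '~' or '+' (e.g. '+dfsg') are ignored.
    """
    core = re.split(r"[~+]", upstream, maxsplit=1)[0]
    nums = [int(n) for n in re.findall(r"\d+", core)][:width]
    return tuple(nums + [0] * (width - len(nums)))

def best_match(wanted_upstream, response_text):
    """Return the Debian version closest to wanted_upstream, or None if none listed."""
    versions = [r["version"] for r in json.loads(response_text)["result"]]
    want = numeric_key(wanted_upstream)

    def score(version):
        _, upstream, _ = split_debian_version(version)
        dist = tuple(abs(a - b) for a, b in zip(want, numeric_key(upstream)))
        # False sorts before True, so an exact upstream match always wins.
        return (upstream != wanted_upstream, dist)

    # min() keeps the first candidate on ties, i.e. the order the API returned.
    return min(versions, key=score) if versions else None

if __name__ == "__main__":
    for wanted in ("1.2.3", "1.2.1"):
        print(wanted, "->", best_match(wanted, SAMPLE_RESPONSE))
```

Because the API has no time filter, the same call can return a different best match once new versions are uploaded, which is the reproducibility limit noted in the update.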

Piiit commented 3 years ago

@mrabans FYI

Please also accept the invitation for this project

Piiit commented 3 years ago

@mrabans needs to work on some changes we requested inside the original issue, hence blocked for now

mrabans commented 3 years ago

@Piiit please see my latest push today into the snapmatcher branch and the merge request for master https://git.ostc-eu.org/oss-compliance/toolchain/aliens4friends/-/merge_requests/27

Piiit commented 3 years ago

@mrabans I added a new todo in the main comment section