incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Leo Simons <>
Subject Re: Release votes
Date Sun, 04 Jun 2006 13:13:10 GMT
On Fri, Jun 02, 2006 at 10:17:46AM -0400, Noel J. Bergman wrote:
> Leo Simons wrote:
> > Let's write a piece of software to do the auditing for us.
> How do you propose to do this?  How do you propose to audit the code and
> know which pieces of code require which license and whether or not that
> license is conforming, and properly documented?  Not saying that this can't
> be done, but am asking how you propose to do it.

Hadn't thought about it a whole lot yet. I figured the question was coming so
I typed up some random things on the train...not sure whether it makes sense
but I'm confident it can be done.



The Magnificient Release Licensing Assistant

--> takes a tarball
 --> check tarball name
     --> has "incubating" in there
 --> checks there is a LICENSE.txt containing at least all of the
     apache license, v2.0
 --> checks there is a NOTICE.txt containing at least all of the
     policy-required ASF copyright statements
 --> look for any file which is easily identified as "potentially
     third party" (for java projects, this typically means .jars.
     For other projects, who knows...)
     --> for each such file
         --> compare (eg the SHA1 or MD5) with a database of
             'known' ASF artifacts (eg based on our maven repo
             --> if match
                 --> if "SNAPSHOT", issue warning
                 --> if "incubating", issue warning
             --> if no match
                 --> compare the name of the file
                     --> if match, issue error
                     --> if no match
                         --> compare with a database of known
                             'external' artifacts
                             --> similar policies
                             --> for known non-apache license
                                 and/or copyright, inspect
                                 subdir (as per 3rd party
                         --> if still no match
                             --> issue warning, request addition
                                 of metadata
                                 --> tool for adding metadata in
                                     some way (webapp? Integrates
                                     with maven repo manager?)
 --> check availability of PGP file
     --> check validity
 --> check availability of SHA1 file
     --> check validity
 --> etc etc

Frequently Imagined Answers
Is this hard to implement?


    --> some forloops
    --> some switch/case/if/then/else
    --> some regular expressions
    --> some clever use of 'diff'
    --> some file i/o
    --> availability of maven POM metadata (perhaps with an
        extension or two) is *key*

Why no 'template' tool instead?

    --> no idea! Lets do that too!

Why not as a maven subproject?

    --> no idea! Lets see if that makes sense!

Why write it using maven?

    --> it somehow seems sensible. It looks like our non-java projects tend to
        get this right anyhow, and most of our java projects use maven for their
        builds and stuff anyway.

        But I want to do it using technology X!
        --> Cool! Please do. Way to go! Less work for me!

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message