-
Notifications
You must be signed in to change notification settings - Fork 314
ORT Community Meeting
The ORT community hosts weekly meetings on Thursdays, 10.00 - 11.00 CET, that are open to any interested party (reach out to @mnonnenmacher if you are having problems with the above invitation link).
An important goal of these meetings is to share and align on the ideas for the future development of ORT, and to maintain a community roadmap. Also, e.g. open pull requests may be discussed where verbal communication might be more expedient than the usual textual conversation.
To shape these meetings efficient, the aim is to have an agenda before each meeting, and stick to the agenda topics before discussing anything else. In general, for support questions please prefer to reach out to the ORT community on Slack.
- ORT Server / UI demo some time after 11th of November 2024
- Set processed declared licenses to NONE instead of empty. (https://github.com/oss-review-toolkit/ort/issues/2852, @sschuberth)
- How to deal with https://github.com/jslicense/spdx-correct.js/blob/master/test.js? (@sschuberth)
- Allowing curating of copyright holders. (https://github.com/oss-review-toolkit/ort/issues/4519, @tsteenbe)
- Replace license URLs with SWH content hashes. (https://github.com/oss-review-toolkit/ort/pull/5259, @sschuberth)
- Release Notes for version 39.0.0.
- Remove PR labels for breaking changes as we have them in release notes, and having both causes confusion.
- No objections to remove breaking change related labels in favor of documenting breaking changes in conventional commit footers and showing them in the release notes.
- Add a "Project" suffix to IDs of projects (like "MavenProject") to solve the specific problem of project vs package ID duplicates.
- No additional concerns, proceed with the implementation.
- Release Notes for version 38.0.0.
- Halloween edition 🎃
- Discussions about how to read in invalid SPDX produced by Snyk (Copyrigth text is explicity set to empty)
- Also see the somewhat related https://github.com/oss-review-toolkit/ort/issues/8052 to decouple parsing from validation.
- Other ideas include to have a separate SPDX ➡️ ORT Result helper command to uses the new SPDX library.
- As a general remark, if packages need to be manually declared, the package list file should be preferred over creating SPDX files for the SpdxDocumentFile analyzer.
- Release Notes for version 37.0.0.
- Breaking configuration changes for plugins and license file patterns.
- Sharing the larger discussion about package namespaces in ORT vs. purl and their encoding, e.g. ORT IDs do not contain namespaces for Go packages, but purl does, which has an impact on encoding.
- Release Notes for version 36.0.0.
- Further discussion of how to handle Bazel monorepos where a singl emodule file refers to all projects in the monorepo, but only a subset of that should be analyzed.
- One idea is a package-manager-specific option for Bazel to filter projects parsed from the module file before analyzing them.
- Release Notes for version 34.0.0.
- Release Notes for version 35.0.0.
- First Release Candidate for the ORT Server.
- Discussion about different root causes for duplicate identifiers
- The same "thing" could be seen as both a dependency and a project in a (mono-)repo that has project A with dependency packacke B, but the source code of B is hosted in the same repo.
- E.g. NPM and Yarn projects could depend on the same (?) package, but it gets pulled from different (private) registries.
- ORT's logic to come up with project names for projects without (enough) metadata (like Python's
requirements.txt
files) could create name / id clashes.
- Alliander has published their OSPO Code Scanner and ORT is part of it 😃
- No weekly call on October 3rd as it a national holiday in Germany so most people will have a day off. Next call will be October 10th. Althought there will not be a call the ORT project will have a release this week as usual.
- Release Notes for version 34.0.0 (will be discussed on 2024-10-10).
- Release Notes for version 33.1.0.
- Any objections to move to Java 21?
- No objections let's be bold and remove it to see if something breaks.
- But first add the
javaVersion
feature to "legacy" Gradle analyzer.
- Any objections to remove the Nexus IQ advisor?
- No objections, no one seems to be using it still.
- Release Notes for version 33.0.0.
- Improved vulnerability data model maintains CVSS vectors; need to change vulnerabilits rules as shown here.
-
python-inspector
support broken withsetuptools
75.0.0, see https://github.com/aboutcode-org/python-inspector/issues/190.
- Release Notes for version 32.0.0.
- Release Notes for version 31.0.0.
- @mnonnenmacher to talk about the new plugin API.
- Welcome @nnobelis as a new commiter to the ORT project!
- Reto continues to work on and off on Conan 2 support
- Can we limit ourselves to only support lockfiles?
- Enrico introduces himself
- Looks forward to the Black Duck integration issues beig worked on
- Has problems making ORT take custom configuration into use
- Maybe related to https://github.com/oss-review-toolkit/ort-ci-github-action/issues/35?
- We need to properoly maintain the (or a new version of) GitHub action.
- Release Notes for version 30.0.0.
- Should Curations, Package Configurations and Concluded licenses also apply to modified packages?
- Setting author information for all SBOM reporters
- Release Notes for version 29.0.0.
- No more vulnerabilities, thanks to the removal of the GitHub defects advisor.
- Release Notes for version 29.1.0.
- Handing multiple SCANOSS line ranges for snippets.
- Heads up: AOSD 2.0 will get an update to 2.1 soon.
- Discussion about vulnerabilities reported for ORT Docker images; the majority probably comes from the base image.
- Release Notes for version 28.0.0.
- Sonatype report has 1 vulnerability for an outdated Ktor version.
- Comes from Expedia's
graphql-kotlin-ktor-client
for which we're stuck on a old version. - Maybe migrate to https://github.com/apollographql/apollo-kotlin?
- Agreement to simply remove the GitHub defects advisor, see https://github.com/oss-review-toolkit/ort/pull/8994.
-
No release due to Sonatype issues.Edit: The issue was fixed shortly after the meeting. - Release Notes for version 27.0.0.
- Release Notes for version 26.0.0.
- @tsteenbe announces to show curations as part of the web app
- Needs help with evaluated model changes
- Related issues:
- Proposal to kill processes after some amount of time / receiving no stdout / stderr output
- Idea about conventional exceptions that could be thrown to not continue scanning / analysis of remaining packages
- Release Notes for version 25.1.0.
- Is someone willing to work on adding an expiration date to resolutions?
- @heliocastro is willing to contribute a Markdown reporter for vulnerabilities for use in GitHub action job summaries.
- Porsche is eager to get SPDX 2.3 (and 3.0 support), see https://github.com/oss-review-toolkit/ort/issues/5445.
- Release Notes for version 25.0.0.
- Use-cases for "non-repository" input to the analyzer
- Accouncement of
orthw
for Python as a separate project; will eventually deprecate https://github.com/oss-review-toolkit/orthw.
- Release Notes for version 24.0.0.
- Sneak peek at the ORT Server frontend UI hosted at Double Open / Scaleway.
- Release Notes for version 22.8.0.
- Release Notes for version 23.0.0.
- Any objections to raise the min. supported Conan version to 1.44.0? See https://github.com/oss-review-toolkit/ort/pull/8759.
- No concerns were raised during the community meeting.
- Integrating Black Duck as advisor (https://github.com/oss-review-toolkit/ort/issues/8739)
- Frank is planning to work on the topic and currently collecting more information.
- Porsche has a working solution which is currently internal and might be contributed in the future.
- Frank will schedule a meeting with the interested parties to discuss the technical details.
- Release Notes for version 22.7.0.
- Move
NestedProvenance
to model: https://github.com/oss-review-toolkit/ort/pull/8724 - Proposal to refactor CVSS enums to a sealed class to solve https://github.com/oss-review-toolkit/ort-config/pull/193/files#r1625429429.
- Release Notes for version 22.6.0.
- Ok to remove JitPack builds?
- No objection, but probably ask again next week with more participants.
- Release Notes for version 22.4.0.
- Release Notes for version 22.5.0.
-
Issue with
scancode
missing from the Docker image since 22.3.0 is gone with release 22.5.0.
- Release Notes for version 22.3.0.
-
CycloneDX 1.6 support delayed due to bugs in their core library.
- Probably stick with writing out CycloneDX 1.5 by default until more tools support 1.6 features.
Skipped due to a public holiday in Germany and elsewhere.
- Release Notes for version 22.2.0.
- Backlog grooming of issues was made on 2024-04-29 by @sschuberth @tsteenbe @mnonnenmacher and @fviernau - closed tickets with sentence "Closed as part of backlog grooming. Feel free to comment if you would like to contribute to this."
- Discussion about how to display effective licenses in the web-app report
- Community favorite is to consolidate declared, detected and effective license information in a combined "Licensing" tab
- Details about how to summarize licensing information (summary header vs. licensing tab) still need to be figured out
- Generally tabs should not be reordered automatically or hidden if there is no content, but the first tab to act upon in a usual workflow should be made active by default
- Release Notes for version 22.1.0.
- Release Notes for version 22.0.0.
- SPDX 3.0 is there: https://spdx.github.io/spdx-spec/v3.0/annexes/diffs-from-previous-editions/
- Upstream Java library does not support it yet.
- Idea to fix https://github.com/oss-review-toolkit/ort/issues/8462 by extending the custom deserializer for the
data
field. - @fviernau asks for poll about Static HTML layout changes.
- Probably first a brainstorming session by voice.
- Release Notes for version 21.0.0.
- Discussion on solution on improving copyright holders within ORT
- Anton from VW showed table with examples, see slide 15 in https://github.com/oss-review-toolkit/ort/files/14692577/ORT-at-Volkswagen.pdf.
- Is post-processing done by ScanCode an intentionally feature or unwanted side-effect
- Philippe: Not unwanted side affect, no dependency on third party libs that introduces the issues - it's a design decision from ScanCode to harmonize
- Martin: What about just getting the original copyrights directly from ScanCode? But that boils down - does someone have resources to work on this?
- Philippe: Can't out of the top of my head say effort required. Could set up project on OpenCollective to pull funding.
- Rishi: Think it worth to do some research and put a price / effort required to fix this so ORT users can bring this back to their organizations.
- Thomas propose to set up a group of folks:
- Users: clear description of all issue, provide test data and willingness support testing any solution or raise resulting document within their organizations
- Scancode: Willingness to do initial research to determine parts of the code impacted, possible solutions and coach devs on how to fix issues
- Both sides: Estimate effort required
- Agreement to work on this
- Anton: happy to provide test data and solution statement, create issue on ScanCode
- Philippe: Happy to support
- Rishi: To provide test data support, feedback on problem statement
- Thomas: Will take coordination from ORT TSC
- Possible solution:
- ORT users such as VW provide raw copyrights issues or results from internal research to the ScanCode project so they become aware of issues. More issues/ edge cases reported will in better solution
- ScanCode to add option to include unprocessed copyrights in the scan results
- Implement copyright curations within ORT that enable curations based on processed and unprocessed copyrights
- Fix things upstream in ScanCode, @pombredanne says it possible but lack resources to work on it - he open to contributions/funding
- Include unprocessed copyrights from ScanCode into the ORT result optionally
- @mnonnemacher: Would like to see the format coming from ScanCode before inclusion, let discuss this further
- Philippe reports they are working on copyrights to make it faster so more input they receive it the better they can make it.
- Release Notes for version 20.1.0.
- Interest in post-processing of copyright holders to work around ScanCode issues? (@vw-anton)
- Currently stuck with Cargo < 1.77.
- Discussion about removing support for the deprecated
dep
tool. - Heads up about an old SVN issue that reappeared.
- Release Notes for version 20.0.0.
- ORT Community Days - slides have been added to schedule (@tsteenbe)
- ScanCode 32.1.0 was released, planning to upgrade
- Will allow to solve https://github.com/oss-review-toolkit/ort/issues/8190.
- Release Notes for version 19.0.0.
- Release Notes for version 19.1.0.
- Discussion about introducing a
--packages-depth
parameter to the scanner, for the summary see: https://github.com/oss-review-toolkit/ort/pull/8372#issuecomment-2011774967
- Release Notes for version 18.0.0.
- Release Notes for version 17.1.0.
- Release Notes for version 17.0.0.
- Release Notes for version 16.0.0.
- ORT Community Days - prelimairy schedule available. (@tsteenbe)
- Discussions about
- "Quick" analyzer that might only work when lockfiles are already present, or only produce a flat list of dependencies (maybe involving deps.dev).
- Need to advise about outdated dependencies (or at least have the publishing date) and health metrics in general.
- A new host for the weekly meetings.
- Release Notes for version 15.3.0.
- Discussion about https://github.com/oss-review-toolkit/ort/issues/8249.
- Release Notes for version 15.2.0.
- Discussion about current Docker image build issues (exceeding storage limits; probably arm64 related).
- Release Notes for version 15.0.0.
- What to do about broken Git sparse checkouts? (https://github.com/oss-review-toolkit/ort/issues/8195, @mnonnenmacher)
- Release Notes for version 14.0.0.
- Discuss https://github.com/oss-review-toolkit/ort/issues/8052.
- Community feedback is for a reporter-specific option.
- Discuss https://github.com/oss-review-toolkit/ort/issues/7186.
- Community feedback is for simplifying the
given
term to semantically equivalent terms.
- Community feedback is for simplifying the
- Release Notes for version 13.0.0.
- ORT Community Days 2024: Registration and Call for Speakers is open. Seats are limited so reserve yours asap - if would like to speak submit your talk via this form.
First weekly meeting in 2024, happy new year!
- Release Notes for version 12.0.0.
- Pointing out the discussion about ScanCode "tampering" with Copyright symbols and Umlauts.
- The "ORT Server" has been announced as part of the Eclipse Overlay project proposal.
- Update on ORT Community Days 2024 (@tsteenbe)
- Release Notes for version 11.0.0.
- @vw-anton asks about how security vulnerabilitzies in ORT are handled, as he seen some to be reported in this tooling.
- We don't see anything being reported at
- @vw-anton will share the details where his findings come from.
- Release Notes for version 10.0.0.
- Release Notes for version 9.0.0.
- Please migrate from
--skip-excluded
CLI options to-P ort.<tool>.skipExcluded=true
CLI options for the respective<tool>
or configuration options inconfig.yml
. - There is a performance problem with the "DefaultDir" package curation provider with file systems mounted over NFS as it walks all files. Ideas are:
- Create an option for the provider to assume an
ort-config
-like layout which allows for a direct lookup. - Create a new provider which does the same thing.
- Create an option for the "OrtConfig" provider to read from a directory instead of Git repository.
- Create an option for the provider to assume an
- Discussion about whether path excludes should ignore scan timeout errors only for packages or also projects.
- Probably limit this feature to packages. For project still an issue resolution would be the way tro go.
- Release Notes for version 8.0.0.
- Again hiccups in publishing artifacts to Maven Central, will republish later today.
- @tsteenbe working on WebApp updates (replacing PR #6552 and PR #6589).
- Release Notes for version 7.1.0.
- Hiccup in publishing artifacts to Maven Central, will republish later today.
- Discuss reasons to use / keep the static HTML report.
- Helio: Still in use, uses less memory than generating the web app report for large projects.
- Frank: Static HTML is faster to generate, source code link feature still unique, searching through the whole content is easier as not things need to expand with the mouse.
- Jens: Faster to get / search the necessary information.
- No objection to make
ReportTableModel
non-public. - Does the Maven package manager support Eclipse p2 repositories based on Tycho? (@oheger-bosch)
- Currently no OSGi support (maybe also BndTool is related); looking at old SW360 Antenna code could be a good starting point.
- Investigate Slack Huddles for future community meetings to give attendees access to text chat, and probably attract more people to join our Slack workspace in general.
- Release Notes for version 7.0.0.
- Reminder: The
latest
tag for Docker images points to the image build from the most recent Git version tag, while thesnapshot
Docker tag points to the most recent image built frommain
.
- Release Notes for version 6.1.0.
- Will make a 6.1.1 patch release today with a fix for bundling advisor plugins into the distribution.
- ORT was ubiquitous at Mercedes-Benz FOSS Convention: Bosch, EPAM, Cariad, Mercedes-Benz, Porsche, ...
- Split https://github.com/oss-review-toolkit/ort/pull/7801 into more commits for a cleaner history.
- After the merge, old Docker images will be cleaned up.
- Release Notes for versions 5.1.0 and 6.0.0.
- Creation of new ORT subdomain for Slack http://slack.oss-review-toolkit.org. Issue is that invite link is expired although it shouldn't, instead of updating the invite link into multiple places proposal is to include subdomain everywhere so we only have to update the link in one place. Also subdomain is easier to communicate (@tsteenbe)
- Epic created to improve ORT's docs https://github.com/oss-review-toolkit/ort/issues/7793. Looking for contributors. (@tsteenbe)
- General unavailability of participants (vacation, conferences).
- Release Notes.
- Discussion about recent major version bumps and how to avoid breaking changes
- Split out code that is not core to ORT and version it independently (clients)
- Make more code internal so that API changes are not public / breaking
- Better document the area of breakage (API, configuration, etc.) similar to like we had for PRs
- Continue with moving the docs and tutorial directories to the root?
- @mnonnemacher and @tsteenbe will catch up with each other.
- People who want to help with organizing the ORT Community Day(s) 2024, reach out to @tsteenbe.
- Release Notes.
- Talk from @vw-anton about Volkswagen's current and future use of ORT.
- Release Notes.
- ORT Docker images published. Align on next steps.
- Update from @vw-anton about the ORT talk. -> Next week, 🎉!
- ORT Community Day(s) planned for 6th & 7th of March 2024 at Bosch.IO Campus in Berlin-Tempelhof (FOSS Backstage is 4th & 5th of March 2024)
- Release Notes.
- Sneak peek for new auto-generated release notes.
- How should release notes be presented going forward?
- Focus on Breaking Changes, Bug fixes and Features; skip the rest
- When should weekly releases be tagged?
- Let's start with tagging on Thursdays before the Community Meeting
- How should release notes be presented going forward?
- Discussion about taking new features without also taking breaking changes
- Mostly a resource issue, we'd need something like a "Release Manager" position; maybe funding from the ORT community would be possible?
- Host docs directly at https://oss-review-toolkit.org/ instead of https://oss-review-toolkit.org/ort/?
- Maybe simply let https://oss-review-toolkit.org/ forward to https://oss-review-toolkit.org/ort/?
- Is https://docs.oss-review-toolkit.org/ also an option?
- Move more (currently duplicate) parts out of the main
README.md
to the docs site- @mnonnenmacher will prepare a PR
- Have a look at @fviernau's PR: https://github.com/oss-review-toolkit/ort/pull/7488
- Brainstorming how to deal with generic-LicenseRef findings from ScanCode that do not have a concrete license text associated
- Probably filter those out from reports via license classifications
- Release Notes.
- Need to re-tag version 1.0.0 due to bugs in the release process.
- No objections / concerns from the community to "move" the remote 1.0.0 tag.
- Tag 1.0.0 now points at 84600f33c8a713587236d48a935dad4cc642f42e.
- Present updated documentation website based on https://github.com/oss-review-toolkit/ort/pull/6705.
- Version 1.0.0 was tagged, points at 9d022a47b87c74b95021722b3d812c31f621d9e7.
- No artifacts published yet, will be done.
-
Tag new version 1.1.0 todayPostponed, see notes of next meeting.
- Release Notes.
- New teams within oss-review-toolkit have been set up - we now have contributors, committers and technical steering committee teams who respectively have read, write and admin rights. Set up aligned with ORT's Charter, simplifies permissions and should enable any community member to show they are part of ORT community on their GitHub profile. (@tsteenbe)
- Clarify rules for curations and package configurations https://github.com/oss-review-toolkit/ort-config/issues/132. (@tsteenbe)
- @heliocastro reports about progress on https://github.com/oss-review-toolkit/ort/pull/7447.
- Release Notes.
- Plans to soon-ish tag version 1.0.0 of ORT and have weekly releases to Maven Central from then on.
- There's demand to keep the JitPack releases.
- JARs go to Maven Central (no wrapper shell scripts there).
- Distribution archive (incl. wrapper shell scripts) should get attached to GitHub releases.
- Any Docker image would get published to the GitHub container registry.
- The community should have a look at https://github.com/oss-review-toolkit/ort-config/issues/132 and chime in on upcoming rules.
- Initial discussion about how to improve performance for applying license choices.
- Release Notes.
- ORT is now listed at https://sbombenchmark.dev/
- Working on improving the sbomqs score
- Following an Slack conversation, a scanner option to take only existing scan result, but not actually perform a new scan was discussed; an issue will be created for this
- Release Notes.
- ScanCode license exception pairs: https://github.com/oss-review-toolkit/ort/issues/7384
- SPDX currently does not allow any custom exceptions for licenses; for SPDX 3, the proposal is to introduce
AdditionRef-
- SPDX currently does not allow any custom exceptions for licenses; for SPDX 3, the proposal is to introduce
- ORT currently does not build due to a reincarantion of https://github.com/eclipse-sw360/sw360/issues/1259
- Release Notes.
- Discussion about versioning for releases
- Stick with plain SemVer for simplicity (remembering the date as part of a version if you want to upgrade is hard)
- Summer break after today's meeting
- Note about DNF / licnese choise performance issues, see #6721 and #7316
- Release Notes.
- Quick update on Publish the Docker image to a public repository
- @heliocastro is working on it, expects progress this week
- Scanning ORT with ORT is not part of the topic
- Presentation about Double Open Server by @mmurto
- Main goals are to scan and share results on the server side, plus a UI for curations (similar of FOSSology)
- Fork of ORT basically just constain a client plus scanner plugin which could eventually be hosted separately
- Idea to list related projects similar to adopters
- We already have related tools in the README
- Release Notes.
- Are people still there next Thursday? -> @mmurto could give a presentation about dos(-ort).
- Release Notes.
- Anyone having issues using
yq
on ORT result files?- No issues with parsing YAML; e.g. Porsche is using a custom reporter anyway to not rely on ORT's internal result file format 👍
- Release Notes.
- Update on adding Bosch and CARIAD as adopters?
- CARIAD: Mid-September
- Bosch: PR will come soon
- Can @mmurto tell us something about the Double Open Server (and the ORT fork for it)?
- Work ongoing to support ScanCode 32.x.y.
- Docker size / build time issues
- https://github.com/oss-review-toolkit/ort/issues/3230
- Idea: Install third-party CLI tools required e.g. by the analyzer dynamically at runtime of ORT in the Docker container.
- Will be added to https://github.com/oss-review-toolkit/ort/pull/7112.
- Discussion about always showing the issue tab in the web-app reporter
- Release Notes.
- FYI: https://github.com/oss-review-toolkit/ort/pull/7104
- Bring up https://github.com/oss-review-toolkit/ort/issues/6980 again, which got stalled due to replies being perceived in the wrong way.
- Release Notes.
- Enable the ORT config curation provider by default? (Also see this comment.)
- Ok, if ensured that no legally relevant properties are curated (e.g. no "concluded_license") / only "technical" curations are done.
- Need to take care to disable the
OrtConfig
provider in places where ort-config is cloned to the default location.
- Rewritten GitLab job for ORT (@tsteenbe)
- Will probably go to https://github.com/oss-review-toolkit/ort-ci-gitlab and flipped public
- https://github.com/oss-review-toolkit/ort-gitlab-ci can then be archived
- https://github.com/oss-review-toolkit/ort-ci-base can then be deleted
- Diff command for ORT result files (to compare end-to-end runs of ORT pipelines, e.g. for acceptance tests)
- Agreed to be useful
- No strong opinion whether it should be a main or helper-cli command
Public holiday in Germany.
- Weekly Release Notes.
- WebApp report: wrong scope
- @maxhbr suffers from a side-effect of NoticeTemplate reporter fails if no scanner archive storage is configured as reports are different on different machines depending on whether the license file archives are present or not
- Basic agreement that license file archives should become mandatory like file listings will be
- Weekly Release Notes.
- Merge Update antd package?
- @jens-erdmann and @tsteenbe will follow-up.
- Discussion about reoccurring use-cases for Configurable URL replacements for the analyzer.
- Idea: Implement as a curation provider.
- Weekly Release Notes.
-
Support for .yaml file endings
- General agreement to not support another file extension by default but add a warning in this case. Also, there is already the
--repository-configuration-file
option.
- General agreement to not support another file extension by default but add a warning in this case. Also, there is already the
-
Parallelize python-inspector during analyzer execution
- Closing in favor of upstream issue.
-
Resolution: Expiration Date
- Agreed that the feature makes sense as a "frist class citizen" of resolutions, more use-cases discovered during the discussion.
-
Add
color
property to the categories inlicense-classifications.yml
- Visual representation should stay separate from license semantics. Use the below idea of a custom CSS file for the web-app reporter instead.
-
Allow user to pass their own CSS file to the WebApp reporter
- Keep the issue open for people who might be interested in e.g. coloring licenses based on classifications (see above).
- Drop CVS support?
- Out of 350000 packages, 1 is hosted in CVS (at Bosch, who have configured ORT to try source artifact first).
- Tag last version with CVS support and create a Q&A discussion entry about it, for people who might want to pick it up again (as a third-party plugin).
-
Add support for darcs VCS
- No follow-ups since the issue was filed in 2018 -> closing.
- Similar to above, encourage people to write their own plugin if needed instead.
-
Add Raco (Racket) as supported package manager
- No follow-ups since the issue was filed in 2019 -> closing.
-
Add shards (Crystal) as supported package manager
- No follow-ups since the issue was filed in 2018 -> closing.
- Weekly Release Notes.
- Add ORT adopters
- Internal clearance processes take on.
- Add CARIAD as well.
- Review of https://github.com/oss-review-toolkit/ort/pull/6837. -> Done.
- Reporter clean-ups (in context of https://github.com/oss-review-toolkit/ort/issues/6602)
- Can we remove the Excel reporter? -> Yes
- Maybe use a
PlainTextTemplateReporter
instead that writes out CSV?
- Maybe use a
- Can we remove the Static HTML reporter? -> No
- It still has the unique (but rudimentary) feature of linking to source locations.
- Can have deep / direct links to specific violations.
- Can we remove the Excel reporter? -> Yes
- Weekly Release Notes.
- Updates to the web-app reporter
- https://github.com/oss-review-toolkit/ort/pulls?q=is%3Apr+is%3Aopen+reporter-web-app
- Blocking Kotlin 1.8.20 due to outdated webpack
- Discussion about how to check modified license texts to judge how big the deviations are
- Scancode's
--license-text
option does not give you the full license text, but only the matched part - Embedding all found license texts would blow up ORT's scan result too much
- Probably looking at archived licenses is enough
- Scancode's
- Scanning ORT with ORT should be done via the GitHub action for dogfooding and identifying breaking changes early
- Weekly Release Notes.
- Feedback on the ORT Community Day:
- Have dedicated moderation to avoid people taking up too much speaking time / have a more structured discussion
- Thursday discussion were hard to follow remotely (mixed Jitsi / Teams experience)
- It was nice to meet people in person / good number of (international) attendees
- Skipped due to the ORT Community Day.
- Weekly Release Notes.
- Status update on the ORT Community Day. (@tsteenbe)
- Weekly Release Notes.
- Status update on the ORT Community Day. (@tsteenbe)
- Venue will likely be Bosch IoT Campus, Ullsteinstraße 128, Tempelhof, 12109 Berlin, Germany.
- Need to agree on the schedule, which type of talks or group discussion would people like to see?
- Weekly Release Notes.
- Status update on the ORT Community Day.
- How to deal with question-type issues?
- Enable GitHub discussions? Needs to be maintained! (By the community?)
- Let's go for it as question-type issues can easily be moved to discussions.
- Redirect via issue template choosers to discussions / Slack?
- Enable GitHub discussions? Needs to be maintained! (By the community?)
- Try out Elements (provided by LF) again as a replacement for Slack? (Threaded conversations were missing so far.)
- Weekly Release Notes.
- Reminder: Please participate in the ORT Community Day poll!
- Weekly Release Notes.
- Please participate in the discission / poll about our first ORT Community Day!
- Weekly Release Notes.
- Breaking changes in #6391:
- Possible solutions to deal with such breaking changes in the future
- Separate PR label for format changing PRs.
- Versioned ORT result.
- ORT releases: #1901
- Possible solutions to deal with such breaking changes in the future
- Weekly Release Notes.
- Is #5629 already sufficiently covered by
ProjectSourceRule
s now?- Yes. Anything as specific as checking for inclusice language should be impplemented as an evaluator rule.
- Discuss giving advice about package health.
- Upvote the issue to show interest, eventually add comments and remarks.
- Weekly Release Notes.
- Could we remove CVS support?
- Please run SQL query
SELECT vcs_type, COUNT(*) FROM scan_storage.package_provenances GROUP BY vcs_type;
(for provenance-based storage). - Probably add a deprecation warning.
- Do not address https://github.com/oss-review-toolkit/ort/issues/1998 anymore.
- Please run SQL query
- Weekly Release Notes.
- Switch to / enforce Conventional Commits (via commitlint)
- Other News
- Upcoming Events:
- ORT video by @tsteenbe for FINOS: https://youtu.be/mqoW9sfTrqw
- Weekly Release Notes.
- Listing of Copyright statement "stubs" without a real holder.
- Switch to the Semver4j fork.
- Weekly Release Notes.
- Discussion about Java 11 vs 17 again: Which should be the default in ORT Dockerfile?
- It works to use Docker build args to customize the base image.
- Agreement to use a build arg which defaults to Java 17.
- Questions about ongoing Dockerfile changes
- Long term goal
- Caching issues
- Also see experiments at https://github.com/oss-review-toolkit/ort/pull/5070
- Python analysis might be affected by
python-inspector
issues currently - Discussion about simplifying scan storage configuration
- We'd like to have a simpler way to switch between storages, e.g. in the context of the GitHub action
- Also see the ongoing work in https://github.com/oss-review-toolkit/ort/pull/5516
- Weekly Release Notes.
- Status of Java 17 in ORT (@oheger-bosch)
- Also the revert at https://github.com/oss-review-toolkit/ort/pull/4948
- Ideas:
- Use custom Docker images
- Tell the Gradle tooling API to use a different JDK than the one running ORT
- Just try analyzing the project with a newer version of Gradle than specified in the wrapper
- Projects should be able to specify their required JDK via Gradle's toolchain mechanism
- But that probably won't help as the JVM running the Gradle build would still be ORT's
- Status for the GitHub Action:
- @tsteenbe is working in Markdown stage summaries
- Please test the action and give feedback
- Weekly Release Notes.
- Show number of resolved vulnerabilities in web-app report (@mnonnenmacher).
- Discussion about whether we should keep the feature to resolve vulnerabilities independently of rule violations at all.
- Yes, because:
- people might use ORT without the evaluator,
- want to have a way to resolve unapplicable vulnerabilities even if they don't trigger rule violations.
- Yes, because:
- Discussion about whether we should keep the feature to resolve vulnerabilities independently of rule violations at all.
- Remove bootstrapping of scanners (see this for some context, @sschuberth).
- Let's do it. For running funTests, scanners need to be either installed on the GitHub action runner, or in the Docker image and also scanner funTests need to use Batect to run against the Docker image.
- Update on GitHub Action for ORT (@tsteenbe).
- It's public now.
- Recently merged PRs.
- Declared license mappings: Only take 100% indisputable ones?
- https://github.com/oss-review-toolkit/ort/pull/3960
- https://github.com/oss-review-toolkit/ort/pull/5127
- Conclusions:
- Aim to only have 100% unambiguous mappings
- Make exceptions only for cases where we are very certain that a specific version of a license is meant (despite it being mentioned explicitly), e.g. because other versions of that license existed only for a very short period of time (e.g. Apache-1.0, LGPL-2.0-only)
- All exceptions need to come with comments in the YAML file
- If the version is missing in the declared license, usually map to
-only
, unless the license itself defines that omission of a version means "or later"
- Package-specific mappings should be added as package curations with declared license mappings to the
ort-config
repository - Propopsal: Create an new initial PR that just separates existing entries into sections, one for 100% unambiguous mapping, and others (for both declared license and simple mappings)
- Recently merged PRs.
- https://public.vulnerablecode.io/ is live now 🎉
- Update from @heliocastro about https://github.com/oss-review-toolkit/ort/pull/6053
- Runs "natively" on Apple M1 except for ScanCode
- act, a tool to run GitHub workflow locally, still does not support caching actions (which was the original reason to take Batect into use)
- Recently merged PRs.
- Please test the JGit / MINA SSH migration: https://github.com/oss-review-toolkit/ort/pull/6030
- @nicorikken gives update on CI-related work. General goal is to make ORT easy to use in CI. Topics include:
- Publishing a compliant Docker image; also see
- Improving the GitLab integration
- Come up with an official GitHub action
- Share common building blocks across CI systems via some sort of API
- Credential management
- @maxhbr gives a status update on the Opossum reporter; it still works and is in use 😁
- Recently merged PRs.
- Make
determineParts
(and theParts
class) public (Porsche is interested)- Ok to make these public
- New approach in https://github.com/oss-review-toolkit/ort/pull/5984 to disallow via substring and then allow via exact string match seems feasible
-
Recently merged PRs.
- Update from @mnonnenmacher about
python-inspector
state; unfortunately no successful real-life project analysis yet, still open issues
- Update from @mnonnenmacher about
- Filtering of environment variables: https://github.com/oss-review-toolkit/ort/issues/5973
- Agreement on the general feature. Discussed details about what should be the default environment, and whether includes and / or excludes should be used. @oheger-bosch will update the issue with the current proposal.
- "Skip excludes" for the analyzer: https://github.com/oss-review-toolkit/ort/issues/5968
- Agreement on the general feature. However, an (important) side-discussion arose about which (if any) semantics are attached to excludes: Does excluding something always imply that it's not distributed? Will have a core developer meeting about that.
- ScanCode messing with Umlauts in Copyrights: https://github.com/nexB/scancode-toolkit/issues/1566
- Recently merged PRs.
- Quick discussion about how to provide pip-related configuration (e.g. credentials for private package registries) with the new Dockerfile. -> Make sure to use a login shell.
- Closing early due to no more open topics.
- Recently merged PRs.
- Experimental scanner will be merged later today
- Discussion about renaming the "ORT Developer Meeting" to something less developer-specific, as attendees are not exclusively developers
- Currently exsiting meetings:
- ORT Developer Meeting
- TSC Meeting
- Kotlin Core Developer Meeting
- Proposed new meetings:
- ORT Community Meeting (regular former "ORT Developer Meeting", deal with more specific topics towards the end)
- Agreed on the renaming
- ORT Drop-in Hours (irregular, for users from different time zones that want to join the community)
- @tsteenbe will do shout-out on Social Media to figure out which hours we need
- TSC Meeting (irregular, about every 1-2 month)
- Kotlin Core Developer Meeting (regular, once a week)
- ORT Community Meeting (regular former "ORT Developer Meeting", deal with more specific topics towards the end)
- @mnonnenmacher will create a new Teams invite to rename the ORT Developer Meeting to the ORT Community Meeting
- Probably need to look at alternatives to Teams again, @tsteenbe already has a Jitsi channel
- Currently exsiting meetings:
- Recently merged PRs.
- Find a better name for the project 'ort-config/tools/curations'. Motivation: Existing Gradle tasks cover more than curations and new tasks inbound, see https://github.com/oss-review-toolkit/ort-config/issues/59 @fviernau.
- Split into
tools/verification
for CI tasks andtools/generators
for config generators.
- Split into
- Recently merged PRs.
- Multi-stage Docker status
- @mnonnenmacher will take over the PR to enhance commit messages.
- Discussion about splitting out examples to ort-config
- When "disconnecting" examples from ORT core they might break due to ORT changes
- Proposal: Keep simplifed examples in ORT core, and "real world" examples in ort-config
- We don't want to have redundancy between examples from different locations
- Proposal: Move current (simple) examples in ORT core to funTests / assets only, have "real world" examples in ort-config
- Keep in mind that the
evaluator-rules
andnotifications
direct set up Gradle "wrapper projects" to get auto-comnpletion in ORT scripts
- Recently merged PRs.
- Upcoming removal of the legancy scanner infrastructure, see https://github.com/oss-review-toolkit/ort/pull/5799.
-
Change the
PackageScannerWrapper
interface?
-
Change the
- Discuss the changed scope of https://github.com/oss-review-toolkit/ort/pull/5719.
- Request from @porsche-rishisaxena to hightlight which packages have curarions (and which ones) in the web app reporter
- Recently merged PRs.
- Update on https://github.com/oss-review-toolkit/ort/pull/4746 by @heliocastro and @tsteenbe
- Discuss the draft to refactor
CuratedPackage
.- Ultimately, we should reorganize what we currently call "curations" / "package configurations" into "metadata corrections" / "legal conclusions".
- Discuss making arbitrary file checks on the project's source tree in the evaluator.
- Recently merged PRs.
- Update on publishing Docker image
- @nicorikken @heliocastro and @tsteenbe are working on creating a ORT "sources" image e.g. the complete corresponding source code to satisfy open source license obligations.
- We are currently meeting on a weekly basis directly after ORT dev meeting
- Our work is using https://github.com/oss-review-toolkit/ort/pull/4746 as a base
- @marcelbochtler and @mnonnenmacher we hereby notifying Bosch of our intent to merge as agreed in earlier ORT dev meeting - please prepare Bosch infrastructure to use DockerFile from docker/legacy/Dockerfile if you wish to continue using the old image
- @bennati PR to update ORT for GitLab to make Dockerfile location configurable https://github.com/oss-review-toolkit/ort-gitlab-ci/pull/23
- Let's talk about Excel reporters
- Do we still need the original ExcelReporter?
- If only "some" Excel report is needed (the original Excel format was "made up" after all), can we replace it with the AOSD-compatible one from https://github.com/oss-review-toolkit/ort/pull/5518?
- Recently merged PRs.
- Ask the SW360 community (@heliocastro) about a milestone release for its client library
- @heliocastro is on it :-)
- Ask @pombredanne about ScanCode topics
- Current ScanCode issues with our Docker build.
- @pombredanne will post code lines to address this on Slack.
- Future ScanCode version will probably also be distributed as self-contained ELFs (using PyOxidizer).
- Introduce ScanCode 31.0.1.
- Wait for ScanCode 32, which is due to September?
- Current ScanCode issues with our Docker build.
- ORT's example rules vs. 'ort-config' rules: How to address redundancy?
- Wherever meaningful, "examples" from https://github.com/oss-review-toolkit/ort/tree/main/examples should be move to meaningful "default configuration" in https://github.com/oss-review-toolkit/ort-config, esp. looking at
evaluator-rules
. - @fviernau will file an issue about this.
- Wherever meaningful, "examples" from https://github.com/oss-review-toolkit/ort/tree/main/examples should be move to meaningful "default configuration" in https://github.com/oss-review-toolkit/ort-config, esp. looking at
- Adopt https://github.com/alliander-opensource/ort-container to publish latest ORT Docker image resolves https://github.com/oss-review-toolkit/ort/issues/2441 but to would expand it add a sources bundle (which may be incomplete at first but that's a bug)
- Discussion about whether scanning ORT with ORT to get compliance documents is a prerequisite
- @tsteenbe says no, will create compliance documents / pointer to source code differently / manually
- @sschuberth will still create an issue about setting up scanning ORT with ORT schedules jobs
- We'd require a globally / publicly shared scan store then, also see https://github.com/oss-review-toolkit/ort/issues/1328 -> See https://github.com/oss-review-toolkit/ort/issues/5696
- Switching to the pre-cleared OSADL base image should also be no requirement
- Discussion about whether scanning ORT with ORT to get compliance documents is a prerequisite
- Agree on a date for copyright workshop.
- Recently merged PRs.
- OSB Alliance / Sovereign Cloud Stack funding for security tooling planned
- @sschuberth will schedule a TSC meeting with @itrich if funding is indeed going to happen
- Discuss a new reason to eventually switch the logging framework: Log4j2 does not work with Graal native-images.
- SLF4J for the API should work.
- Logback for the implementation should work.
- No objections from the community to move forward with a migration.
- Consider consolidating
NOTICE_default
andNOTICE_summary
to something that makes @LeChasseur happy 😉- @sschuberth will come up with a proposal
- Merging of ORT results aka "I want a single report for my microservices repos"
-
https://github.com/oss-review-toolkit/ort/issues/5620
- This case is about merging results from different repos
-
https://github.com/oss-review-toolkit/ort/issues/4364
- Porsche's use-case is about results from monorepos, i.e. paths in the same repo; this could ease any merging
-
https://github.com/oss-review-toolkit/ort/issues/5620
- Extend the Evaluator to support "repolinter style" rules https://github.com/oss-review-toolkit/ort/issues/5621
- Maybe record all scanned files (not only those with findings) in scan results to avoid the need to clone the source code again in the evaluator stage
- This would also allow us to get rid of the pre-calculated SPDX package verification code if we also record the SHA1s of all scanned files
- Consider to first finish @mnonnenmacher's rules DSL refactoring and generalize
RuleViolation
class to not be tied to licenses
- Maybe record all scanned files (not only those with findings) in scan results to avoid the need to clone the source code again in the evaluator stage
- The ORT developer community will take a summer break until 2022-08-25 😀
- Recently merged PRs.
- @tsteenbe: @heliocastro I did not work on continueing multi-stage docker PR 4746 as I was out with food poisoning
-
Separate authors and copyright holders
@tsteenbe: Set up a dedicated meeting for
- Curating detected copyrights in file findings: add, remove, map to license
- Mapping concluded copyrights to concluded licenses
- Deriving declared copyright holders
- Action item for @tsteenbe Write email on @sschuberth @porsche-rbieniek @fviernau @rishi @marcelbochtler to explain option to curate copyright holders plus doodle for a meeting. Doodle link https://doodle.com/meeting/participate/id/er03A92b
- Question where scanning R project is supported @tsteenbe: Yes, it should work but it will be listed Unmanaged, if you want to add package metadata I recommend you add package.spdx.yml to the project.
Agenda
Separate authors and copyright holders
@porsche-rbieniek: Thank you @fviernau for doing a review, I see the PR is approved now what does it take to get it merged @tsteenbe: I asked @fviernau not to merge it as I wanted to review the behavior/signature myself. @fviernau: I see two issues with this PR but non-blocking its merger, as I presume they will be fixed in the future:
- Currently authors-based copyrights can only be completely overwritten using curations instead being able to add and remove copyrights entries
- Existing bug scanner code assumes the
addToCopyrights()
innnns provided to evaluator and reporter @tsteenbe: What I believe the workflow this PR is enabling is "detected copyrights a,b,c -> manual analysis copyright d is applicable so via this PR one enable creation to say package curations with copyrights a,b,c,d". This is inconsistent with how ORT works, curations in curations.yml are fixing package metadata only and package configurations should be used for fixing source code finding. We know concluded license is in curations.yml but we had discussion amongst ORT TSC members that we should move concluded_license out of curations to make things more consistent and easy to understand. @porsche-rbieniek: Below an example of curation we have:
- id: "NPM:estraversa:4.3.0"
curations:
comment: "Add copyrights for subfile"
copyright_holders:
- Copyright (c) 2009-2019 by the contributors listed in CREDITS.TXT
- Copyright (c) 2009-2014 by the contributors listed in CREDITS.TXT, see https://github.com/llvm/llvm-project/blob/main/...
vcs:
type: "git"
url: "https://github.com/estools/estraverse.git"
@tsteenbe: This estraversa curation is incorrect, the package.json per its reference only support an author field (single person) and contributors (multiple people) field see https://docs.npmjs.com/cli/v8/configuring-npm/package-json#people-fields-author-contributors
@tsteenbe: As you can see in https://registry.npmjs.com/estraverse for this package no copyrights have been declared. The "Copyright (c) 2009-2019 by the contributors listed in CREDITS.TXT" in this curation refers a finding in source code so this should be done so adding the copyrights should be done with package configurations, not a curation
@tsteenbe: As copyrights are associated with licenses it makes sense implementation of adding, removing, mapping, overwritting declared copyrights matches declared licenses
@mnonnenmacher: Agree, one first step could be to update PR 5504 to rename copyrightHolders
to declaredCopyrightHolders
so it aligns with declaredLicenses
@porsche-rbieniek: Please add a comment to PR 5504 to inform @porsche-rbieniek
Discussion between @fviernau, @mnonnemacher, @tsteenbe and @porsche-rbieniek on various ideas how curating copyrights could look like that is consistent with how licenses are currently curated.
Three ways to curate copyrights:
A. Use curations to fix-up curate copyrights
The declared copyrights comes package metadata collected by ORT analyzer which can be fixed up using curations. Note that a lot of package managers do not have copyrights fields only author, contributors, developers which in some case are "mis-used" to convey copyright information. We could implement a parseCopyrights() to from parseAuthors() find copyright statements e.g. entries starting with "copyright" or "(c)"
Below several ideas for how curating declared licenses in curations.yml could look like.
Remove a declared copyright
declared_copyright_mapping:
"MIT": ""
Add a declared copyright
declared_copyright_mapping:
"": "Copyright (C) 2022 John Doe"
Overwrite all declared copyrights with a single one:
declared_copyright_mapping:
"*": ""
"": "Copyright (C) 2022 John Doe"
Overwrite all declared copyrights with a more than one:
declared_copyright_mapping:
"*": ""
"": "Copyright (C) 2022 John Doe"
"": "Copyright (C) 2019 Jane Doe"
"": "Copyright (C) 2012 Example, Inc"
Associate declared licenses with declared copyrights:
declared_license_copyrights_mapping:
"MIT": "Copyright (C) 2022 John Doe"
"MIT": "Copyright (C) 2019 Jane Doe"
"Apache-2.0": "Copyright (C) 2012 Example, Inc"
B. Use package configurations to curate detected copyrights
Introduce a copyright_finding_curation
in package configurations to curate detected copyrights:
id: "NPM::ansi-styles:4.2.1"
copyright_finding_curations:
- path: "README.md"
start_lines: "3"
line_count: 11
detected_copyright: ""
reason: "INCORRECT"
comment: "Copyright only written on project website."
concluded_copyright: "Copyright (C) 2022 John Doe"
d. Associate detected licenses to detected copyrights in a package configuration
id: "NPM::ansi-styles:4.2.1"
license_copyright_finding_curation:
- license: "MIT"
copyrights:
- "Copyright (C) 2022 John Doe"
- "Copyright (C) 2019 Jane Doe"
- "Copyright (C) 2012 Example, Inc."
C. Use concluded copyright to overwrite both declared and detected
Introduce the concept of a concluded copyright? Should we introduce this, believe concluded_license
should be removed from curations as it applies to both declared and detected licenses
concluded_copyright: "Copyright (C) 2022 John Doe"
Conclusion of the discussion
Update the PR 5504 per below listed points, Porsche to accept signature likely will change in the future.
The following action points
- Rename
copyrightHolders
todeclaredCopyrightHolders
so it aligns withdeclaredLicenses
(@tsteenbe) - Fill an issue to address the existing bug where scanner code assumes the addToCopyrights is provided to evaluator and reporter. See also https://github.com/oss-review-toolkit/ort/pull/5504#discussion_r915825030 (@fviernau)
- Organize a workshop to discuss curating both declared and detected copyrights, fill tickets afterwards once we agree on solution. (@tsteenbe)
Topics to be discussed:
- Signature to use to add, remove, map and overwrite declared copyrights and licenses
- Signature to use to add, remove, and overwrite detected copyrights
- Association of licenses and copyrights
- Add a license finding to a file using a package configuration
- Fill an issue to move
concluded_license
out of curations, possibly into it's own config file (@tsteenbe) - Fill an issue to introduce
concluded_copyrights
to be aligned withconcluded_license
. (@tsteenbe)
- Recently merged PRs.
- TSC decision to simplify ORT copyright statement for all files to
Copyright (C) YearOfCreation The ORT Project Authors (See <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
, see https://github.com/oss-review-toolkit/ort-governance/issues/6 - ORT developer meeting: @MarcelBochtler will add an action item to ort governance to revisit the meeting infrastructure (Jitsy / Teams / ...)
- @tsteenbe and @fviernau will have a look at https://github.com/oss-review-toolkit/ort/pull/5504
- @tsteenbe agreed to have a meeting with @fviernau and @heliocastro regarding https://github.com/oss-review-toolkit/ort/pull/4746.
- Recently merged PRs.
- Porsche PRs:
- https://github.com/oss-review-toolkit/ort/pull/5504 required some test updates
- ignore code coverage (which is wrong anyway) as these are not required checks to get things merged
- https://github.com/oss-review-toolkit/ort/pull/5510 has low priority for the community
- @porsche-rbieniek will provide more pointer to why logback is better / more performant / more lightweight
- Discussion about https://github.com/oss-review-toolkit/ort/issues/5505
- Array syntax seems to be preferred, should be implemented via a backwards-compatible deserializer
- @mnonnenmacher encourages the community to try out the "new" / "experimental" scanner interface as the legacy implementation will be removed soon-ish
- Recently merged PRs.
- Ongoing work from @fviernau to improve GoMod support
- Almost done, some VCS path issues left
- Need to ensure that changes to expected results are actually correct
- Discussion about https://github.com/oss-review-toolkit/ort/issues/5483
- Seems like we have conflicting use-cases for SPDX document files to define project / packages
- Need to rework the logic that distinguishes between SPDX document files that describe a project vs. a package
- @tsteenbe will come up with a list of SPDX document scenarios that ORT needs to support
- Discussion about an NPM / Yarn problem with its
resolutions
directive- Requires more debugging
- Recently merged PRs.
- Announcement that @MarcelBochtler was voted to join the TSC
- @pombredanne introduces https://github.com/nexB/python-inspector, a new tool to detect Python dependencies
- will be integrated with ORT
- Slides with current status will be shared
- @pombredanne is aware of https://github.com/pypa/pip/pull/10771 and related upstream work
- Recently merged PRs.
- Agreement to add
ADOPTERS.md
, see https://github.com/oss-review-toolkit/ort/pull/5409. - Talk about contributing guidelines in ORT
- Idea: Enhance
CONTRIBUTING.md
by referring to good PR examples from ORT's own history
- Idea: Enhance
- Meeting was skipped due to a German holiday.
- Recently merged PRs.
- Discussion about the PR to move away from Log4j (@porsche-rbieniek)
- Idea to allow configurable Regex-based rewriting of URLs in the Downloader to cope with funky corporate proxy requirements, like prefixing URLs of changing protocols (@heliocastro)
- @sschuberth will plan for a "contributor training" meeting
- Recently merged PRs.
- Update
CONTRIBUTING.md
with more details about PR workflow; maybe also have a separate meeting for new / "young" contributors. - @pombredanne gives outlook for new ScanCode version (to be released in a month from now)
- Ask for testing on Apple silicon (@MarcelBochtler will do)
- @tsteenbe has another meeting with SVT tomorrow (they have an interesting workflow)
- Interest in OSADL-based published ORT image (also see https://github.com/oss-review-toolkit/ort/issues/2441)
- Experiments with Tekton integration
- Recently merged PRs.
- BMW Car IT gives demo about their ORT process and technical implementation.
- Recently merged PRs.
- Discussion about https://github.com/oss-review-toolkit/ort/pull/5285, follow-up to create something like a "DetectedLicenseProcessor" to centralize scanner-specific license mappings. -> https://github.com/oss-review-toolkit/ort/issues/5296
- Discussion about https://github.com/oss-review-toolkit/ort/pull/5012, people will add comments to PR about:
- State machine probably still needs to reflect the UI changes
- Nested filter bar should probably be removed
- Filtering for messages on top-level should filter also (collapse) nested messages
- @tsteenbe meets with SVT (Swedish national broadcaster) on 2022-04-29 to look at ORT use and GitHub integration.
- Take a look at using scan results from ClearlyDefined again (and this issue) as they seem to have upgraded to ScanCode 30.1.0 by now.
- Recently merged PRs.
- Updates from Porsche
- Update on ongoing BlackDuck integration. (@porsche-rishisaxena)
- Consider getting rid of Log4j because of its bad reputation by now, and technical issues with the BlackDuck integration. Proposal is to use Logback. (@porsche-rbieniek)
- Clarified on misunderstandings about https://github.com/oss-review-toolkit/ort/issues/4519, there's still interest from Porsche to contribute this. (@porsche-rbieniek)
- Taking scan-by-repo into use (@mnonnenmacher).
- Make use of upvoting issues.
- Use logos of ORT users into
README.md
/ a dedicated landing page.
- Recently merged PRs.
- Discussion about credential management in ORT
- In the analyzer, we need to pass credentials to the respective package manager (e.g. to NPM via
.npmrc
) - In the downloader, we also need to have the same set of credentials, but for OkHttp
- Where to store credentials in a central place, from where package manager specific / OkHttp authentication could maybe generated?
- In the analyzer, we need to pass credentials to the respective package manager (e.g. to NPM via
- Recently merged PRs.
- PR discussions
- Recently merged PRs.
- Bosch gives demo about their ORT process and technical implementation.
- Recently merged PRs.
- Porsche gives demo about their ORT process and technical implementation.
- Recently merged PRs.
- Discussion about the Python version problem
- It's rather complex and manifold, thus no one is actively working on it, although several users are affacted
- Work-around: Use a custom Docker image with the required Python version included
- Discussion about ScanCode false-positives again
- @porsche-rishisaxena will set up a dedicated meeting with @pombredanne to ask what more data he needs to be able to address the issue
- Recently merged PRs.
- Need to revise the logic to generate unique SPDX ids in order to add transitive relationships.
- Proposal to agree to a fixed directory structure for curation files (see OrtConfigPackageCurationProvider.kt).
- @tsteenbe is leaving HERE Technologies by end of March (new employer to be disclosed 😉, but will still be working with ORT)
- Recently merged PRs.
- Problem with automatic numbering of SPDX packages (see https://github.com/oss-review-toolkit/ort/pull/5126)
- Skipped as no one from HERE attended.
- Call for sharing of package configurations / license findings curations with ScanCode.
- How does Porsche implement the upload of pre-created analyzer results from the project teams?
- Porsche will give a demo on 2022-03-17.
- ScanCode will support a (long) list of files to be included for a scan (instead of specifying files to exclude from a tree).
- See:
- Background: Incremental scans in ORT.
- Idea: Use a daemon to speed up incremental runs of ScanCode, similar to Gradle.
- Recently merged PRs.
- Had a separate meeting on Update Dockerfile to use multi-stage builds, see PR comments.
- Update on https://github.com/oss-review-toolkit/ort/issues/4196: @fviernau is fine with not having a feature toggle, but supporting version ranges in package configurations by default, just like for curations.
- Discussions with @pombredanne about the idea to create a public place (repository / database) to store and share ScanCode scan results.
- Recently merged PRs.
- Check on https://github.com/oss-review-toolkit/ort/issues/4196 again.
- Idea: Feature toggle for both curation and configuration version ranges; enable both by default. Ping @fviernau again about this.
- Wild-cards for package curation's namespaces / names to tackle
NuGet::Microsoft.NETCore.Platforms:1.0.1
etc.- HERE uses (wildcard) issue resolutions to suppress downloader issues / policy violations. In notice generation custom text based on SDK usage is inserted.
- Idea: Maybe allow wildcards (if enabled) only in global curations, but not in project-local ones?
- Idea: Introduce "alias names" / placeholders to generally trust SDK vendors.
- High number of
LicenseRef-scancode-*
false-positives in ScanCode 30.1.0.- Assemble a list of false-positive keys (and where they occurred) for @pombredanne (ideally also the matched rule).
- False-positives likely to go down when taking the new main / primary license feature into use (probably not in next stable release yet).
- Recently merged PRs.
- License texts for
+
variants of SPDX licenses (https://github.com/oss-review-toolkit/ort/issues/5004, @mmurto)- General consensus that it is ok to use the license text of the base license.
- Repository Configuration
- Allow excluding files in a project subdirectory https://github.com/oss-review-toolkit/ort/issues/5018 (@MarcelBochtler)
- Recently merged PRs.
- HERE will be submit declared license mapping it found as after scanning all of its code repositories (inbound next week)
- @porsche-rishisaxena: Missing API functionality in SW360 for the AttachmentController to upload attachments (no DELETE / POST implemented). Does someone else already implemented this functionality? If not Porsche will work on it. @heliocastro documentation is not up to date with the code. SW360 has developer call every Wednesday 10 AM via https://meet.jit.si/sw360-community and Slack channel
- @porsche-rishisaxena having issue with large analyzer result file where it runs ORT runs out of memory. @fviernau do you pass -Xmx? We in HERE use JAVA_OPTS="-Xmx64G". @rbieniek What I would like see is rule of thumb if I have Analyzer results then it's recommend to have 4, 8 GB. @oheger-bosch we have pipelines with different t-shirt sizes s, l, xl with memory sizes machines doing scan. Action item for @rbieniek to create an issue describing the issue and if possible add numbers (nr of packages vs nr of package references), @heliocastro suggested to use https://github.com/bmwcarit/joynr/ as a test case. Action item for @fviernau for scan joynr to see if he can recreate the issue and add outcome to ticket created by @rbieniek.
- SPDXDocument files does not support downloaded from PackageDownloadLocation, @tsteenbe and @heliocastro need this functionality. @oheger-bosch Sebastian is working on integration of SPDX with other package manager. Define a SPDX and reference other projects that use a package manager.
- @heliocastro In the ORT conf file we have multiple time the same configurations e.g multiple same entries for scanner and archive configuration. See https://github.com/oss-review-toolkit/ort/blob/master/model/src/main/resources/reference.conf it has multiple sw360Configuration. @oheger-bosch we use secrets via environment variables, @rbieniek recommends against doing secrets via environment vars.
- Recently merged PRs.
- Status of https://github.com/oss-review-toolkit/ort/pull/4925 (@rbieniek).
- @rbieniek will continue to work on it.
- Demo of ORT Workbench (@mnonnenmacher).
- Recently merged PRs.
- Why are alternative package configuration providers just fallbacks? Wouldn't it be better if all curations would (at least optionally) be merged? (@mnonnenmacher, see: https://github.com/oss-review-toolkit/ort/pull/4966#discussion_r785793858)
- Probably there was no "real" / legal reason. If the priority / precedence of curation providers was configurable, taking all matching curations into account would probably be fine.
- Rename main branch from "master" to "main".
- Announced today, will do the renaming (from within GitHub settings) next Monday (2022-01-24).
- @tsteenbe shared public link to GitLab integration: https://gitlab.com/tsteenbe/ort-gitlab-ci/
- Will move this to https://github.com/oss-review-toolkit/ and set up a mirror to https://gitlab.com/oss-review-toolkit/
- Share raw SVG ORT assets in private repo
- Recently merged PRs.
- Should we support scanning local directories that are not under version control? (E.g. by introducing a
LocalFileProvenence
.)- Sometimes source code from inaccessible repos needs to be analyzed / scanned, and then the source code is sent over in a ZIP file beforehand.
- Idea: Let a
LocalFileProvenence
record absolute paths, requiring to run analyzer and scanner on the same machine.- @sschuberth will create issue for this feature.
- Change to a generic Copyright header in ORT source code
- Create issue for people to comment / signoff / consent to the generic Copyright
- Maybe use a
NOTICE
file to globally collect Copyright entities
- Recently merged PRs.
- Java 17 LTS? (For performance reasons and to get rid of "illegal reflective access".)
- Had to be reverted 😢 See https://github.com/oss-review-toolkit/ort/pull/4948.
- Upgrade to ScanCode 30.1.0 🎉
- Design a logo for the Notifier tool. -> Idea: Reuse the existing Documenter logo. @tsteenbe will create a design proposal.
- Recently merged PRs.
- Is the scanners "native-scan-results" directory still needed?
- This is the last developer meeting for this year, see you all in 2022 😄
- Development on GitHub vs GitLab to develop / debug the GitLab integration
- GitLab is currently setup up as a syncing mirror, but can still push custom branches to
- @tsteenbe's video and slides on GitLab integration
- General interest in GitHub integration (action, app) as well
- See https://github.com/oss-review-toolkit/ort/issues/3512 and https://github.com/oss-review-toolkit/ort/issues/1029; topic for early 2022 also from Bosch DAN side.
- @fviernau is going to prepare an issue to collect typical questions from an OSO perspective and queries we should optimize ORT / the database schema for
- CPE vs PURL to query VulnerableCode
- Trick question: What's the PURL type for OpenSSL?
- Recently merged PRs.
- PRs
- Recently merged PRs.
- Issues
- PRs
- General
- How to track CPEs in addition to PURLs? Maybe like SPDX external references?
- Recently merged PRs.
- @mnonnenmacher gives an update on how to upgrade ScanCode.
- Add example use of
ScannerCriteria
toreference.conf
.
- Add example use of
- @fviernau will add an issue about creating a new kind of report to compare results of different ScanCode versions; add that to the roadmap.
- Recently merged PRs.
- Sharing of updates regarding making the ScanCode version configurable (#4523 will hopefully be merged today).
- Discussion about organizing our work in the common roadmap (added an "Organization" column; Porsche plans for BlackDuck integration in Q1 2022).
- Create a public high-level roadmap for contributing parties to align. (@sschuberth)
- Recently merged PRs.
- Should
severeIssueThreshold
also apply toRuleViolation
s? (#4642, @sschuberth)- No, introduce
severeRuleViolationThreshold
.
- No, introduce
- How to map vulnerabilities to Evaluated Model stats? (https://github.com/oss-review-toolkit/ort/issues/4663, @tsteenbe)
- No mapping of vulnerablites per se, list as is, and additionally create rule violations if you want vulnerabilities to be acted upon.
- Should config file CLI options be moved to the root command to reduce repetition? (@mnonnenmacher)
- Let's do it: Move common configuration override options to
ort.conf
, implicitly allowing to override via-P
(which should be documented inOrtMain
's help output).
- Let's do it: Move common configuration override options to
- Align on WoW for new features- propose we clarify new features and their context with issues prior to PRs being created (@tsteenbe)
- Create issue about plugin examples (@sschuberth) -> https://github.com/oss-review-toolkit/ort/issues/4636
- Epic for ScanCode is at https://github.com/oss-review-toolkit/ort/issues/4631 (@sschuberth)
- Issue filed for BlackDuck integration at https://github.com/oss-review-toolkit/ort/issues/4632 (@porsche-rishisaxena)
- Goal is to scan individual packages with multiple scanner, like planned with @mnonnenmacher's new experimental scanner (in the scan-by-repo context)
- @tsteenbe working on WebApp report improvements to display the scanner results are coming from
- Docker topics
- Multi Docker PR: https://github.com/oss-review-toolkit/ort/pull/3902
- Idea is to "steal" ideas like making tool version configurable via Docker build arguments
- Upgrade to JDK 17 (currently waiting for Gradle 7.3)
- Use https://github.com/batect/batect (see https://github.com/oss-review-toolkit/ort/tree/batect)
- Multi Docker PR: https://github.com/oss-review-toolkit/ort/pull/3902
- @maxhbr asks for reference scanner output that includes multiple scanners -> Provided by @mnonnenmacher.
- AsciiDocTemplate Reporter
- Reporter name changes: AsciiDocTemplate was split up to PdfTemplate, HtmlTemplate, ... (@MarcelBochtler) PR: https://github.com/oss-review-toolkit/ort/pull/4567
- General way of working
- Problems:
- Breaking changes are merged, and not properly documented
- Lack of transparency outside of Bosch and HERE.
- Proposals:
- Align on what is the expected behaviour of ORT.
- Create principles document.
- Document what we want to implement and what we don't want wo implement (and in include the why).
- Draft a Roadmap in a dedicated roadmap meeting (@tsteenbe)
- Create issues and discuss the proposal for all non-trivial PRs.
- Improve documentation regarding the "unspoken functionality".
- Create and maintain a changelog.
- Commit messages do not document the "bigger picture".
- Outcome:
- Create working group (3-4 people / 1 per company) to draft a document for "ways of working on ORT".
- Thomas, Helio, Sebastian, somebody from Porsche, Nico
- Create an issue for this topic and set up meeting for all the nominated persons. (https://github.com/oss-review-toolkit/ort/issues/4629, @tsteenbe)
- Problems:
- Epic for ScanCode upgrade needs to be created.
- @tsteenbe, @fviernau will document how to check existing results, curations, ... with the new ScanCode version.
- https://scancode-toolkit-reference-scans.readthedocs.io/en/latest/
- Figure out how to test ScanCode upgrades better in ORT.
- Blackduck integration
- Issue has to be created first.
- Should ORT migrate to PURL? (@tsteenbe)
- Probably technically doable, but a lot of work. Unclear benefit. Low priority compared e.g. to upgrading ScanCode.
- Finally create the epic issue mentioning all issues to deal with on a ScanCode upgrade. (@sschuberth)
- Decision to remove bootstrapping for scanners. E.g. "Getting Started" should be rewritten to use
docker run
commands exclusively. - All latest & greatest ScanCode license texts are available at https://scancode-licensedb.aboutcode.org/index.json
- ScanCode IO/TK Roadmap: https://github.com/nexB/scancode-toolkit/blob/62d0e84e79942c4dc4755184fa032217f8f5ffef/ROADMAP.rst
- How to deal with C/C++ packages that are used with different compile flags depending on the project, and thus need different curations based on the project context? (@sschuberth)
- One approach is to use separate ort.yml files for each variant of the project.
- Use build tool like Conan to provide information about different product variants. (@heliocastro)
- Demo of the Opossum integration (#4533). (@maxhbr)
- Currently runs ScanCode in parallel to ORT to capture information from the ScanCode result that is not captured by ORT, for example the full list of files or the content of archives. There are already plans to add at least some of that information to ORT as well. @maxhbr to create an ORT issue for further discussion of the topic.
- Allows curating the PURL, that would also be a useful feature for ORT (https://github.com/oss-review-toolkit/ort/issues/4565, @tsteenbe) -> Yes, makes sense.
- Porsche is testing the helper-cli tool to merge analyzer results (@porsche-rishisaxena)
- Where to put additional copyright holders,
PackageCurationData
orPackageConfiguration
? -> Preference forPackageCurationData
to have it next toauthors
. - Clarify in the OpenChain community that OppossumUI is not an (ORT) server frontend, but "just" a tool to browse results.
- What is @maxhbr referring to if he claims that ORT run by ScanCode does not capture the same information as running ScanCode directly?
- October 13th, we do a deep dive on using ORT via the tool + deep dive into ORT internals engineering.
- Sum up the issues we potentially see with a ScanCode upgrade to finally get it done. (@mnonnenmacher)
- Should the developer meeting be held weekly? As we never manage to talk about all agenda items. (@MarcelBochtler)
- Yes, let's do weekly meetings.
- Rename
master
tomain
? (@sschuberth)- Yes, plan for doing it. -> Create issue and pre-announcement. (@sschuberth)
- Use
originator
as the "author" in SpdxDocumentFiles? (#4058, @sschuberth)- Yes, @tsteenbe agrees to do that, for both person and organization (not
supplier
).
- Yes, @tsteenbe agrees to do that, for both person and organization (not
- Update on merging result files (#4364, @porsche-rishisaxena)
- Porsche-internal testing is on-going, will file a PR soon
- Discuss a "delta-analysis" feature (#4347, @porsche-rishisaxena)
- On hold for in in favor of re-creating AOSD statements anew each time
-
RepositoryConfiguration
naming (@sschuberth)- Vote for proposals in https://github.com/oss-review-toolkit/ort/issues/4466
- HERE would be fine with rebuilding the whole scan storage on the pending ScanCode upgrade
- Discuss the recent additions of
package configurations
andpackage curations
to theort.yml
- Revisit whether it's reasonable or should be reverted, see
- https://github.com/oss-review-toolkit/ort/pull/4386
- https://github.com/oss-review-toolkit/ort/pull/4381 -> Introduce two configuration options to toggle this, default to disabled (to resemble original behavior); local overrides global is fine for now
- Number of Unique Packages for Violations in Web App Report, see https://github.com/oss-review-toolkit/ort/issues/4017 (@sschuberth)
-
Do it like https://ant.design/components/table/#components-table-demo-tree-data on same tab view
-
- Use https://github.com/oss-review-toolkit/ort/discussions? (@sschuberth) -> Disable discussions as we have Slack
- Revisit whether it's reasonable or should be reverted, see
- BlackDuck Hub integration (@sschuberth)
- Porsche (and probably Cariad) would be interested, and could eventually do the contribution
- SARIF file support (@heliocastro, @nicorikken)
- Proposal is to make SARIF the native ORT format instead of its own YAML files -> needs research if technically possible (e.g. how to represent dependency graphs)
- @tsteenbe announces coming new repo to showcase how to do full GitLab license management integration
- @tsteenbe, please add links here to public GitLab issues to upvote
- Number of Unique Packages for Violations in Web App Report, see https://github.com/oss-review-toolkit/ort/issues/4017 (@sschuberth)
- Attracting front-end developers via OpenChain / ACT?
- Use Kotlin to generate JavaScript / React code?
- Re-introduce Reviewable as it can review commit message now? See https://github.com/Reviewable/Reviewable/issues/507. (@sschuberth)
- Probably not, stick to current workflow for simplicity.
- Possibility to waive license rule violations of 3rd party packages on project level (@MarcelBochtler)
- Currently neither possible with resolutions nor with curations.
- How could such a feature look like?
- Project-local curations and package-configurations in
.ort.yml
.
- Project-local curations and package-configurations in
- Breaking changes to FossID integration (@nnobelis) -> Ok to do breaking changes, no one except for Bosch is using FossID integration currently
- Updates on various topics:
- Scan-by-repo (store scan results by repo instead of by package, @mnonnenmacher)
- No progress recently due to vacation time
- Finished by end of August
- ScanCode upgrade (to version 21.7.30, @fviernau)
- Python version issue
- Scan result compatibility issue
- Finished by end of next week
- Scan-by-repo (store scan results by repo instead of by package, @mnonnenmacher)
- Ideas
- Extend the
requirements
command to not check the version (range), but really for "parsability" of the output generated by the tool - Rework bootstrapping: Allow to disable it completely, clearly separate accepted versions from the version to (eventually) bootstrap, align the pub / flutter bootstrapping.
- Allow to only run
findManagedFiles
from CLI
- Extend the
- Configure the mapping of authors (https://github.com/oss-review-toolkit/ort/issues/4314, @sschuberth)
- Basic agreement on the feature, need to configure applicable licenses.
- Meeting was skipped due to vacation time.
- Remove the
packageVerificationCode
fromScanSummary
as it's SPDX-specific; instead store file SHA1's (which allows to calculate thepackageVerificationCode
any time later) (@sschuberth) -> Let's do it. At first without further reorganization of TextLocations / CopyrightFindings / LicenseFindings. - @tsteenbe and @neubs-bsi will separately talk about https://github.com/oss-review-toolkit/ort/issues/4251 and come up with a test case that should succeed.
- The nasty Python version problem, see https://github.com/oss-review-toolkit/ort/issues/3671, https://github.com/oss-review-toolkit/ort/issues/3873 (@sschuberth) -> Approach @pombredanne again to get paid for working on this via ACT.
- Maven profiles: https://github.com/oss-review-toolkit/ort/issues/1774
-> Try approach via
.ort.yml
.
- "Hidden" unmapped license issues, see https://github.com/oss-review-toolkit/ort/issues/3324 (@sschuberth) -> Agreed to move the reporting of unmapped declared licenses to rules.
-
ORT curations
- How can we "automatically" reuse curations with concluded licenses for (minor / patch level) version upgrades of the same package? -> HERE is not fine with extending package configuration to version ranges due to potential misuse / risks. -> The general topic of storing configuration data like curations and / or package configurations in a DB should be discussed in the context of a potential "ORT backend" where storing things in a DB becomes a topic naturally. -> Again this is a topic that could be solved by a UI... either a local UI or a web frontend UI -> @tsteenbe agreed to port the feature to link to the source code of detected license findings from the Static HTML reporter to the Web App reporter
-
Issues
- Change semantics of
VcsInfo.resolvedRevision
to allow also the analyzer to set it (e.g. from lock files)- Also see PRs https://github.com/oss-review-toolkit/ort/pull/4132, https://github.com/oss-review-toolkit/ort/pull/4142
-> Clarified that the issue was mostly a misunderstanding of what the new
isResolvedRevision
is supposed to mean; agreed to rename this to something likeisVerifiedRevision
orisConfirmedRevision
.
- Also see PRs https://github.com/oss-review-toolkit/ort/pull/4132, https://github.com/oss-review-toolkit/ort/pull/4142
-> Clarified that the issue was mostly a misunderstanding of what the new
- Change semantics of
-
originalVcsInfo
- PR https://github.com/oss-review-toolkit/ort/pull/3927 requires some scans to be repeated, because scans cannot be matched.
-
resolvedRevision
- Analyzer should be able to set the
resolvedRevision
, by reading the meta data from an existing lockfile. - Revision field might be symbolic but can also be fixed.
resolvedRevision
is guaranteed to be fixed. - Downloader needs to be changed to only download from the
resolvedRevision
(remove fallback). - Changes will be made in the "scan-by-repository" change.
- Maybe rename
resolvedRevision
to make clear that it is the fixed revision.
- Analyzer should be able to set the
- Concluded license in nested SPDX projects
- See: https://github.com/oss-review-toolkit/ort/issues/3509
- Can already solved via path excludes, but this requires manual work
- Remove the files from the nested directories from the source tree, but treat them as packages.
- PRs
- Clean-up old PRs -> everybody please clean up
- Also clean up remote branches -> everybody please clean up
- Who looks at "external" PRs? -> assigned PRs
- In the future, do a triage of external PRs as part of the developer meetings
- Do not insist on data-class-deserialization vs iterator-based JSON / YAML (at the example of the Cocoapods PR)
- Pending PRs
- https://github.com/oss-review-toolkit/ort/pull/3956 -> merged as-is
- https://github.com/oss-review-toolkit/ort/pull/3913 -> reminder
- https://github.com/oss-review-toolkit/ort/pull/3145 -> rebased & reminder
- New label "release notes" for changes that should be mentioned in release notes.
- Code Style
- Should we start using trailing commas? (@mnonnenmacher)
- Idea: Only allow / enforce for (statically created) collections / enum that use separate lines for elements.
- Postpone decision until https://github.com/pinterest/ktlint/issues/709 is resolved.
- Static private helper functions / properties: Put in
companion object
or top-level (before or after the class)? (@sschuberth)- Need to find out which syntax is better callable from Java. Do we need
@JvmStatic
? - Public top-level functions pollute global namespace.
- Better discoverability / auto-completion for
companion object
functions. - For now, try: Static functions that are public go to
companion object
/ top-levelobject
s, private ones go to top-level.
- Need to find out which syntax is better callable from Java. Do we need
- Should we start using trailing commas? (@mnonnenmacher)
- PR discussion
- Make analyzer results non-nullable in ORT result files? (@sschuberth)
- @fviernau will also review. @sschuberth evtl. needs to reword commit message for clarity.
- Make analyzer results non-nullable in ORT result files? (@sschuberth)
- ORT curations
- Move to Postgres? (@sschuberth)
- HERE has no interest as their workflow is code-review based (Gerrit, GitLab)
- Rather split into multiple files, like for
PackageConfiguration
s - Bosch might add a Postgres provider for curations
- Move to Postgres? (@sschuberth)
-
Talk about ways to merge / create unified reports for projects (in the project management sense, not in the ORT sense) that span multiple repositories. (@sschuberth)
- HERE does not really have that problem currently.
- Idea: Artificial "parent" Git repo + submodules, or git-repo manifest.
- Idea: (Helper-)command to merge ORT (scan) results before passing to reporter. Unclear how to resolve potential conflicts, though.
-
Should we implement adding actual and expect files to functional test results in Azure? Azure cuts of big diff in its reports making it difficult for users without a full local setup to determine why a function test is failing. (@tsteenbe)
- A bit unclear whether Kotest or Azure is the culprit; needs to be investigated.
- Maybe solve the problem by also moving (fun)tests to GitHub Actions.
- Somewhat relates to https://github.com/oss-review-toolkit/ort/issues/755.
- Idea: Configure tests to serialize actual / expected results to rules for failures, and archive these files on Azure.
- Idea: Find out what local to use to run tests in Docker, see https://www.heise.de/news/Entwicklungsumgebung-IntelliJ-IDEA-2021-1-fuehrt-Java-zielgerichtet-aus-5074000.html.
- Decide a format for user's license choice configuration. See: #3396 (@MarcelBochtler, @neubs-bsi)
- Clarified that input for choices should be only one expression, not multiple.
- Multiple choices should be incremental, i.e. output of first choice is input for second choice.
-
given
field is optional, if not specified mean "complete expression".
- ORT notifications: How to notify users? Idea: Create notification module and generalize evaluator to "post-processor" than can perform "any" action, e.g. also send mails. (@sschuberth)
- Agreement that the idea is good and fits into ORT.
-
Best practices for code review:
- Author documents with 👍🏻 whether a review comment was addressed without any further discussion needed. For simple changes the author may as well resolve the conversion, but for more complex discussion the reviewer should resolve to confirm that the change was addressed as intended. If the author addresses the review comment differently, a comment should be added, and the reviewer must resolve the discussion.
- Subsequent reviews need to be explicitly requested via the "re-request review" button. (As pushing of new commits does not necessarily mean the PR is ready for another review.)
- Enable Slack notifications for lacking reviews (separate "notifications" channel).
-
Move the declared authors PR forward:
- Rename
declaredAuthors
field toauthors
and put it betweenpurl
anddeclaredLicense
. - @fviernau will do follow-up PR to remove
declaredLicenses
fromPackageCurationData
asdeclaredLicensesMapping
is sufficient.
- Rename
- Bosch topics:
- Agreed to address curating copyright holders for now via
PackageCurationData
, which means we need to start capturing author information from package managers.
- Agreed to address curating copyright holders for now via
- HERE topics:
- Plans to publish a PR to introduce "dynamic" How-to-Fix-hints within the next weeks.
- Publish a new DSL for rules by end of February.
______________________________
/ \_______ \__ ___/ The OSS Review Toolkit, version 1.0.0.
| | | | _/ | |
| | | | | \ | | Running 'wiki' as 'ort' under Java on GitHub
\________/ |____|___/ |____| with a lot of CPUs and a maximum amount of memory.