How to handle non-stable ClearlyDefined results? #78
Comments
Theoretically, a CQ could change state. In part, the purpose of CQs was to track usage so that--in the event that we learn of a mistake or oversight--we can figure out where mitigation will be required. By way of expectation management, it's entirely possible (and desirable) that new information (e.g., a curation) may change whether or not a dependency passes. But I don't think that this is the actual problem here. I made a change to the logic that determines whether or not ClearlyDefined data is acceptable. Previously, we accepted an overall score > 60 or a license score > 60. In consideration of issue #67, I changed this to just look at the license score. As I stated in that issue, I'm not at all certain that the score is actually interesting. I need to put more thought into this. I'll see what I can sort out tomorrow afternoon. In the meantime, I've run groovy/3.0.8 through the IP Due Diligence process and it will pass now. It looks like groovydoc is passing now. I'm not sure why it failed six days ago; given the date of the last update of the ClearlyDefined record, it's possible that their harvester came up with a better result in the meantime.
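The comment above describes two acceptance rules (the earlier "overall > 60 or license > 60" and the later "license > 60 only") and notes that a ClearlyDefined record can also change underneath a build. The following is an added example, not code from the Dash license tool or this issue: it encodes both rules, then compares two runs and reports, for every dependency whose verdict flipped, whether the cause was the rule change, a score change, or both. The coordinates, the score values and the `scores` dictionary shape are constructed for illustration and are not real ClearlyDefined records.

```python
"""Added example: explain why a license verdict flipped between two runs.

Two acceptance rules are modelled (the thresholds and the strict '>' comparison
are taken from the discussion above); the score data below is constructed.
"""

THRESHOLD = 60  # threshold quoted in the thread; comparison is strict (> 60)


def accepted_old_rule(scores, threshold=THRESHOLD):
    """Earlier rule: overall score > threshold OR license score > threshold."""
    return scores["overall"] > threshold or scores["license"] > threshold


def accepted_new_rule(scores, threshold=THRESHOLD):
    """Later rule: only the license score counts."""
    return scores["license"] > threshold


# Constructed snapshots keyed by (hypothetical) package coordinates. Each value
# holds an 'overall' and a 'license' score, mimicking ClearlyDefined's effective
# and licensed scores. Nothing here is a real ClearlyDefined record.
YESTERDAY = {
    "maven/mavencentral/example/lib-a/1.0.0": {"overall": 75, "license": 60},
    "maven/mavencentral/example/lib-b/2.1.0": {"overall": 90, "license": 90},
}
TODAY = {  # identical scores; only the rule differs between the two runs
    "maven/mavencentral/example/lib-a/1.0.0": {"overall": 75, "license": 60},
    "maven/mavencentral/example/lib-b/2.1.0": {"overall": 90, "license": 90},
}
LATER = {  # same rule as TODAY, but lib-b's record was re-harvested with a lower score
    "maven/mavencentral/example/lib-a/1.0.0": {"overall": 75, "license": 60},
    "maven/mavencentral/example/lib-b/2.1.0": {"overall": 90, "license": 55},
}


def verdict_changes(before, after, before_rule, after_rule):
    """Report every coordinate present in both snapshots whose verdict changed.

    The returned dict maps coordinate -> {'was', 'now', 'cause', 'before', 'after'},
    where 'cause' is 'rule changed' (scores identical), 'scores changed'
    (same rule, different scores) or 'rule and scores changed'.
    """
    changes = {}
    for coord in sorted(set(before) & set(after)):
        old_scores, new_scores = before[coord], after[coord]
        was, now = before_rule(old_scores), after_rule(new_scores)
        if was == now:
            continue
        if old_scores == new_scores:
            cause = "rule changed"
        elif before_rule is after_rule:
            cause = "scores changed"
        else:
            cause = "rule and scores changed"
        changes[coord] = {
            "was": was,
            "now": now,
            "cause": cause,
            "before": old_scores,
            "after": new_scores,
        }
    return changes


if __name__ == "__main__":
    # Run 1 -> run 2: rule changed, scores did not.
    for coord, info in verdict_changes(YESTERDAY, TODAY, accepted_old_rule, accepted_new_rule).items():
        print(f"{coord}: {info['was']} -> {info['now']} ({info['cause']})")
    # Run 2 -> run 3: same rule, but one record was re-harvested.
    for coord, info in verdict_changes(TODAY, LATER, accepted_new_rule, accepted_new_rule).items():
        print(f"{coord}: {info['was']} -> {info['now']} ({info['cause']}) {info['before']} -> {info['after']}")
```

Keeping the scores that produced each approval alongside the approval itself is what makes the second comparison possible; without the earlier snapshot, a build that fails today cannot distinguish "the tool's rule changed" from "the upstream record changed".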
It seems the current 'Licensed' score is only 60, for groovydoc. I've created IPLab issue #819 for this.
FWIW, I noticed that the Maven plugin was configured to use a higher threshold for the ClearlyDefined score than the CLI. I've set them to the same value (60). That would explain why groovydoc passed for me, but not for you.
I'm assuming that either we've fixed the problem or you accept my answer. Reopen if I've made a terrible error.
We use the Dash license check tool to check whether our dependencies are OK, license-wise.
Today I get the following:
It seems 2 dependencies that were OK yesterday, are no longer OK today. I assume the ClearlyDefined score has changed or so. How should things like this be handled? Randomly changing outcomes like this lead to significant, where something that was allowed suddenly isn't allowed anymore. It's not very stable this way, unlike CQs, which remain approved once they are approved. Has the Eclipse Foundation thought about this when they introduced the option to use ClearlyDefined data?