Help Wanted: Guidance on Maven Package Metadata #1

Open
kemitchell opened this Issue Jun 25, 2018 · 4 comments


kemitchell commented Jun 25, 2018

The roadmap for this repo is currently:

  • Finish testing, release a 1.0.0, and update licensezero.com documentation to make this CLI the official client.
  • Support Maven dependencies.

I would really appreciate advice on how to go about finding, reading, and writing License Zero metadata to Maven packages. I've done some Java and Clojure in the past, but it's not fresh in mind.

A few specific questions:

  1. Is finding Maven dependencies in a Maven-based project as easy as recursing the project's filesystem hierarchy and reading pom.xml files?

  2. Is the best approach shelling out to something like mvn dependency:list?

  3. Should License Zero write licensing metadata to pom.xml? What's the cleanest, least-problematic way to do that? Should it write its own licensezero.xml or similar, instead?

  4. Is it safe and idiomatic to write license terms to LICENSE.txt and README information to README.txt? That's documented as standard directory layout, but is it standard practice?


kemitchell commented Jun 29, 2018

@eduardoejp, the latest here is that the CLI will inventory licensezero.json files wherever they appear in a project source tree. It will also try to find package manager metadata in the same directory, and report it to those who run licensezero quote, so they can sanity-check at a glance.

Current master reads any pom.xml in the same directory as any licensezero.json and attempts to read artifactId, groupId, and version.


kemitchell commented Jul 2, 2018

A few open questions:

  1. Does licensezero license have to do anything special to make sure licensezero.json is included in Maven packages? Is there a manifest file that licensezero.json should be added to?
  2. It looks like it's common practice to have multiple pom.xml files in various subdirectories of a package. licensezero quote currently reads only the pom.xml found in the same directory as licensezero.json. Will that work?
  3. Is it common to use Maven dependencies outside the working directory of the project, say because they're installed system- or user-wide? If so, how do we list those dependencies, and find their paths?

ghost commented Jul 13, 2018

Hey, @kemitchell

Apologies for the delayed reply.
I've been a bit busy.


  1. Is finding Maven dependencies in a Maven-based project as easy as recursing the project's filesystem hierarchy and reading pom.xml files?

Pretty much. It's a safe bet.

  2. Is the best approach shelling out to something like mvn dependency:list?

I'd say so. It gives both direct and transitive dependencies, so it's a solid solution.

  3. Should License Zero write licensing metadata to pom.xml? What's the cleanest, least-problematic way to do that? Should it write its own licensezero.xml or similar, instead?

It's better for L0 to have its own file, instead of writing to the POM or another build-tool-specific file.
Keeps things de-coupled.

  4. Is it safe and idiomatic to write license terms to LICENSE.txt and README information to README.txt? That's documented as standard directory layout, but is it standard practice?

It's probably safe. Those 2 files seem pretty ubiquitous (with the caveat that README.md is also common, due to GitHub's Markdown rendering).

  1. Does licensezero license have to do anything special to make sure licensezero.json is included in Maven packages? Is there a manifest file that licensezero.json should be added to?

General Maven is not really my expertise, as I've only dealt with Maven indirectly through Clojure's Leiningen.
With that said, both Leiningen (and, I believe, Maven) package up the contents of /resources directories inside of .jar files that get generated.
This is often used for packaging assets, but LICENSE files often show up in .jar files.
Whether the LICENSE files were originally inside the /resources directory or not, I don't know.
But clearly there is a way to package arbitrary files, so I'd just leave the packaging duty to the programmers, so they handle it with their respective tools.

  2. It looks like it's common practice to have multiple pom.xml files in various subdirectories of a package. licensezero quote currently reads only the pom.xml found in the same directory as licensezero.json. Will that work?

I'd advise recursively checking all the POM files.

  3. Is it common to use Maven dependencies outside the working directory of the project, say because they're installed system- or user-wide? If so, how do we list those dependencies, and find their paths?

I'm not familiar with that use-case.
As far as I'm aware, dependencies will always be specified in the POM file, so it's probably safe to just rely on that.
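
An added example, not code from the License Zero CLI: reading artifactId, groupId, and version from a pom.xml as the Jun 29 comment describes, including the case that checking every POM in a tree runs into, where a module POM omits groupId and version and inherits them from <parent>. The names pom, readCoordinates, and modulePOM are hypothetical, and the sample POM is constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// pom maps only the coordinate elements. Tags without a namespace match
// the POM's default xmlns, and only direct children of <project> match,
// so <dependency> coordinates are never mistaken for the project's own.
type pom struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
	Parent     struct {
		GroupID string `xml:"groupId"`
		Version string `xml:"version"`
	} `xml:"parent"`
}

// readCoordinates returns "groupId:artifactId:version". A module POM may
// omit groupId and version and inherit them from <parent>.
func readCoordinates(data []byte) (string, error) {
	var p pom
	if err := xml.Unmarshal(data, &p); err != nil {
		return "", err
	}
	if p.GroupID == "" {
		p.GroupID = p.Parent.GroupID
	}
	if p.Version == "" {
		p.Version = p.Parent.Version
	}
	if p.GroupID == "" || p.ArtifactID == "" || p.Version == "" {
		return "", fmt.Errorf("incomplete coordinates")
	}
	return p.GroupID + ":" + p.ArtifactID + ":" + p.Version, nil
}

// Constructed sample: a module POM that inherits groupId and version.
const modulePOM = `<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>com.example</groupId><artifactId>app</artifactId><version>1.2.0</version></parent>
  <artifactId>app-core</artifactId>
  <dependencies><dependency><groupId>org.other</groupId><artifactId>lib</artifactId><version>9.9</version></dependency></dependencies>
</project>`

func main() {
	fmt.Println(readCoordinates([]byte(modulePOM))) // com.example:app-core:1.2.0 <nil>
}
```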
