
Maintaining the List of Software Dependencies and Licenses

Introduction

The Software Dependencies wiki is full of details related to the software packages, dependencies, and licenses required. Keeping this information accurate and up-to-date is very important, and this wiki attempts to provide direction as to best-practices for accomplishing this. For more details on how we manage dependencies, please see Dependency Management.

Documenting Licenses

All .jar/.zip/.war files to be documented are enumerated first. The .war contains additional .jar files that must also be documented. The enumeration should follow a complete build of FWD using ./gradlew code all sheet:war reports. Note that the reports target generates some dependency documentation, but it is not complete and isn't fully usable on its own. It does provide some useful information, even in its limited capacity. For example, dependencies.txt is very helpful, but does not contain the dependencies of fwd_sheet.war. See the ./build/reports contents after completing a build with the reports target for more information.

Once the enumeration is done, the tables in the FWD_license_tables.ods spreadsheet can be updated. The data in the spreadsheet is sorted by the Project and Version column, but to make sure every enumerated .jar/.zip/.war is covered, sort by the Jar/Zip column instead and compare against the complete list of files generated from the build. That list is the combined output of the following filters:
  • ./build/lib/*.jar (222 files)
  • ./build/lib/*.zip (14 files)
  • ./build/lib.gwt/*.jar (49 files)

The fwd_sheet.war file then has 63 .jar files within it to include (in the separate table).

The .zip files are part of our https://proj.goldencode.com/artifacts/javascript/ repository.

The spreadsheet is helpful for creating the Redmine tables, as its contents can be copied and pasted directly into a Redmine post without modification. It provides the necessary sorting capabilities, so that determining completeness is relatively easy.

Determining Licenses

Finding the licenses for each component can be easy or difficult. I used the below steps:

For each file to be documented:

Search
Search for the exact jar name using Google. Most are found in the MVN Repository: https://mvnrepository.com/. If found:
  • Include the link in the How to Obtain column.
  • If there is a HomePage, include that in the Observations column, as it has more background of the project in question. If this is an older artifact, it may not resolve to a valid link, and other search methods would be needed.
  • Determine the license type. Note that there are sometimes discrepancies between the Maven repository and the actual project info. Verify the accuracy, and use the most accurate source, which is the project itself.

If the jar info isn't in the Maven repo, GitHub is usually the next best location, although the navigation of that site is more challenging.

Collect
The best source of the license is the actual .jar file contents. The name may vary (LICENSE, LICENCE, LICENSE.txt, etc.) and if it is an Apache 2.0 license, determine if there is a NOTICE file, since that must be included as well. Place the license in the licenses project using the naming convention <jarfile>_LICENSE.txt and <jarfile>_NOTICE.txt (if applicable).

If the license isn't found in the artifact, the project site may have it, or a reference to the license type. Find the correct license, and create a file from it. Try to collect it without modification.

If the project site doesn't have a useful license reference, the project's source files can sometimes be investigated for a valid license. A word of caution, however: files in a project are often created or modified at different times, so finding the most accurate license involves unzipping and searching through all of the source (for "license" or "copyright"). If the best license info is within the comments of a source file, copy it to the _LICENSE.txt file, and clean up the comment symbols of that file's coding language.
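The enumeration and completeness check from the Documenting Licenses section, together with the license collection and naming convention described above, as an added example that is not part of the original wiki or the FWD project. It assumes fwd_sheet.war sits under ./build/lib and that the spreadsheet's Jar/Zip column has been exported to CSV with that header; the build tree and spreadsheet rows it works on are constructed stand-ins written by make_fixture.

```python
import csv, io, re, tempfile, zipfile
from pathlib import Path
SHEET_CSV = "Project and Version,Jar/Zip\nfoo 1.0,foo-1.0.jar\nbaz,baz.zip\ngwt,gwt-user.jar\nold 0.9,old-0.9.jar\n"  # constructed Jar/Zip column export
LICENSE_RE = re.compile(r"(?:^|/)(LICEN[CS]E|NOTICE)(?:\.txt|\.md)?$", re.I)  # LICENSE/LICENCE/NOTICE at any depth

def make_fixture(root=None):
    """Write a constructed ./build tree of tiny zip-based jars (not real FWD artifacts)."""
    root = Path(root or tempfile.mkdtemp())
    lib, gwt = root / "build" / "lib", root / "build" / "lib.gwt"
    for d in (lib, gwt): d.mkdir(parents=True)
    def jar(path, entries):
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items(): zf.writestr(name, data)
    jar(lib / "foo-1.0.jar", {"META-INF/LICENSE": "Apache 2.0", "META-INF/NOTICE": "(c) Foo"})
    jar(lib / "bar-2.0.jar", {"bar/Bar.class": b""})          # no license inside the jar
    jar(lib / "baz.zip", {"baz.js": ""})
    jar(gwt / "gwt-user.jar", {"LICENSE.txt": "Apache 2.0"})
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf: zf.writestr("LICENCE", "MIT")
    jar(lib / "fwd_sheet.war", {"WEB-INF/lib/inner-3.0.jar": inner.getvalue()})
    return root / "build"

def enumerate_artifacts(build):
    """Map artifact name -> (container file, entry path inside it or None for top-level files)."""
    found = {}
    for pattern in ("lib/*.jar", "lib/*.zip", "lib.gwt/*.jar"):
        found.update({p.name: (p, None) for p in build.glob(pattern)})
    for war in build.glob("lib/*.war"):                        # jars bundled inside the .war
        with zipfile.ZipFile(war) as zf:
            found.update({Path(n).name: (war, n) for n in zf.namelist() if n.endswith(".jar")})
    return found

def completeness(found, sheet_csv):
    """Return (build files missing from the spreadsheet, spreadsheet rows with no build file)."""
    documented = {r["Jar/Zip"].strip() for r in csv.DictReader(io.StringIO(sheet_csv))}
    return set(found) - documented, documented - set(found)

def collect_licenses(name, container, entry, out):
    """Write LICENSE/NOTICE members as <jarfile>_LICENSE.txt / <jarfile>_NOTICE.txt into out."""
    src = container
    if entry is not None:                                      # nested jar: read it out of the .war
        with zipfile.ZipFile(container) as outer: src = io.BytesIO(outer.read(entry))
    written = []
    with zipfile.ZipFile(src) as zf:
        for member in zf.namelist():
            if m := LICENSE_RE.search(member):
                kind = m.group(1).upper().replace("LICENCE", "LICENSE")
                (out / f"{name}_{kind}.txt").write_bytes(zf.read(member))
                written.append(f"{name}_{kind}.txt")
    return sorted(written)
```

Against a real tree, point enumerate_artifacts at ./build after the reports build and pass the exported Jar/Zip column to completeness; any jar for which collect_licenses returns an empty list needs the project-site or source-file search described above.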

Maintenance
When components change or new versions are included as dependencies, make sure to remove the older licenses project item, if it is no longer in use, and add a new one. Update the table(s) in the FWD_license_tables.ods spreadsheet, and the wiki.

Update the LICENSES Project

The licenses project is stored in Bazaar under devsrv01:/opt/secure/code/p2j_repo/dependency_licensing. Check it out with the following command (which will change, depending upon how you link to the /opt/secure directory on devsrv01.)

bzr co ~/secure/code/p2j_repo/dependency_licensing <optional_path>

Within this project is the FWD_license_tables.ods (as noted above) and the directory containing the license text files: licenses

If you have a new license file to add to the project, name it the same as the jar file, with _LICENSE.txt appended to the end (e.g. xsdlib-2010.1.jar_LICENSE.txt). You can then check it into the project using bzr commands.

Update the List of Supported 3rd Party Libraries

If you just got approval for adding a new library to our supported list of libraries, edit the List of Supported 3rd Party Libraries to add the library in question. You did already get explicit approval, right? If not, go back and get that approval first.


© 2021-2022 Golden Code Development Corporation. ALL RIGHTS RESERVED.