Eclipse Dash License Tool and IP Logs

Eclipse open source project teams are required to maintain a record of intellectual property contributions. We refer to this as the IP Log.

As part of the release review process, Eclipse project teams submit their IP Log for review by the Eclipse IP Team. For many years, Eclipse project teams have depended on the IP Log Generator to provide that record. With the recent changes in our process, at least part of the data that the IP Log Generator draws on is now incomplete (the process no longer requires that project teams register every bit of third-party content with the IP Team).

So where do we get the list of third-party content and corresponding license information?

The short version is that the code knows the third-party content. More specifically, the build does. Usually.

The Eclipse Xtext Core build is Gradle based, so something like the following gives you the full list of build dependencies:

$ ./gradlew dependencies | grep -Poh "[^:\s]+:[^:]+:[^:\s]+"

The list generated from this includes a bunch of stuff that is clearly not third-party, so we can remove it.

$ ./gradlew dependencies | grep -Poh "[^:\s]+:[^:]+:[^:\s]+" | grep -Pv "^org\.(xtext|eclipse)" | sort | uniq
aopalliance:aopalliance:1.0
com.google.code.findbugs:jsr305:3.0.2
com.google.errorprone:error_prone_annotations:2.2.0
com.google.guava:failureaccess:1.0.1
com.google.guava:guava:27.1-jre
com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
com.google.inject:guice:3.0
com.google.j2objc:j2objc-annotations:1.1
io.github.classgraph:classgraph:4.8.35
javax.inject:javax.inject:1
log4j:log4j:1.2.17
org.antlr:antlr-runtime:3.2
org.checkerframework:checker-qual:2.5.2
org.codehaus.mojo:animal-sniffer-annotations:1.17
org.ow2.asm:asm:8.0.1
org.ow2.asm:asm-analysis:8.0.1
org.ow2.asm:asm-commons:8.0.1
org.ow2.asm:asm-tree:8.0.1

We can probably drop com.google.code.findbugs:jsr305:3.0.2; for reasons that I haven’t explored, it’s pulled in by Guava and isn’t really a dependency.

The resulting list is your third-party dependencies. As a committer, you know your code better than I do, so I trust you to prune (or add) dependencies to this list using whatever technique works best for you (for Eclipse Xtext, we’d likely want to write a script that can combine the output from all of the repositories).
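
One way to write the multi-repository script mentioned above (an added example, not code from the original post or from the Dash project). It merges saved `./gradlew dependencies` output from several repositories and, going beyond the one-liner above, reports the version after `->` when Gradle resolved a dependency to a different version than the one requested. The function name, file names and sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): merge saved
# `./gradlew dependencies` output from several repositories into one list.

# third_party_coords FILE...
# Prints de-duplicated group:artifact:version lines, first-party content removed.
third_party_coords() {
    awk '
        # Tree entries start with "+--- " or "\--- " after the indentation.
        match($0, /[+\\]--- /) {
            n = split(substr($0, RSTART + RLENGTH), f, " ")
            coord = f[1]
            # "g:a:1.0 -> 2.0" means Gradle resolved 2.0; report that version.
            for (i = 2; i < n; i++)
                if (f[i] == "->") {
                    split(coord, p, ":")
                    coord = p[1] ":" p[2] ":" f[i + 1]
                }
            # Skips "project :name" entries and anything else without g:a:v form.
            if (split(coord, p, ":") == 3) print coord
        }
    ' "$@" | grep -Ev '^org\.(xtext|eclipse)' | LC_ALL=C sort -u
}

# Constructed sample input: two small dependency trees standing in for two
# repositories. The first-party version number is a placeholder.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/repo-a.txt" <<'EOF'
compileClasspath - Compile classpath for source set 'main'.
+--- org.eclipse.xtext:org.eclipse.xtext.util:0.0.0
|    +--- com.google.guava:guava:20.0 -> 27.1-jre
|    |    \--- com.google.guava:failureaccess:1.0.1
|    \--- log4j:log4j:1.2.17
\--- project :sibling
EOF
    cat > "$dir/repo-b.txt" <<'EOF'
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.google.inject:guice:3.0
|    \--- javax.inject:javax.inject:1
\--- com.google.guava:guava:27.1-jre (*)
EOF
    third_party_coords "$dir/repo-a.txt" "$dir/repo-b.txt"
    rm -rf "$dir"
}

demo
```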

You can then take this information and pipe it through the Dash License Tool.

$ ./gradlew dependencies | grep -Poh "[^:\s]+:[^:]+:[^:\s]+" \
| grep -Pv "^org\.(xtext|eclipse)" | grep -v "findbugs" | sort | uniq \
| java -jar /gitroot/dash/org.eclipse.dash.licenses/target/org.eclipse.dash.licenses-0.0.1-SNAPSHOT.jar - \
-summary DEPENDENCIES

The -summary option generates a file that lists the third-party content along with its license information (I’ve called the file “DEPENDENCIES”; it’s a CSV file).

Side note: the Dash License Tool reports that all of the third-party content in the Xtext Core repository passes validation.

We’re still evolving what happens next.

My thought right now is that project teams can commit this DEPENDENCIES file and update their NOTICES file to point to it. This file can also be uploaded to the IP Log CQ as a means of tracking it there (I’ve been doing this as I do IP Log reviews).

This is a piece of the puzzle that we haven’t quite finalized yet. But taking this opportunity to type it out has been helpful, so you should see it in the handbook soon.