clearlydefined / curated-data
Contains curations submitted by the community
License: Creative Commons Zero v1.0 Universal
I am getting 404 for the packages below. Can this be fixed? Is there anything I can do to help?
PR validation is a great idea. We have an SPDX library that should be able to do that work, so putting together an action should be straightforward.
Originally posted by @jeffmcaffer in #7937 (comment)
This CodeProject.ObjectPool definition is still declared as NOASSERTION even though there's a merged PR with a declared license included in this PR #2297. The definition is also tagged with "curated".
From an initial glance, I believe the problem might be the capitalization in the file led to a mismatch with the revision name in PR #2297, however ClearlyDefined still thinks that it "counts" as a curation according to the definition page.
There's a new PR out from Microsoft (#11543) with the correct capitalization that should resolve this.
I know that ClearlyDefined analyzes npm dependencies transitively. What about Go dependencies? Does ClearlyDefined analyze Go dependencies transitively, or should the developer provide each dependency separately for analysis?
I'm looking at several entries of libraries written in Java or TypeScript; those do have license headers and so on, and they're very clean from a source perspective. However, the license score is very low because the derived files (.class or .js files) are binary-ish and don't contain the license information, which got lost at compilation.
Is there some configuration possible on the project to get a better license-score for that case when binary is... binary?
We should consider adopting main as the default branch. Any reason that could break things?
When someone is publishing a NuGet package that contains code from other sources for the sole purpose of making it publicly available on NuGet.org, should the source be the repo where the NuGet package comes from or the source of the package contents?
A recent example is some packages that were published from http://nugetpackages.codeplex.com. Some do include custom scripts (e.g. jQuery), but others are just copies of other libraries (e.g. yepnope, gRaphael).
When cloning this repo on Windows I get:
warning: the following paths have collided (e.g. case-sensitive paths
on a case-insensitive filesystem) and only one from the same
colliding group is in the working tree:
'curations/nuget/nuget/-/DiscUtils.yaml'
'curations/nuget/nuget/-/Discutils.yaml'
'curations/nuget/nuget/-/EMGU.CV.yaml'
'curations/nuget/nuget/-/Emgu.CV.yaml'
'curations/nuget/nuget/-/GitLink.yaml'
'curations/nuget/nuget/-/gitlink.yaml'
'curations/nuget/nuget/-/Microsoft.AspNetCore.Authentication.JwtBearer.yaml'
'curations/nuget/nuget/-/microsoft.aspnetcore.authentication.jwtbearer.yaml'
'curations/nuget/nuget/-/MSBuildTasks.yaml'
'curations/nuget/nuget/-/MsBuildTasks.yaml'
'curations/nuget/nuget/-/React.Core.yaml'
'curations/nuget/nuget/-/react.core.yaml'
'curations/nuget/nuget/-/StructureMap.yaml'
'curations/nuget/nuget/-/structuremap.yaml'
'curations/nuget/nuget/-/System.Data.HashFunction.SpookyHash.yaml'
'curations/nuget/nuget/-/system.data.hashfunction.spookyhash.yaml'
'curations/nuget/nuget/-/System.Windows.Interactivity.WPF.yaml'
'curations/nuget/nuget/-/system.windows.interactivity.wpf.yaml'
'curations/nuget/nuget/-/TinyMCE.JQuery.yaml'
'curations/nuget/nuget/-/TinyMCE.jQuery.yaml'
'curations/nuget/nuget/-/ValueInjecter.yaml'
'curations/nuget/nuget/-/valueinjecter.yaml'
'curations/nuget/nuget/-/VsWhere.yaml'
'curations/nuget/nuget/-/vswhere.yaml'
'curations/pypi/pypi/-/Pillow.yaml'
'curations/pypi/pypi/-/pillow.yaml'
'curations/pypi/pypi/-/Resource.yaml'
'curations/pypi/pypi/-/resource.yaml'
I believe the contents of these pairs of files should be merged, and the capitalization should be aligned to the spelling used in the respective registry. Would you agree with that rationale @capfei @fossygirl?
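As an added example (not a script from the curated-data repository), here is the kind of check a CI job could run to reject a PR that introduces paths differing only by case; the sample path list is constructed from a subset of the colliding files listed in the git warning above, plus two non-colliding files.

```python
# Added example, not part of the curated-data repo: detect curation files whose
# paths differ only by case. Git stores both fine on a case-sensitive filesystem,
# but they collide on Windows and default macOS checkouts, so a CI check like
# this catches the problem before a PR lands.
from collections import defaultdict

# Constructed sample: a subset of the colliding paths from the warning above,
# plus two non-colliding files to show they are ignored.
SAMPLE_PATHS = [
    "curations/nuget/nuget/-/DiscUtils.yaml",
    "curations/nuget/nuget/-/Discutils.yaml",
    "curations/nuget/nuget/-/TinyMCE.JQuery.yaml",
    "curations/nuget/nuget/-/TinyMCE.jQuery.yaml",
    "curations/pypi/pypi/-/Pillow.yaml",
    "curations/pypi/pypi/-/pillow.yaml",
    "curations/npm/npmjs/-/lodash.yaml",
    "curations/npm/npmjs/@azure/communication-calling.yaml",
]


def find_case_collisions(paths):
    """Return {casefolded_path: [original spellings]} for every group with >1 member."""
    groups = defaultdict(list)
    for p in paths:
        # casefold() rather than lower() so non-ASCII names fold correctly; the
        # whole path is folded because 'Foo/a.yaml' vs 'foo/a.yaml' collides too.
        groups[p.casefold()].append(p)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def check_tree(paths):
    """CI-style entry point: print each colliding group, return True when clean."""
    collisions = find_case_collisions(paths)
    for members in sorted(collisions.values()):
        print("collision: " + " vs ".join(members))
    return not collisions


if __name__ == "__main__":
    raise SystemExit(0 if check_tree(SAMPLE_PATHS) else 1)
```

The check only reports the collisions; which spelling to keep is still the registry's canonical name, as proposed above.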
Recently we merged this PR containing license info for the above package: #23397. The PR is merged, but our alerts page still says Missing License information.
Being able to override all versions of a particular package is useful, especially for ones with many, many versions (think firebase).
The current format (to my understanding) requires that versions be explicitly declared to provide an override, like the following example:
coordinates:
  name: communication-calling
  namespace: '@azure'
  provider: npmjs
  type: npm
revisions:
  1.0.0:
    licensed:
      declared: OTHER
  1.0.0-beta.1:
    licensed:
      declared: OTHER
  1.0.1-beta.1:
    licensed:
      declared: OTHER
  1.1.0:
    licensed:
      declared: OTHER
  1.1.0-beta.1:
    licensed:
      declared: OTHER
  1.1.0-beta.2:
    licensed:
      declared: OTHER
  1.2.0-beta.1:
    licensed:
      declared: OTHER
  1.2.1-beta.1:
    licensed:
      declared: OTHER
  1.2.2-beta.1:
    licensed:
      declared: OTHER
  1.2.3-beta.1:
    licensed:
      declared: OTHER
  1.3.2:
    licensed:
      declared: OTHER
  1.3.2-beta.1:
    licensed:
      declared: OTHER
  1.4.1-beta.1:
    licensed:
      declared: OTHER
  1.4.3-beta.1:
    licensed:
      declared: OTHER
  1.4.4:
    licensed:
      declared: OTHER
  1.5.4:
    licensed:
      declared: OTHER
  1.5.4-beta.1:
    licensed:
      declared: OTHER
  1.6.1-beta.1:
    licensed:
      declared: OTHER
  1.6.3:
    licensed:
      declared: OTHER
If we introduce version wildcards we can simplify this list down to 1 entry:
coordinates:
  name: communication-calling
  namespace: '@azure'
  provider: npmjs
  type: npm
revisions:
  1.*:
    licensed:
      declared: OTHER
Additionally, if the license does change in 2.0.0, this override list won't affect it.
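As an added example (not code from the ClearlyDefined service, whose curation lookup does not work this way today), here is how a lookup could honour the proposed 1.* wildcard while keeping exact revisions authoritative and leaving 2.0.0 untouched. The curation is embedded as the dict the YAML above would parse to, so it runs without PyYAML; the extra 1.4.4 entry is constructed to show precedence.

```python
# Added example, not from the ClearlyDefined project: resolve a curation's
# declared license for a version when revisions may use a trailing ".*" wildcard.

# Constructed: the single-entry curation proposed above, plus one exact revision
# (invented for this example) to show that exact entries beat the wildcard.
CURATION = {
    "coordinates": {"type": "npm", "provider": "npmjs",
                    "namespace": "@azure", "name": "communication-calling"},
    "revisions": {
        "1.*": {"licensed": {"declared": "OTHER"}},
        "1.4.4": {"licensed": {"declared": "MIT"}},
    },
}


def _release_segments(version):
    """'1.2.3-beta.1+build' -> ['1', '2', '3']; pre-release and build tags are dropped."""
    return version.split("+", 1)[0].split("-", 1)[0].split(".")


def revision_matches(pattern, version):
    """True if `pattern` (exact, or ending in a '*' segment) covers `version`."""
    if "*" not in pattern:
        return pattern == version
    pat = pattern.split(".")
    if pat[-1] != "*" or "*" in pat[:-1]:
        raise ValueError(f"only a trailing '.*' wildcard is supported: {pattern}")
    fixed = pat[:-1]
    ver = _release_segments(version)
    # Compare whole segments, so "1.*" covers 1.0.0 and 1.6.3-beta.1 but not 10.0.0.
    return len(ver) >= len(fixed) and ver[: len(fixed)] == fixed


def declared_license(curation, version):
    """Declared license for `version`, or None if no revision of the curation applies."""
    revisions = curation["revisions"]
    if version in revisions:  # an explicitly listed revision always wins
        return revisions[version]["licensed"]["declared"]
    hits = [p for p in revisions if "*" in p and revision_matches(p, version)]
    if len(hits) > 1:
        raise ValueError(f"ambiguous wildcard revisions for {version}: {hits}")
    return revisions[hits[0]]["licensed"]["declared"] if hits else None
```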
Help me
Originally posted by @tyevil in hashicorp/vault#18498 (comment)
... shows 'Not Harvested' so it would be really useful if I could just click a button to fix that before considering creating a Curation
I've declared a bunch of licenses and hit the "Contribute" button and received no indication anything went through and did not receive an email from the clearlydefinedbot that anything happened. Also, I do not see what I contributed here: https://github.com/clearlydefined/curated-data/pulls.. ?
The Google.Protobuf.Tools NuGet package links to https://github.com/protocolbuffers/protobuf/blob/master/LICENSE for its license. (I looked at version 3.14 in particular.) This LICENSE file does not exactly match the 3-clause BSD license. It includes the following additional text at the end of the license (permalink to the revision I copied this from):
Code generated by the Protocol Buffer compiler is owned by the owner
of the input file used when generating it. This code is not
standalone and requires a support library to be linked with it. This
support library is itself covered by the above license.
Is this still considered a 3-clause BSD license? If not, does this warrant its own license or its own exception?
The SPDX Matching Guidelines v2.1 say:
2.1.2 Guideline: No Additional Text
Matched text should only include that found in the vetted license or exception text. Where a license or exception found includes additional text or clauses, this should not be considered a match.
(Is there a better venue to raise these sort of discrepancies?)
While attempting to manually contribute to some of the packages, I observed that we are only allowed to enter GitHub URLs? Doesn't this limit the scope of any contribution, since there are many packages hosted on Bitbucket, GitLab, Maven, etc.?
Several curations use "OTHER" as the declared license, e.g.
First of all, there is a general problem as "OTHER" is not a valid SPDX expression. Secondly, at the concrete example of jsonify, consuming the ClearlyDefined curation worsens the metadata from "Public Domain" as declared in its package.json to "OTHER", which is even less telling, and causes ORT (which has a mapping from "Public Domain" to "LicenseRef-scancode-public-domain-disclaimer") to run into issues.
That's why I'd like to propose to not use "OTHER" at all. What do you think @capfei @fossygirl?
After this PR went through, our missing license information for EWS did not update: #19750. Our alerts page still says Missing License information.
After this PR went through, our missing license information for angular did not update: #20476. Our alerts page still says Missing License information.
The same component with different casings has different definitions but the same pending curation. Looks to be an edge case:
I want to get validation for kubernetes/apimachinery v0.18.16. I see this dependency in https://clearlydefined.io/?sortDesc=true&sort=releaseDate&name=apimachinery, but I can't find any related YAMLs for this dependency in this repository to create an update PR... Could you point out what I am doing wrong?
I'm trying to submit a curation for a new version of DPDK stable:
However, when I do this using the WebUI I get "Contribution failed" message with no other details. It looks like the tooling is creating branches with my changes (e.g. master...AlanElder_231204_103406.542) but then is not able to submit the PR.