2022-08-22
Attendees: aiuto (Google), mzeren (VMware), Daniel Machlab (VMware), David Kurkov (Lyft), Ben Lee (Lyft)
Discussing https://github.com/bazelbuild/rules_jvm_external/pull/683 and https://github.com/bazelbuild/rules_jvm_external/pull/692
aiuto@: status updates
Agreement with bzlmod team about capability to splice in license and package information at load time. This would handle jvm_external imports.
Design document to follow
https://github.com/bazelbuild/bazel/pull/16057 is the PoC license splicer
AOSP seems to be reusing the same scheme.
David Kurkov:
Lyft wants the license list.
Ideally this could be generated from the POM files.
Mark:
Wants a layer of indirection between the POM's declaration of a license and what is actually used.
Many POMs don't have license information.
Tony:
Google does not trust the authors either. We use a classifier.
Described plan to add hooks after repository download but before the workspace rule returns
Working towards merging SBOM creation into this.
Ben:
As a naive first solution, add a POM parser to rules_jvm_external that produces a .json file for maven_install to read license info from.
Is there value in upstreaming this to rules_jvm_external today?
We would not want to end up "owning" rules_jvm_external just by touching it, but encouraging forks is not great for the community.
Should we send minutes to baze...@googlegroups.com?
Shout out to Daniel: https://blogs.vmware.com/opensource/2022/03/15/streamlining-open-source-software-discovery-with-bazel/
Found and fixed some bugs in the calendar link.
Daniel talked about VMware's audit: https://github.com/vmware/rules_oss_audit/tree/main/oss_audit
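The following is an added example sketching the kind of POM-to-JSON license extraction Ben proposed above; it is not code from rules_jvm_external, Bazel or any project named in these minutes, and the sample POMs, function names and JSON layout are constructed for illustration. It also bakes in Mark's caveat: a POM with no <licenses> block is kept in the index with an empty list and needs_review set, rather than silently dropped, and the field is named declared_licenses so a classifier (Tony's point) can record its own verdict separately.

```python
"""Added example (not from rules_jvm_external): build a JSON index of the
licenses each Maven POM declares, flagging POMs that declare none."""
import json
import xml.etree.ElementTree as ET


def _ns(root):
    """Return the XML namespace of the root element ("" when the POM has none)."""
    if root.tag.startswith("{"):
        return root.tag[1 : root.tag.index("}")]
    return ""


def _text(elem, ns, path):
    """Walk a slash-separated child path and return its stripped text, or None."""
    cur = elem
    for part in path.split("/"):
        cur = cur.find(f"{{{ns}}}{part}" if ns else part)
        if cur is None:
            return None
    return (cur.text or "").strip() or None


def parse_pom(xml_text):
    """Parse one POM document into a record with coordinates and declared licenses."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    # groupId and version may be inherited from <parent>; artifactId never is.
    group = _text(root, ns, "groupId") or _text(root, ns, "parent/groupId")
    artifact = _text(root, ns, "artifactId")
    version = _text(root, ns, "version") or _text(root, ns, "parent/version")
    if not (group and artifact and version):
        raise ValueError("POM is missing groupId/artifactId/version")

    licenses = []
    licenses_elem = root.find(f"{{{ns}}}licenses" if ns else "licenses")
    if licenses_elem is not None:
        for lic in licenses_elem.findall(f"{{{ns}}}license" if ns else "license"):
            name = _text(lic, ns, "name")
            url = _text(lic, ns, "url")
            if name or url:
                licenses.append({"name": name, "url": url})

    return {
        "coordinates": f"{group}:{artifact}:{version}",
        # What the author declared; a downstream classifier may override this.
        "declared_licenses": licenses,
        # No declaration at all is a gap a human or classifier must fill.
        "needs_review": not licenses,
    }


def build_license_index(pom_texts):
    """Map coordinates -> license record for a collection of POM documents."""
    return {rec["coordinates"]: rec for rec in map(parse_pom, pom_texts)}


def to_json(index):
    """Serialise the index deterministically so the .json file diffs cleanly."""
    return json.dumps(index, indent=2, sort_keys=True)


# Constructed sample POMs (not real artifacts): one namespaced with a single
# license, one dual-licensed without a namespace, and one that inherits its
# coordinates from a parent and declares no license at all.
SAMPLE_POMS = [
    """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId>
  <artifactId>widget</artifactId>
  <version>1.2.3</version>
  <licenses>
    <license>
      <name>Apache License, Version 2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0</url>
    </license>
  </licenses>
</project>""",
    """<project>
  <groupId>org.example</groupId>
  <artifactId>dual</artifactId>
  <version>2.0</version>
  <licenses>
    <license><name>MIT License</name></license>
    <license><name>Eclipse Public License 1.0</name></license>
  </licenses>
</project>""",
    """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>com.example</groupId>
    <artifactId>parent-pom</artifactId>
    <version>0.9</version>
  </parent>
  <artifactId>nolicense</artifactId>
</project>""",
]

if __name__ == "__main__":
    print(to_json(build_license_index(SAMPLE_POMS)))
```

Running the module prints the index for the three constructed POMs; in a real pipeline the input would be the POMs maven_install has already resolved, and the needs_review entries are the ones to route to a classifier or a human rather than to trust the author's declaration.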