Trying to Use .ort.yml Repository Configuration for Package Concluded License Finding #7753
Comments
This is meant to tell you that the feature is "disabled by policy", i.e. you need to enable it in the global ORT configuration before ORT users can make use of it in their project repositories, see
I've clarified this in the docs: #7754
Improved docs are now live at https://oss-review-toolkit.org/ort/docs/configuration/ort-yml#curations. Feel free to reopen if this does not answer your question @scottschreckengaust.
Same results, I must be missing something:
I set up a temporary sample repository https://github.com/scottschreckengaust/orter as an attempt to set the I have reviewed https://github.com/oss-review-toolkit/ort-ci-github-action/blob/main/action.yml and documentation https://oss-review-toolkit.org/ort/docs/configuration/ort-yml#curations and need help still. Here is a successful run with the artifact report showing the This run shows the Here is the configuration of the repository's three files:
```text
numpy==1.26.1
```

```yaml
---
name: ort-toolkit
on:
  push:
    branches:
      - main
  workflow_dispatch: {}
jobs:
  ort:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout project
        uses: actions/checkout@v3
      - name: Run GitHub Action for ORT
        uses: oss-review-toolkit/ort-ci-github-action@v1
        with:
          ort-cli-args: '-P ort.forceOverwrite=true -P ort.enableRepositoryPackageCurations=true --stacktrace'
```

```yaml
---
curations:
  packages:
    - id: "PyPI::numpy:1.26.1"
      curations:
        comment: "The https://github.com/numpy/numpy/blob/v1.26.1/LICENSE.txt, as a permissive license similar to the BSD 2-Clause License, but with a 3rd clause that prohibits others from using the name of the copyright holder or its contributors to promote derived products without written consent."
        concluded_license: "BSD-3-Clause"
```
This line actually indicates that the curation has been applied, but there seem to be some bugs in the way the GitHub action calls ORT. It will take me some time to look into this as I'm currently traveling.
I re-ran the job with debug logging. The 'evaluate':
The recommendation:
Yes:
@sschuberth The analyzer seems to pick up the I have a PR for changing the error -> warning oss-review-toolkit/ort-config#141
Good finding, I was confused by this myself.
Because a repository configuration or curation may be purposeful, declare a `WARNING` instead of `ERROR` for the evaluator. Resolves oss-review-toolkit/ort#7753 Signed-off-by: Scott Schreckengaust <[email protected]>
@sschuberth There is still the issue in reporting when the package curations and now added configurations switches are set to
Updated the GitHub action because "@v1" was failing, oss-review-toolkit/ort-ci-github-action#28, so pinned to a commit hash and added the second switch to enable repository configurations; also, for completion, mapped the license:
Sorry, I'm not sure I follow... what do you mean by "in reporting"? In some report created by ORT's reporter?
@sschuberth: Yes, I would assume with the enabled flags, no violation would be reported. For example, here is a screenshot from the action's artifact https://github.com/scottschreckengaust/orter/suites/18217645706/artifacts/1052044021.
Well, in the discussion with @fviernau for your PR I unfortunately wasn't able to convince him to not emit this violation at all (or at least relax its wording, or only complain if there are repository configurations / curations present although the feature is disabled). Personally, I agree that the wording is misleading as it's unclear whether something actually did not work, and it also discourages the use of an IMO perfectly valid feature in ORT. The simple solution is to not use
Is also a solution to add to the curations, https://github.com/oss-review-toolkit/ort-config/tree/main/curations?
I'm not sure what you mean, but in general you can just copy any configuration files / directories that you like / want to use from the ort-config repo, put them in your own repo, and amend the config with your own files. So yes, you could e.g. only take the
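The check proposed above (only complain when curations are present in .ort.yml but the feature is disabled) written as a CI pre-flight lint; this is an added example, not ORT's own code. It assumes the switch name ort.enableRepositoryPackageCurations from this thread, assumes ort.enableRepositoryPackageConfigurations is the "second switch" mentioned for repository package configurations, and takes the .ort.yml as an already-parsed dict (constructed sample inline).

```python
"""Pre-flight check for .ort.yml package curations ORT would ignore (added, constructed example).
ORT ignores package curations in .ort.yml unless ort.enableRepositoryPackageCurations is
true, and the evaluator rule PACKAGE_CURATION_IN_ORT_YML flags their presence. Following the
refinement proposed in the thread, this reports only when curations are present but the
enabling switch is missing from the ORT CLI arguments, so a CI job can fail fast."""
import shlex

# Switch names: the first appears in the thread; the second is assumed to be the
# "second switch" for repository package configurations mentioned there.
SWITCHES = {
    "curations": "ort.enableRepositoryPackageCurations",
    "package_configurations": "ort.enableRepositoryPackageConfigurations",
}

def parse_properties(cli_args: str) -> dict[str, str]:
    """Collect '-P key=value' pairs from an ort-cli-args string (shell-style split)."""
    tokens = shlex.split(cli_args)
    props = {}
    for i, tok in enumerate(tokens):
        if tok == "-P" and i + 1 < len(tokens) and "=" in tokens[i + 1]:
            key, _, value = tokens[i + 1].partition("=")
            props[key.strip()] = value.strip()
    return props

def check_repo_config(ort_yml: dict, cli_args: str) -> list[str]:
    """Return one finding per .ort.yml section that is present but not enabled."""
    props = parse_properties(cli_args)
    findings = []
    # Package curations live under curations -> packages (the section used in the thread).
    pkg_curations = ort_yml.get("curations", {}).get("packages", [])
    if pkg_curations and props.get(SWITCHES["curations"], "false").lower() != "true":
        ids = ", ".join(c.get("id", "?") for c in pkg_curations)
        findings.append(f"PACKAGE_CURATION_IN_ORT_YML: {len(pkg_curations)} package curation(s) "
                        f"[{ids}] present but -P {SWITCHES['curations']}=true is missing")
    # Package configurations live under package_configurations (key name assumed).
    pkg_configs = ort_yml.get("package_configurations", [])
    if pkg_configs and props.get(SWITCHES["package_configurations"], "false").lower() != "true":
        findings.append(f"{len(pkg_configs)} package configuration(s) present but "
                        f"-P {SWITCHES['package_configurations']}=true is missing")
    return findings

# Constructed sample: the thread's .ort.yml as an already-parsed dict (no YAML library needed).
SAMPLE_ORT_YML = {"curations": {"packages": [
    {"id": "PyPI::numpy:1.26.1", "curations": {"concluded_license": "BSD-3-Clause"}}]}}
WITHOUT_SWITCH = "-P ort.forceOverwrite=true --stacktrace"
WITH_SWITCH = "-P ort.forceOverwrite=true -P ort.enableRepositoryPackageCurations=true --stacktrace"
if __name__ == "__main__":
    for args in (WITHOUT_SWITCH, WITH_SWITCH):
        print(args, "->", check_repo_config(SAMPLE_ORT_YML, args) or ["no findings"])
```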
The documentation for Repository Configuration (.ort.yml) states:
Yet received the PACKAGE_CURATION_IN_ORT_YML error while trying to do so:
Using ORT version 4.0.0, here is the recommendation for the NO_LICENSE_IN_DEPENDENCY error:
Here is the repository configuration .ort.yml attempting to fix that, which received the PACKAGE_CURATION_IN_ORT_YML: