license-maven-plugin
Reuse of missing license configuration between AddThirdParty goals and DownloadLicenses
The reuse of configuration regarding missing licenses could be nicer between the AddThirdParty and DownloadLicenses goals (and aggregate variants).
DownloadLicenses allows you to specify a licensesConfigFile in XML format, which lets you set license URLs for artifacts where the license isn't set correctly.
AddThirdParty lets you specify a missingFile in a custom format, which lets you set or override licenses for artifacts where the license isn't set correctly.
As far as I can tell, this means that if I want to use AddThirdParty and DownloadLicenses on the same project, I'll have to duplicate the missing license configuration in both formats.
It would be nice if we could reuse the licensesConfigFile mechanism for both goals instead.
> if I want to use AddThirdParty and DownloadLicenses
In theory yes, but in practice I see them as either one or the other. Why would anyone need both in one project?
I find AddThirdParty's missingFile format impractical as it does not allow omitting dependency versions. I do not think I'll be in favor of supporting AddThirdParty's missingFile in DownloadLicenses.
I have no opinion about supporting DownloadLicenses' XML in AddThirdParty. If anybody wants to try to check properly if it makes sense, feel free to do so.
> Why would anyone need both in one project?
I use AggregateDownloadLicenses to download the license texts of my dependencies. I can use the output of this goal (with a bit of hand editing) to grab the licenses I need to include in a redistribution.
AggregateAddThirdParty is useful for generating a readable overview of dependencies along with their licenses. The AddThirdParty groupByMultiLicense template generates a very nice overview compared to the licenses.xml output from DownloadLicenses. This is useful to quickly tell which licenses are being used (e.g. to verify that banned licenses are not included), and with a bit of hand editing the output can be included in e.g. an Apache LICENSE file.
I don't need to run both goals at the same time, but it is nice to be able to configure them both in the same project in case I need to run either.
Maybe I'm abusing AggregateAddThirdParty, and this is not the intended use?
I tend to think that if the user needs the license files AND some sort of a report, DownloadLicenses is the way to go. It downloads the licenses, and creates licenses.xml that should contain all data necessary to create any human-readable report using XSLT, Groovy or any other tech at hand.
The config is different for historical reasons. I think DownloadLicenses probably lived independently before being contributed here.
Thanks for explaining. It looks to me like the only features in AddThirdParty that DownloadLicenses doesn't have are license merging and blacklisting, but hopefully spdx identifiers will help make the first one obsolete, and the second feature useful.
I ran into another limitation of the missingFile format, since I have some dependencies where the project URL is not set. There is no way to override it, so we get lines like "* zookeeper (org.apache.zookeeper:zookeeper:3.4.14 - no url defined)" in the output. Maybe it's better if we try to migrate to using DownloadLicenses exclusively.
Indeed, blacklisting is not there. Let's brainstorm in https://github.com/mojohaus/license-maven-plugin/issues/323 how it should work.
What do you mean by license merging?
This feature https://www.mojohaus.org/license-maven-plugin/aggregate-add-third-party-mojo.html#licenseMerges
It's useful because without spdx there is no good unique identifier for a license. It's to avoid e.g. "Apache License v2" and "The Apache Software License 2.0" from showing up as different licenses.
Thanks for raising the other issue. I'll probably be more helpful once I have some more experience using DownloadLicenses.
> This feature https://www.mojohaus.org/license-maven-plugin/aggregate-add-third-party-mojo.html#licenseMerges
> It's useful because without spdx there is no good unique identifier for a license. It's to avoid e.g. "Apache License v2" and "The Apache Software License 2.0" from showing up as different licenses.
I totally agree with both of your suggestions. Unifying the configurations (not necessarily using the cumbersome add-third-party-way) would be a great improvement because if you use both goals (not necessarily to the same ends) you'd not have to duplicate your findings. Merging licenses is the second most important feature to me. I don't see how I'd cope with large projects otherwise.
Additionally, I'd really like the download-licenses goal to be able to consume its configuration from a web resource.
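The report discussed in this thread (dependencies grouped by license from the licenses.xml that DownloadLicenses writes, name variants merged the way licenseMerges does, banned licenses flagged), as an added example that is not part of the thread or the plugin's own code. The licenses.xml element layout, the sample dependencies, the merge entry and the banned license name are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample; assumed layout: licenseSummary/dependencies/dependency/licenses/license/name.
SAMPLE_LICENSES_XML = """<licenseSummary>
  <dependencies>
    <dependency><groupId>org.apache.zookeeper</groupId><artifactId>zookeeper</artifactId><version>3.4.14</version>
      <licenses><license><name>Apache License v2</name></license></licenses></dependency>
    <dependency><groupId>com.example</groupId><artifactId>widgets</artifactId><version>1.0</version>
      <licenses><license><name>The Apache Software License 2.0</name></license></licenses></dependency>
    <dependency><groupId>com.example</groupId><artifactId>copyleft-lib</artifactId><version>2.1</version>
      <licenses><license><name>Example Banned License</name></license></licenses></dependency>
    <dependency><groupId>com.example</groupId><artifactId>unlabelled</artifactId><version>0.3</version>
      <licenses/></dependency>
  </dependencies>
</licenseSummary>"""

# Same "Main|Alias|Alias" shape as the licenseMerges parameter (entry constructed).
MERGES = ["Apache-2.0|Apache License v2|The Apache Software License 2.0"]
BANNED = {"Example Banned License"}  # hypothetical policy list

def parse_merges(merges):
    """Map every alias (case-insensitive) to the first, canonical name of its entry."""
    canon = {}
    for entry in merges:
        names = [n.strip() for n in entry.split("|") if n.strip()]
        for name in names:
            canon[name.lower()] = names[0]
    return canon

def report(xml_text, merges, banned):
    """Return ({license: [g:a:v, ...]}, [g:a:v carrying a banned license])."""
    canon = parse_merges(merges)
    # Banned names go through the same merge table, so banning an alias bans the group.
    banned_lc = {canon.get(b.lower(), b).lower() for b in banned}
    groups, violations = defaultdict(list), []
    for dep in ET.fromstring(xml_text).iter("dependency"):
        gav = ":".join((dep.findtext(t) or "?").strip() for t in ("groupId", "artifactId", "version"))
        names = [(n.text or "").strip() for n in dep.findall("licenses/license/name")]
        # A dependency with no usable license name is surfaced as UNKNOWN, not dropped.
        for raw in [n for n in names if n] or ["UNKNOWN"]:
            name = canon.get(raw.lower(), raw)
            groups[name].append(gav)
            if name.lower() in banned_lc and gav not in violations:
                violations.append(gav)
    return dict(groups), violations
```

Calling `report(SAMPLE_LICENSES_XML, MERGES, BANNED)` returns the grouped overview and the list of dependencies to review; the UNKNOWN group is the set that still needs an entry in the missing-license configuration.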