Makefile: Use Travis to run canonical-matching tests #593
Conversation
wking
force-pushed
the
makefile
branch
2 times, most recently
from
1034a63 to
e15a8e2
Compare
|
The test failure will be fixed by #589. |
|
I've pushed e15a8e2 → 992d62e, temporarily rolling back the test data to get the tests passing here. With that change, this PR can land without waiting for #589. If this lands first, we'll have to update #589 to bump the test-data hash in |
|
We should commit both the update to the license list XML file and the test in the same commit to resolve. I'll revert the copy in https://github.com/goneall/license-list-XML to resolve the test failures in the script. |
|
I've pushed 992d62e → 8354d14 updating this to use
No need to revert, because I'm now pinning the commit in |
|
I've been unable to convince @goneall that keeping the test data in an external repository will be easier (e.g. see here), so I've just pushed 268f54b → 1853d30 to demonstrate the submodule approach I'd floated here. This would give us a similar feel to having local files (for folks who want to If this is still not acceptable, let me know, and I'll file another commit to go completely over to the local-file approach. In that case, I expect we'll revisit the external repo approaches once we get tired of the doubled review. |
wking
force-pushed
the
makefile
branch
2 times, most recently
from
43cccdd to
9a8648f
Compare
|
I've been unable to convince @goneall to use either the
|
|
The current tool failure is because spdx/tools was broken by wking/fsf-api#9 (discussion on protecting from future breakage in wking/fsf-api#10). It would be nice if the validation didn't depend on the presence of the FSF API, since as far as I can see that's orthogonal to whether we match the canonical text or not. But I realize that separating the verification from the generation would take spdx/tools dev-time. Oh, another difference between here and #592 is that I'm still punting on auto-publishing to space out the changes. This PR is just about unit-testing this repo. |
Also, once we implement publishing we would want to include the FSF-Free generation. Once versioning is implemented in the FSF Free API code, I'll update the tools and push a new version to remove the error. I'll also add a property to use a cached version of the FSF Free JSON file so we don't need to update the tool if we run into a similar issue in the future. |
|
Makefile and gpg are improvements We need to resolve the FSF-Free failures before merging. I would also like to have support for publishing, but I can hold off on that if we can add publishing support within the next couple of weeks. |
We can revert this commit once the FSF API is versioned [1] and the tools are updated [2]. [1]: wking/fsf-api#10 [2]: spdx#593 (comment)
|
On Fri, Jan 05, 2018 at 07:37:16PM +0000, goneall wrote:
> But I realize that separating the verification from the generation
> would take spdx/tools dev-time.
Also, once we implement publishing we would want to include the
FSF-Free generation.
Agreed. But I'd rather have the option to verify without publishing.
Once versioning is implemented in the FSF Free API code, I'll update
the tools and push a new version to remove the error.
Until then, since we don't need working FSF data for verification,
I've switched in temporary dummy data with 845b02c, but it doesn't
work (as described in [1]).
I'll also add a property to use a cached version of the FSF Free
JSON file so we don't need to update the tool if we run into a
similar issue in the future.
Can we get that now? Then we can move forward with this and buy me
some more time to work out [2].
[1]: wking/fsf-api#9 (comment)
[2]: wking/fsf-api#10 (comment)
|
|
@wking The master branch of the tools are updated with the property to force using the cached JSON file. It has also been updated to comply with the schema changes for PR #452 Do you think you will have wking/fsf-api#9 resolved soon or should I spin a release with these 2 changes? |
|
Note - test file updates are required for Apache-1.0.txt and LLVM-exception.txt to pass tests due to changes made since the 3.0 release of the license list. |
|
On Mon, Jan 15, 2018 at 10:13:28PM -0800, goneall wrote:
Do you think you will have wking/fsf-api#9 resolved soon or should I
spin a release with these 2 changes?
It will take me another few days, so you may want to move ahead with a
tools release.
|
|
I just pushed version 2.1.9 of the tools. To use the file in the resources directory, add -DLocalFsfFreeJson=true to the Java command line. See the update to the goneall/license-list-XML repo for a reference: goneall@a4dc1f1 |
2.1.9 adds support for LocalFsfFreeJson, which allows us to decouple from the live fsf-api data [1]. [1]: spdx#593 (comment)
Based on Gary's repository for now, because [1] is still in flight. Ideally the test data would have signed releases, so we could use '--branch v1.2.3' in the clone call. But we don't have that yet, so just chase master. [1]: spdx/license-test-files#6
Until [1] lands, license-test-files d19d48d will break testing (by comparing our locally-broken XML against fixed test data). While that change is in flight, stick with the previous, broken test data. An alternative approach to getting a particular commit would be to use submodules, but: * I expect most contributors will find this approach easier to manipulate, because you don't have to wrap your head around submodules to use it. * The full clone (needed to ensure we still get the commit we want) is a price paid by GitHub (hosting the clone) and Travis (pulling the clone). As long as they're both willing to pay that price, it doesn't seem like it's worth jumping through too many hoops to be more efficient. [1]: spdx#589
This commit changes from the hard-coded hash over to OpenPGP [1] verification for the tool JAR. The key in goneall.gpg is 0xEA760AF7CBD0E4F9013F06FB8CCBE63DE91BFF1C, imported with: $ gpg --search 0x8CCBE63DE91BFF1C gpg: data source: http://5.45.108.219:11371 (1) Gary O'Neall (Key for signing jar files) <[email protected]> 4096 bit RSA key 8CCBE63DE91BFF1C, created: 2017-12-13 Keys 1-1 of 1 for "0x8CCBE63DE91BFF1C". Enter number(s), N)ext, or Q)uit > 1 gpg: key 8CCBE63DE91BFF1C: public key "Gary O'Neall (Key for signing jar files) <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1 The source keyserver is from hkp://pool.sks-keyservers.net. I then exported the key with: $ gpg --export 0x8CCBE63DE91BFF1C >goneall.gpg When exported without ASCII armor, such keys can be used as a keyring. The --no-default-keyring option disables the user's default keyring (if any. There probably won't be one on Travis). And the --keyring ./goneall.gpg slots in our local file. We need the ./ (at least with GnuPG 2.1.20), because gpg2(1) has: If the filename does not contain a slash, it is assumed to be in the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME is not used). The output may still include: gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. but that's ok, because gpg still exits zero. And because of our keyring manipulation, we know the key is trusted. Signatures from any other key will instead show: gpg: Can't check signature: No public key and exit 2. [1]: https://tools.ietf.org/html/rfc4880
Generated with: $ git remote add test git://github.com/goneall/license-test-files.git $ git fetch test $ git merge -s ours --allow-unrelated-histories --no-commit test/master^ $ git read-tree --prefix=test -u test/master^ $ rm test/README.md test/testfiles-1.0-for-license-list-2.6.tar $ git add test I'd prefer to use a submodule or similar for this to keep the clone/checkout size down for folks who don't need the test data. But I've been unable to convince Gary ;).
We can revert this commit once the FSF API is versioned [1] and the tools are updated [2]. [1]: wking/fsf-api#10 [2]: spdx#593 (comment)
2.1.9 adds support for LocalFsfFreeJson, which allows us to decouple from the live fsf-api data [1]. 2.1.9 also adds support for our new <text> element in spdx/tools@cd8822e3 (Update license RDFa Generator to use the latest XML schema with addition of text element, 2018-01-15, spdx/tools#148). [1]: spdx#593 (comment)
…losing quote) Similar to 36bce3f (test: Add license-test-files with read-tree, 2018-01-03): $ git config remote.test.url https://github.com/wking/license-test-files $ git fetch test $ git rm -r test $ git read-tree --prefix=test/ -u test/apache-1.0-missing-quote $ rm test/README.md test/testfiles-1.0-for-license-list-2.6.tar $ git add test The remote.test.url update is because Gary hasn't landed my just-filed [1]. The 'git rm' call avoids: $ git read-tree --prefix=test/ -u test/apache-1.0-missing-quote error: Entry 'test/simpleTestForGenerator/0BSD.txt' overlaps with 'test/simpleTestForGenerator/0BSD.txt'. Cannot bind. This catches the test data up with 558562e (Add missing close quote to Apache-1.0.xml, 2017-12-30, spdx#588) and b975b3e (Remove section 4.g. from BitTorrent-1.0 license, 2017-12-30, spdx#589). [1]: goneall/license-test-files#2
|
I've pushed 845b02c → 2453fb3, rebasing onto master, pulling in v2.1.9 of the tools, and bumping the tests (including goneall/license-test-files#2). Now Travis is happy with this PR :). |
Based on Gary's repository for now, because spdx/license-test-files#6 is still in flight. Ideally the test data would have signed releases, so we could use
--branch v1.2.3in the clone call. But we don't have that yet, so just chase master.This is my preferred alternative to #592, with an external test repository and the publication logic removed for now.