Kotlin Developer Meeting

Martin Nonnenmacher edited this page Oct 7, 2025 · 233 revisions

This page hosts the agenda of Kotlin / deeply technical topics to be discussed by the core developers in a smaller round than the Community Meeting. If you want to contribute and have concrete technical questions, please ping us on Slack to get invited to the meeting.

Meeting Minutes

Future

2025-10-07

  • FYI: https://github.com/oss-review-toolkit/ort/pull/10947
  • Add an analyzer based on the package-list.yml format from the helper CLI.
    • Example file: https://github.com/oss-review-toolkit/ort/blob/main/cli-helper/src/funTest/resources/package-list.yml
    • Related issue: https://github.com/oss-review-toolkit/ort/issues/10182
    • There is a need for a simpler input format than SPDX when none of the package manager implementations can be used.
    • Design discussion:
      • Check which project and package metadata properties are missing.
      • Keep the flat list of dependencies for now.
      • Find a better name for the definition file: package-list.yml is too generic; an ORT-specific name would be better.
      • Prefer using purls over ORT IDs (maybe only support purls).
      • The format currently has properties like isExcluded or concludedLicense which are usually set by curations. This raises the question of whether those properties should be kept, and whether curations should be applied to the results of this package manager. The tendency in the discussion was to keep the properties and not apply curations, as the data is written by hand anyway and can be fixed in place.
    • Future improvement idea:
      • Automatically fetch metadata from https://deps.dev:
        • The user only has to provide an identifier/purl and then metadata for the package is automatically fetched from the service.
        • The user can disable this behavior (globally or per package, if required).
        • Metadata provided by the user is prioritized over metadata from the service.
        • A good choice to implement the deps.dev client might be: https://github.com/hfhbd/kfx
    • Bosch will start working on that; next steps: create a design document plus example files for review.
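As an added example (not ORT code and not the actual package-list.yml schema), the following Kotlin sketch shows the precedence rule from the design discussion above: a per-package flag overriding a global one, and hand-written metadata taking priority over values fetched from deps.dev. All type and property names are assumptions, and the deps.dev lookup is replaced by a constructed stand-in.

```kotlin
// Added example, not ORT code: models the metadata precedence discussed above.
// All type and property names are assumptions, not the real package-list.yml schema.

data class PackageMetadata(
    val declaredLicenses: Set<String> = emptySet(),
    val homepageUrl: String? = null,
    val sourceRepositoryUrl: String? = null
)

// One entry of the hand-written definition file, keyed by purl.
data class PackageEntry(
    val purl: String,
    val metadata: PackageMetadata = PackageMetadata(),
    val fetchMetadata: Boolean? = null, // null = follow the global setting
    val isExcluded: Boolean = false,
    val concludedLicense: String? = null
)

// Abstraction over the deps.dev lookup; a real client (e.g. kfx) would implement this.
fun interface MetadataSource {
    fun lookup(purl: String): PackageMetadata?
}

// User-provided values win; only values the user left empty are filled from the fallback.
fun PackageMetadata.withFallback(fallback: PackageMetadata) = PackageMetadata(
    declaredLicenses = declaredLicenses.ifEmpty { fallback.declaredLicenses },
    homepageUrl = homepageUrl ?: fallback.homepageUrl,
    sourceRepositoryUrl = sourceRepositoryUrl ?: fallback.sourceRepositoryUrl
)

// The per-package flag overrides the global one; if fetching is off or the service
// knows nothing about the purl, the hand-written metadata is returned unchanged.
fun resolveMetadata(entry: PackageEntry, source: MetadataSource, fetchGlobally: Boolean): PackageMetadata {
    val fetch = entry.fetchMetadata ?: fetchGlobally
    if (!fetch) return entry.metadata
    val remote = source.lookup(entry.purl) ?: return entry.metadata
    return entry.metadata.withFallback(remote)
}

fun main() {
    // Constructed sample data standing in for a deps.dev response.
    val fakeDepsDev = MetadataSource { purl ->
        if (purl == "pkg:npm/example@1.0.0") PackageMetadata(setOf("MIT"), "https://example.com") else null
    }
    // The user declared a different license than the service reports, so the user's value must be kept.
    val entry = PackageEntry("pkg:npm/example@1.0.0", PackageMetadata(declaredLicenses = setOf("Apache-2.0")))
    println(resolveMetadata(entry, fakeDepsDev, fetchGlobally = true))
    println(resolveMetadata(entry.copy(fetchMetadata = false), fakeDepsDev, fetchGlobally = true))
}
```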

2025-09-23

2025-09-16

  • Proposal to simplify our formatting rules to be able to:
    • Configure and share IntelliJ formatting configurations
    • Enable the usage of (fast!) CLI formatters to automatically format the code, e.g. using detekt --auto-correct without any static code analysis (--> ktlint?).
    • Configure the .editorconfig so other editors can also be used without formatting configuration.
      • ➡️ @MarcelBochtler will investigate further and propose solutions.
    • Get rid of the custom detekt-rules.

2025-09-09

2025-09-02

  • Use immutable releases?
    • Tendency is yes; need to get a better understanding of which tags are protected.
  • Externalize test projects?
    • Would solve the issue for people running e.g. Scorecards against our repo.
    • Potentially avoids patching of VCS info.
    • Areas
    • Tendency is no; rather optimize for developer experience than for user experience in this specific case.
    • Ideas
      • Create a discussion FAQ entry which parts to exclude in security scans.
      • Commit configuration for a few well-known tools, so users get correctly configured security scans out of the box.
      • Increase the existing Scorecards score, e.g. by adding a SECURITY.md etc.
  • Should we remove toolVersions from Environment?
    • No objections.

2025-07-22

2025-07-15

2025-06-24

2025-06-17

2025-06-03

2025-05-20

  • How to implement AI-powered Copyright filtering? (in OCCTET context)
    • Generate a copyright-garbage.yml file? Still needs scan-result.yml as the input.
      • This is the way to go for now.
    • Rewrite scan-result.yml with Copyrights filtered out?
    • Create a plugin interface for Copyright garbage filters?
  • Agreement to aim for a strict split between data classes that resemble serialization models and mappings to ORT data models
    • Good examples are the Node PMs' ModuleInfo.kt files
      • Only one top-level data class with no member functions
      • No other top-level functions than those needed for deserialization
      • No ORT-specific code or imports
    • Probably add this to the contribution or development guide
    • Additional detekt / Konsist checks maybe

2025-05-06

2025-04-29

2025-04-15

  • Discuss "Exclude binary license files to prevent reporter hang".
    • Comments added to PR.
  • Consider removing on-disk-caches in favor of only in-memory-caches (Yarn, Maven).
    • Try with in-memory cache only for Yarn to reduce usage of old DiskLru cache; eventually re-implement on-disk caching with other means if there are performance issues.
  • Rename helper-cli to cli-helper to group with cli.
    • Yes.

2025-03-25

2025-03-18

2025-03-04

  • Agree on the way forward for package configuration version ranges: https://github.com/oss-review-toolkit/ort/issues/9918
  • Add new SPDX reporter which uses the SPDX java library.
    • At first: produce similar output to the existing reporter.
    • Then: also produce SPDX v2.3.
    • Remove existing reporter later on if the new one is considered a replacement.

2025-02-25

  • Do we want to merge the ORT Result Schema Reporter?
    • Basically yes, but maybe migrate to a top-level option similar to clikt's built-in --generate-completion.

2025-02-11

  • Plugin questions (@mnonnenmacher)
    • Should plugin constructors be internal to force use of the factory? -> yes
    • Should plugin descriptors move from the constructor to overrides inside the class? -> no
  • Issue labels vs. types vs. templates (@sschuberth)
    • Enhancement vs. new feature

2025-01-14

2025-01-07

2024-12-17

2024-12-03

2024-11-26

  • Used for backlog grooming ("Closed as part of backlog grooming. Feel free to comment if you would like to contribute to this.")
    • Finished!

2024-11-19

2024-11-12

2024-11-05

2024-10-15

2024-10-08

  • Setting SPDX's licenseDeclared e.g. for Go dependencies that have no metadata?
    • Yes, based on RootLicenseMatcher.
    • Additionally, the analyzer could query the GitHub API for "repository declared licenses" (which are actually licenses detected by Licensee).
  • Should we have a "too many scan failures" heuristic for scanners? Also see this discussion.
    • Rather throw a special exception from the scanner implementation than use a generic heuristic on the "client" side.
  • Used for backlog grooming ("Closed as part of backlog grooming. Feel free to comment if you would like to contribute to this.")

2024-09-24

  • Build ORT with Java 21
    • Postpone by at least one week to not cause migration efforts for this week's release, which contains important Bazel changes.
  • Remove SPDX document file analyzer in favor of making the package list helper-cli an analyzer.
    • No, still required by Bosch. Better do another implementation based on the new SPDX Java library, similar to a new SPDX reporter.
    • Also will be required by BitBake support.
  • Cleanup of teams.
    • Proposal: Consolidate "Committers", "Contributors" and "core-devs" to just "devs".

2024-09-17

  • Discuss how to best represent projects which are part of a "workspace" in the analyzer result. As Project or as Package. See also node managers.

2024-09-10

  • New API to download JDKs.
    • Expose version (and name) property to select JDK.
  • Remove NexusIQ.
    • 90 day deprecation notice first, ask in community meeting.
  • Work to maintain CVSS vectors.
    • Split severity into score and vector.

2024-08-27

2024-08-20

2024-07-15

2024-07-08 (skipped)

  • Skipped due to general unavailability of participants.

2024-07-01

2024-06-24

2024-06-17

2024-06-10

2024-06-03

2024-05-27

2024-04-29

2024-04-08

2024-01-29

2024-01-08

  • Scanner API improvements
    • Teach scanPackage about the configured sourceCodeOrigins.
    • Make the global scanner configuration accessible from scanner implementations.
  • Remove the SpdxExpression.licenses() function as it makes it too easy to do "dangerous" things?
  • Replace the ort-config's curation project with a script-based solution?
  • Allow key / value pair as license categories with arbitrary values, see this.

2023-12-18

2023-11-27

2023-11-20

2023-10-30

  • Where to apply default values for advisor configuration?
  • Align create(options: Options) implementations.
  • Get rid of double config nesting in ORT results for advisor / scanner configuration?
    • We should try to avoid constructs like val frontendUrl = ortResult.scanner?.config?.config?.get("DOS")?.options?.get("frontendUrl"), maybe by introducing a helper extension function (as a smooth transition to an interface-based API).

2023-10-09

2023-09-18

  • Maintain orthw and helper-cli in a single repo?

2023-09-04

2023-08-30

2023-08-21

2023-07-24

2023-07-17

2023-07-10

2023-07-03

2023-06-26

2023-06-19

2023-06-12

  • Try to switch to the legacy Docker again in order to work around the current disk space issues in the functional tests.
  • Ideas for an Amazon S3-based (scan) storage implementation

2023-06-05

2023-05-22

2023-04-17

2023-03-20

2023-03-06

  • New GoMod issue to look at.
  • How to move forward with configurable advisor plugins (https://github.com/oss-review-toolkit/ort/pull/6613)?

2023-02-26

2023-02-20

2023-02-06

2023-01-16

  • Separating & Re-applying curations for specific providers (see this comment)
  • Automated releases

2023-01-09

2022-12-19

2022-11-28

2022-11-21

2022-11-14

2022-11-07