Is it just the Eclipse project code itself or is a 3rd party JAR being used as well?
If a 3rd party JAR from the project is being linked to directly then a CQ needs to be entered
If Eclipse project is mature (not in incubation) then there is no need to enter a CQ for indirect use of a 3rd party JAR
3rd party JARs not checked in
Some JARs may be downloaded as part of the build and stored locally (not checked in)
If a developer checks out the complete project tree and does a full build and test run then it may result in the build/test tool downloading these 3rd party JARs
Low percentage of people doing this in Jetty, risk is likely not significant
Transitive dependencies
All 3rd party JARs linked to by Required dependencies require CQs
3rd party JARs linked to by Works-with dependencies do not require CQs
Distributed code
Current definition of "distributed code" is code that is checked in or accessible from config mgmt/version control system or bundle repo
Questions about test code that is not actually shipped in a release or zipped up in any form, but is really just part of the project development process
Would like to not have to submit CQs for test code (even though it may link directly to a 3rd party JAR) based on the premises that the test code is not really something that is provided to the consumer and the 3rd party JAR will not be checked into an Eclipse repo
Barb will talk with Janet about non-released project code as well as the issues of the risk described in the developer download case and get back or join the next call
Mike will summarize in a new version of the flow chart once conclusion is reached on the key issues
