james-server-dev mailing list archives

From "robert burrell donkin" <robertburrelldon...@gmail.com>
Subject Re: [mime4j] release plan for 0.3
Date Sun, 13 May 2007 22:01:58 GMT
On 5/13/07, Stefano Bagnara <apache@bago.org> wrote:
> robert burrell donkin wrote:

<snip>

> >> None of the jars distributed by ASF via Maven repositories (*MANY*
> >> products) have the apache name in the jar !?! (well maybe a couple of
> >> them have this prefix.. but a couple vs thousands)
> >
> > i've taken a quick look and the maven 2 repository is much worse than
> > the old one used to be
> >
> > jar names should include 'apache'. unless jar names include 'apache'
> > we have no ability to ensure that others do not produce jars with the
> > same name. probably need to go and remind them that they still have it
> > very wrong.
>
> There should be a "priority" list where every committer should receive
> such information: it is critical to the ASF community and I assure
> you that even if I read a lot of documentation and I make a lot of
> questions on how to do stuff I never heard the prefix thing before!

not sure how critical it really is. apache tends to be loath to take
legal action. IIRC this arose around 5 years ago but i can't remember
why. it can't have been that important or it would have been more
widely known.

but it is good practice and worth adopting

> Please note that this is not to mean that I don't believe you, but
> simply to tell to someone that I think this thing is important and this
> should be documented and more widely communicated to newcomers.

not sure apache has a solution for this. i find that writing
documentation is tough and takes a lot of time. there are only a
limited number of other people who find any time for documentation.

it's easier (and usually quicker) to create technical solutions. when
infra moves to using a proper release upload mechanism, the releases
can be verified and any which don't meet policy can be rejected.

<snip>

> >> I believe the
> >> source package contains the NOTICE/LICENSE.
> >> About the svn source tree I posted a question on legal-discuss but I
> >> received no answer about this:
> >> http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200705.mbox/<463EFEEF.4080201@apache.org>
> >
> > it's not a legal question but an infra question
> >
> > all apache releases require LICENSE and NOTICE. source releases should
> > be the primary form of release for apache projects. source releases
> > are formed by svn export. if the source lacks top level LICENSE and
> > NOTICE files then it's hard to create compliant releases.
>
> the source package is generated via an mvn assembly (package) command
> and it makes sure to include an up-to-date NOTICE/LICENSE.

in that case, policy will be satisfied

IMHO it's not a real source release though, since it does not actually
correspond to anything that i can check out of svn. i sometimes
worry about the reconstructability of maven source releases...

> Imho it is important to understand if the svn root tree is a requisite
> or not because currently our NOTICE and LICENSE is generated by metadata
> included in the POM and having also a non-automatically generated
> artifact in the source tree will lead to duplication and much easier
> desynchronization.

the maven NOTICE generation stuff seems to be working much better now

> So I'd like to know what is the legal requirement and then to be able to
> decide how to better accomplish it technically ;-)

it's a consequence of a policy requirement (not a legal one)

> I don't understand why this should be asked to INFRA and not LEGAL,

legal discuss is about points of law and not about points of policy.
yes, policy is informed by law but release policy is set by the
infrastructure team. the policy is that every artifact released must
have LICENSE and NOTICE documents. (the convention for source
distributions is to have them at top level.)

therefore to produce a proper source release through a svn export,
LICENSE and NOTICE files need to be at top level. however, if you
aren't going to be shipping a proper source release then they aren't
necessary.

> but I will do this too.

not sure that there's much point asking on infra: you'll probably get
a quicker answer by asking infrastructure questions on this list.
hopefully, i've been reasonably comprehensive. please ask more
questions if i haven't been clear on any points.

> >> If they will reply that NOTICE and LICENSE are needed also in the svn
> >> source tree then we should coordinate the Maven2 guys to avoid pushing
> >> the use of the
> >> "apache-jar-resource-bundler"+"maven-remote-resources-plugin"
> >> combination because this leads to no LICENSE/NOTICE in the source tree.
> >
> > seems wrong to me that maven actively conflicts with the use of an svn
> > export to create a proper source release
> >
> > - robert
>
> I don't agree on the fact that svn export should be used to create
> source releases. svn export does not create a package, does not sign it,
> does not ensure any rule.

maven doesn't really enforce rules yet (but it is coming)

the latest maven code does the signing reliably but does not use an
agent so i'm not sure that i'd trust it with my code signing key

(FWIW i do all my signing on an isolated machine by switching hard discs)

> Every other package we release is created by a build script: why should
> we use svn export for the source release?

because it's the source and we are an open source project :-)

a source release should consist of the source exported directly from
the repository and compressed for delivery. everything else is just
window dressing.

- robert

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
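
The upload-time verification discussed in this thread, sketched as an added example (it is not part of the original message and not ASF or Maven tooling). It checks the three points raised: 'apache' in the jar name, LICENSE and NOTICE in every artifact (top level for source archives), and whether a source archive matches an svn export. The function names, the single-root-directory layout and the sample file names are assumptions.

```python
import hashlib, io, tarfile, zipfile

def members(name, data):
    """Map each regular file in a .jar or .tar.gz archive to its SHA-256."""
    buf = io.BytesIO(data)
    if name.endswith(".jar"):
        with zipfile.ZipFile(buf) as z:
            raw = {i.filename: z.read(i) for i in z.infolist() if not i.is_dir()}
    else:
        with tarfile.open(fileobj=buf, mode="r:*") as t:
            raw = {m.name: t.extractfile(m).read() for m in t.getmembers() if m.isfile()}
    return {p: hashlib.sha256(b).hexdigest() for p, b in raw.items()}

def check_release(name, data, exported=None):
    """Return policy violations; exported maps svn-export paths to SHA-256."""
    files, problems = members(name, data), []
    if name.endswith(".jar"):
        if "apache" not in name.lower():
            problems.append("jar name lacks 'apache'")
        present = {p.rsplit("/", 1)[-1] for p in files}  # anywhere in the jar
    else:
        # Assumption: the source archive unpacks into a single root directory.
        rel = {p.split("/", 1)[-1]: h for p, h in files.items()}
        present = {p for p in rel if "/" not in p}  # top level only
        if exported is not None:
            changed = {p for p, _ in set(rel.items()) ^ set(exported.items())}
            problems += ["not in export or differs: " + p for p in sorted(changed)]
    return problems + ["missing " + d for d in sorted({"LICENSE", "NOTICE"} - present)]

def build(name, files):  # builds a constructed sample archive in memory (demo input)
    buf = io.BytesIO()
    if name.endswith(".jar"):
        with zipfile.ZipFile(buf, "w") as z:
            for path, body in files.items():
                z.writestr(path, body)
    else:
        with tarfile.open(fileobj=buf, mode="w:gz") as t:
            for path, body in files.items():
                info = tarfile.TarInfo(path)
                info.size = len(body)
                t.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed inputs: an svn export without LICENSE/NOTICE, and a built archive.
    src = {"pom.xml": b"<project/>", "src/A.java": b"class A {}"}
    export = {p: hashlib.sha256(b).hexdigest() for p, b in src.items()}
    tree = {"x-0.3/" + p: b for p, b in {**src, "LICENSE": b"l", "NOTICE": b"n"}.items()}
    print(check_release("x-0.3-src.tar.gz", build("x-0.3-src.tar.gz", tree), export))
```

The sample run reproduces the situation in the thread: a built source archive with generated LICENSE and NOTICE satisfies the policy check but is reported as not matching the export, while an archive made straight from that export would be reported as missing both files.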

