commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Charles Honton <>
Subject Re: [ALL] Changing the commons process
Date Sat, 24 Dec 2016 00:02:40 GMT

I am incorrect about the contents of the sources zip.   It does contain all the files under
source control.

As a test, I replaced ~/.m2/repository/org/apache/commons/commons-lang3/3.5/commons-lang3-3.5-src.jar
with the distribution  Using the eclipse IDE, I navigated from
the use of StringUtils.join() to its source.

I will test IntelliJ soon.  Are there any other IDEs that should be tested?  

> On Dec 23, 2016, at 2:54 PM, Bernd Eckenfels <> wrote:
> Hello,
> I think hybrid -sry/source does not work very well, since the IDE expect a package-like
directory structure. I am not sure it would work with src/main/ prefix.
> Gruss
> Bernd
> -- 
> On Fri, Dec 23, 2016 at 11:33 PM +0100, "Gary Gregory" <>
> On Fri, Dec 23, 2016 at 12:54 PM, Charles Honton  wrote:
>> Several recent email threads have discussed our parent pom and release
>> process.  The process we have derive from Apache Common’s rich history
>> which pre-dates many current distribution practices.  I’d like to summarize
>> several quirks with our current releases:
>> The official release source tarball contains just the sources, not all the
>> project files.  Building the artifact from just the src directory without
>> the pom would be extremely difficult.
>> The commons parent pom attaches the source tarball to the maven release
>> for the side effects of signing/checksumming the source tarball.  This
>> induces a manual step of removing the source tarballs from the staging
>> repository.
>> We publish convenience binaries to
>> commons/XXX/binaries.  I doubt anyone consumes these binaries.  Most
>> developers use Maven Central.  Extremely security conscious downstream
>> projects consume the distribution source tarballs.
>> The distribution artifacts are doubled in size by providing both .zip and
>> tar.gz versions.
>> Slightly different artifacts are published to Apache Distribution Site vs
>> Maven Central.
>> Now the questions:
>> 1. Are there any concerns with publishing the source and source-test jars
>> produced by maven-source-plugin as the official distribution artifacts?
> You cannot build from the -source jars so that would not work. We could ADD
> stuff to these jars to make them the same as the files. Then we do
> not need the files.
>> This would make the official distribution artifacts published to
>> the same as the
>> convenience source artifacts published to Maven Central.
>> 2. Are there concerns with not publishing the convenience binaries to
>>  Alternatively, are
>> there concerns with using the the jar produced by maven-jar-plugin as the
>> convenience binary artifact?  This would make the convenience binary
>> artifact published to
>> the same as the convenience binary artifacts published to Maven Central.
> Since the binaries are conveniences, we can do whatever we want IMO.
>> Some background information to help contemplate these questions:
>> When releasing a package, Apache Commons publishes the official source
>> tarball at  The Apache
>> Release Policy  release-contain> and Release Signing Policy  release-distribution.html#sigs-and-sums>
>> “Every ASF release must contain a source package, which must be sufficient
>> for a user to build and test the release provided they have access to the
>> appropriate platform and tools”
>> "Every artifact distributed to the public through Apache channels MUST be
>> accompanied by one file containing an OpenPGP compatible ASCII armored
>> detached signature and another file containing an MD5 checksum.” (.asc file
>> and .md5 file)
>> Apache Commons also distributes convenience binaries at
>> These convenience
>> binaries must also be signed and checksummed.
>> For even more convenience, Apache Commons also publishes packages to Maven
>> Central.  Maven Central policy  pages/requirements.html> requires:
>> “Projects with packaging other than pom have to supply JAR files that
>> contain Javadoc and sources.”
>> “All files deployed need to be signed with GPG/PGP and a .asc file
>> containing the signature must be included for each file.”
>> A pom file with
>> Correct Coordinates
>> Project Name, Description and URL
>> License Information
>> Developer Information
>> SCM Information
> A lighter weight system would:
> - Publish the same as we do now to Maven Central PLUS adding all of the
> files needed to build to *-sources.jar files such that they become the same
> as **-src.tar.gz files.
> - Publish the *-sources jar file to
> commons/XXX/source instead of the **-src.tar.gz files.
> - Stop publishing *-bin files
> The question is, if we publish a build-able *-source.jar file to
> why do we need to double that up and ALSO publish to
> ?
> Not publishing to
> would really simplify
> things.
> Gary

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message