couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Lehnardt <>
Subject Re: On dependency management and CI issues associated with it
Date Fri, 15 Apr 2016 08:13:47 GMT

> On 14 Apr 2016, at 23:11, Joan Touzet <> wrote:
> Based on this information, are we in violation of ASF requirements? Can
> anyone clarify for me what we actually need to be doing here?

There is no such policy. We are also not bundling SpiderMonkey or Erlang
either. Neither do any of the Java projects bundle e.g. OpenJDK.

The question of whether to have a “safe copy“ to be ensured against
suddenly disappearing upstream is entirely* up to the project, but not
ASF policy.

*upstream dependencies that have dual licensing that includes a GPL
flavour or other incompatible license[1] can’t be mirrored on ASF
source control and distribution servers (that’s why we don’t mirror
SpiderMonkey or Erlang (although we could do Erlang now, that they
switched to ASF 2, but I would not suggest we do this).


* * *

Personally, with npm’s new unpublish policy[2], I’m okay with having
our dependencies there.

Because of the deep dependency tree, we should be very diligent about
not accidentally including category-x licensed modules. I’m sure we
can automate this into a npm postinstall script, so we know as soon
as possible.

At the very least, we need an audit prior to any release.



> -Joan
> ----- Original Message -----
>> From: "Garren Smith" <>
>> To:, "Joan Touzet" <>
>> Sent: Thursday, April 14, 2016 2:43:10 AM
>> Subject: Re: On dependency management and CI issues associated with it
>> Hi Joan,
>> Good point. Until about a week ago we use to keep all our
>> dependencies in
>> our repo. But we have just switched to webpack which allows us to
>> manage
>> our dependencies via npm (in case you are wondering, we don't depend
>> on
>> leftpad directly). So some of them are in our repo but the majority
>> are
>> downloaded and then bundled.
>> Cheers
>> Garren
>> On Wed, Apr 13, 2016 at 11:29 PM, Joan Touzet <>
>> wrote:
>>> Garren, correct me if I'm wrong but Fauxton depends on a large
>>> number
>>> of JS dependencies that we don't keep copies of, correct? Or is it
>>> just
>>> for the build process?
>>> -Joan
>>> ----- Original Message -----
>>>> From: "Alexander Shorin" <>
>>>> To:
>>>> Sent: Wednesday, April 13, 2016 2:08:20 PM
>>>> Subject: Re: On dependency management and CI issues associated
>>>> with it
>>>> On Wed, Apr 13, 2016 at 8:39 PM, Robert Newson
>>>> <>
>>>> wrote:
>>>>> It's a thread derail but this notion that we're being "fairly
>>>>> rude"
>>>>> needs resolving. It might be lost to history now but we got
>>>>> here,
>>>>> I think, with the best intentions of ensuring all the code that
>>>>> appears in couchdb can be traced back to code hosted at asf. Is
>>>>> it
>>>>> a concrete requirement? I honestly forget but I thought so.
>>>> Yes, that's the answer why. If one day mochiweb owner will decide
>>>> to
>>>> drop his github repo, we shouldn't be leave with broken builds.
>>>> See
>>>> leftpad story as well. Initially, that requirement seems
>>>> redundant,
>>>> but recent npm drama showed that it has a huge point. Also there
>>>> are
>>>> some legal bits about.
>>>> --
>>>> ,,,^..^,,,

Professional Support for Apache CouchDB:

View raw message