couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul J Davis <paul.joseph.da...@gmail.com>
Subject Re: On dependency management and CI issues associated with it
Date Fri, 15 Apr 2016 12:38:32 GMT


> On Apr 15, 2016, at 3:13 AM, Jan Lehnardt <jan@apache.org> wrote:
> 
> 
>> On 14 Apr 2016, at 23:11, Joan Touzet <wohali@apache.org> wrote:
>> 
>> Based on this information, are we in violation of ASF requirements? Can
>> anyone clarify for me what we actually need to be doing here?
> 
> There is no such policy. We are also not bundling SpiderMonkey or Erlang
> either. Neither do any of the Java projects bundle e.g. OpenJDK.
> 

My understanding is that anything included in an ASF release tarball must be in ASF source
control which is why we mirror mochiweb but not Erlang.

There are also rules about downloading things to build ASF projects and the Java/Maven communities
should have this info. Given that Erlang hasn't had a real package thing until semi recently
its not something I've spent time figuring out. 

> The question of whether to have a “safe copy“ to be ensured against
> suddenly disappearing upstream is entirely* up to the project, but not
> ASF policy.
> 
> *upstream dependencies that have dual licensing that includes a GPL
> flavour or other incompatible license[1] can’t be mirrored on ASF
> source control and distribution servers (that’s why we don’t mirror
> SpiderMonkey or Erlang (although we could do Erlang now, that they
> switched to ASF 2, but I would not suggest we do this).
> 
> [1]: http://www.apache.org/legal/resolved.html#category-x
> 
> * * *
> 
> Personally, with npm’s new unpublish policy[2], I’m okay with having
> our dependencies there.
> 
> Because of the deep dependency tree, we should be very diligent about
> not accidentally including category-x licensed modules. I’m sure we
> can automate this into a npm postinstall script, so we know as soon
> as possible.
> 
> At the very least, we need an audit prior to any release.
> 
> [2]: http://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy
> 
> Best
> Jan
> --
> 
> 
>> 
>> -Joan
>> 
>> ----- Original Message -----
>>> From: "Garren Smith" <garren@apache.org>
>>> To: dev@couchdb.apache.org, "Joan Touzet" <wohali@apache.org>
>>> Sent: Thursday, April 14, 2016 2:43:10 AM
>>> Subject: Re: On dependency management and CI issues associated with it
>>> 
>>> Hi Joan,
>>> 
>>> Good point. Until about a week ago we use to keep all our
>>> dependencies in
>>> our repo. But we have just switched to webpack which allows us to
>>> manage
>>> our dependencies via npm (in case you are wondering, we don't depend
>>> on
>>> leftpad directly). So some of them are in our repo but the majority
>>> are
>>> downloaded and then bundled.
>>> 
>>> 
>>> Cheers
>>> Garren
>>> 
>>> On Wed, Apr 13, 2016 at 11:29 PM, Joan Touzet <wohali@apache.org>
>>> wrote:
>>> 
>>>> Garren, correct me if I'm wrong but Fauxton depends on a large
>>>> number
>>>> of JS dependencies that we don't keep copies of, correct? Or is it
>>>> just
>>>> for the build process?
>>>> 
>>>> -Joan
>>>> 
>>>> ----- Original Message -----
>>>>> From: "Alexander Shorin" <kxepal@gmail.com>
>>>>> To: dev@couchdb.apache.org
>>>>> Sent: Wednesday, April 13, 2016 2:08:20 PM
>>>>> Subject: Re: On dependency management and CI issues associated
>>>>> with it
>>>>> 
>>>>> On Wed, Apr 13, 2016 at 8:39 PM, Robert Newson
>>>>> <rnewson@apache.org>
>>>>> wrote:
>>>>>> It's a thread derail but this notion that we're being "fairly
>>>>>> rude"
>>>>>> needs resolving. It might be lost to history now but we got
>>>>>> here,
>>>>>> I think, with the best intentions of ensuring all the code that
>>>>>> appears in couchdb can be traced back to code hosted at asf. Is
>>>>>> it
>>>>>> a concrete requirement? I honestly forget but I thought so.
>>>>> 
>>>>> Yes, that's the answer why. If one day mochiweb owner will decide
>>>>> to
>>>>> drop his github repo, we shouldn't be leave with broken builds.
>>>>> See
>>>>> leftpad story as well. Initially, that requirement seems
>>>>> redundant,
>>>>> but recent npm drama showed that it has a huge point. Also there
>>>>> are
>>>>> some legal bits about.
>>>>> 
>>>>> --
>>>>> ,,,^..^,,,
> 
> -- 
> Professional Support for Apache CouchDB:
> https://neighbourhood.ie/couchdb-support/
> 

Mime
View raw message