edgent-dev mailing list archives

From Christofer Dutz <christofer.d...@c-ware.de>
Subject Re: maven and distribution bundles with transitive deps: licensing&notice
Date Tue, 11 Jul 2017 21:07:42 GMT
I'm not demanding the assembly ... It was just the last missing part in the migration to Maven.
Most ASF projects provide such convenience binary archives, but an ASF release is the source
only anyway.

I admit that your script would do the job.

Another thing worth looking into might be the Maven wrapper, which would eliminate the need
to download Maven, as someone not wanting to use Maven would have to install Maven in order
to NOT use it afterwards ;-) ... Users using Maven wouldn't use the script.


Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Dale LaBossiere <dlaboss@apache.org>
Date: 11.07.17 21:29 (GMT+01:00)
To: dev@edgent.apache.org
Subject: maven and distribution bundles with transitive deps: licensing&notice


Can’t we eliminate releasing binary bundles containing transitive deps and in doing so
eliminate a huge amount of licensing/notice pain for us?  But still supply what users need.

As I understand it / ASF policy, the newly generated distribution bundles lack the necessary
license/notice info for transitive deps contained in the bundle.

That’s what the binary-release/LICENSE and licenses/binary-release/* was all about
(included in the gradle generated binary bundles).
Justin indicated we needed to have full copies of license/notice text not just URLs to it
(since the URL may have different text at a later date that doesn’t match that text
applicable for the contained deps).

I see the new distribution stuff also generates edgent-distribution-<ver>.jar.
Its META-INF/DEPENDENCIES has a nice listing of all the transitive deps
license info but it’s (a) just URLs to licenses, (b) lacks any notice info,
and (c) isn’t included in the generated binary release bundle.
Maybe I just don’t understand how this is supposed to work.

Not releasing a binary bundle also eliminates validation/testing of it.

My hope was that a viable / better alternative is to provide an easy way for users
themselves to get the Edgent jars and transitive external deps themselves from
maven-central (or any maven repo).

Presumably we'd just need to tell the user something like:
“This command retrieves the Edgent jars and their transitive external dependencies.
The external dependencies come with their own licensing terms that you should review.
A summary of the transitive dependencies and their licenses can be found here
<url to something like the info in the aforementioned META-INF/DEPENDENCIES
and/or binary-release/LICENSING file>.
Continue? <yes|no>”

That’s what get-edgent-jars.sh (https://paste.apache.org/p/GI0n)
was working towards.

Is this making sense / compelling / a valid and (sufficiently) user friendly approach?

To clarify for all, this tool (equivalently a binary bundle) is only needed by
Edgent users that don’t use maven/maven-repo enabled app development tools
or that don’t use those tools to generate a standalone “über jar” for their Edgent
to deploy to their edge device.

— Dale
