gump-general mailing list archives

From Stefano Mazzocchi <stef...@apache.org>
Subject Re: legalities of jar publishing
Date Mon, 21 Jun 2004 19:01:26 GMT
Adam R. B. Jack wrote:

>>One of the questions that haven't really been answered/resolved by the
>>board (IIRC) is whether automated snapshots are considered releases.
> 
> This is really a big deal (for me & probably others).

NOTE: board hat off.

If a nightly build is a release, then it is a svn|cvs checkout and if 
you want the PMC to approve any checkout, we clearly kill our ability to 
scale.

I agree with Leo that the problem of jar distribution is absolutely not 
technical, it's legal and security. Gump executes code downloaded from 
repositories that the ASF doesn't consider legally trustful.

Say I were the author of a weird library that some weird commons code 
depended on. It is entirely possible to write a task in a build.xml file 
that recompiles a class in Tomcat and opens a back door; it might take a 
while to notice.

Releasing executable artifacts by gump will have my permanent -1 
*FOREVER*. The way gump works is intrinsically unsafe, but this is not a 
problem if what gump is producing is "metadata" about code, not 
executable code directly.

As for making gump both a nightly build and a continuous integration 
system, I think projects should be allowed to specify their "preferred" 
checkout tag of any dependency, that would allow gump to be *way* more 
useful.

-- 
Stefano.

