incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <>
Subject Re: [DISCUSS] Do we really need an incubator?
Date Tue, 08 Jul 2008 00:06:55 GMT
Dims, I have to disagree.  The releases that we allow incubating  
to make, with three +1s and a majority approval, are full Apache  
They have been officially approved by the foundation and we are 100%
responsible for their content. That's okay, because they also tend to
receive far more detailed inspection and thus are better quality and  
conforming to our policies then our pre-incubator TLPs.

There is no reason for a separate repository.  It certainly isn't  
to a podling's desire to become a TLP -- that is more than adequately
compensated by the freedom from slow IPMC approvals and ability to host
their own website without the butt-ugly egg icon and disclaimers.  A
separate repo does not help protect "users" from incubator code, since
users don't set the Maven configs that define which repos to use and
which modules are dependencies.  At best, what it does is add an
irrelevant incubator layer on top of all Maven repo requests that masks
the "normal" repo path from developers, introduces another way to inject
insecure code, and wastes our bandwidth sending 404 responses to
automated build requests.

In contrast, if real incubator releases are allowed to be placed in the
normal Maven locations, then the incubating config does not mask the
normal Maven path, there is no need to send *all* repo requests to
incubator first, the project documentation for Maven doesn't have to
be a special-case, and releases are still subject to the same quality
controls as all Apache releases.

Regardless, the user never makes a decision regarding incubator code
in the Maven repo.  The user is either going to pull the incubator
release directly and then build it using Maven with the provided pom,
or some other project is going to make a decision to add the artifact
(with incubator in its name) as a dependency.  The Maven repo path is
irrelevant to the user's decisions -- it just changes the background
bit traffic and the load on our servers.  In short, the policy is
just plain stupid (speaking as a C developer who builds a few
projects via Maven only a couple times a year).

Yes, it would be nice if Maven was more secure, properly checked
signatures, and properly delegated namespaces so that third-parties
would be unable to add artifacts within other org's trees.  None of
those issues are specific to incubator.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message