incubator-general mailing list archives

From Leo Simons <m...@leosimons.com>
Subject Re: [VOTE] Approve the release of Shindig Incubator 1.0
Date Sat, 23 May 2009 19:02:33 GMT
On May 21, 2009, at 1:03 PM, Upayavira wrote:
> I am a mentor for Shindig, but I am aware that a weakness of mine as a
> mentor is that I'm not that knowledgeable or experienced with the
> release process at Apache, and therefore have not followed this thread
> in detail, which I really should have.
>
> It seems that this release is stalled, but I am not entirely sure how,
> and want to understand this better.

Sebb has raised some valid concerns; some were addressed, some are  
left; shindig has to address those concerns, put up new artifacts, and
then ask for another vote.

> The thing that confuses me is that, as I understand it, Shindig is just
> using Maven to produce its artefacts (binary jars as a convenience to
> users). If that is the case, surely those artefacts are structured in
> the same way as other Maven based releases from other projects?

The apache-hosted maven-based projects I've checked (including maven  
itself!) only officially release source archives. As Jason pointed  
out, this is now pretty easy to do in accordance with policy, thanks  
to some plugin work David did quite a while ago.

To release binary archives that embed third-party dependencies is more  
work. The LICENSE and NOTICE file have to have details about  
dependencies, if those dependencies are in the binary distributions.  
With maven, automatic resolution of transitive dependencies is  
possible, which shindig relies on. However, there is not automatic  
resolution of licensing details, which makes crossing the legal t's  
and dotting the legal i's quite a chore.

> Is it that we have identified a new issue that actually affects  
> _all_ Maven based releases, not just Shindig?

No, not necessarily. You can use maven to produce binary releases that
have all the required legal details inside of them; it just isn't  
automatically taken care of.

> If so, how can we both unblock the Shindig release

Shindig can choose to either do the work to get the legal bits and  
pieces related to their dependencies sorted out and produce binary  
releases that follow the rules, or they can opt to do a source-only  
release.

> and also get this issue resolved in such a way as it covers all  
> Maven based projects?

To solve this issue in a way that covers all maven-based projects  
requires making sure that all required legal details and notices are  
put inside the maven repositories in a machine-processable manner, for  
all artifacts, and then modifying a maven plugin or two to aggregate  
those details automagically, and then to make use of that plugin  
everywhere. In other words, that's a few months of work at the least :-)

cheers,

- Leo

