Return-Path: X-Original-To: apmail-incubator-ooo-dev-archive@minotaur.apache.org Delivered-To: apmail-incubator-ooo-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4AF6B99DF for ; Fri, 13 Jan 2012 18:36:35 +0000 (UTC) Received: (qmail 43870 invoked by uid 500); 13 Jan 2012 18:36:35 -0000 Delivered-To: apmail-incubator-ooo-dev-archive@incubator.apache.org Received: (qmail 43744 invoked by uid 500); 13 Jan 2012 18:36:34 -0000 Mailing-List: contact ooo-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: ooo-dev@incubator.apache.org Delivered-To: mailing list ooo-dev@incubator.apache.org Received: (qmail 43734 invoked by uid 99); 13 Jan 2012 18:36:34 -0000 Received: from minotaur.apache.org (HELO minotaur.apache.org) (140.211.11.9) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Jan 2012 18:36:34 +0000 Received: from localhost (HELO mail-vw0-f47.google.com) (127.0.0.1) (smtp-auth username robweir, mechanism plain) by minotaur.apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Jan 2012 18:36:33 +0000 Received: by vbbfc26 with SMTP id fc26so423260vbb.6 for ; Fri, 13 Jan 2012 10:36:32 -0800 (PST) MIME-Version: 1.0 Received: by 10.52.69.51 with SMTP id b19mr1031156vdu.9.1326479792774; Fri, 13 Jan 2012 10:36:32 -0800 (PST) Received: by 10.220.5.195 with HTTP; Fri, 13 Jan 2012 10:36:32 -0800 (PST) In-Reply-To: References: <1326466786.35062.YahooMailNeo@web160902.mail.bf1.yahoo.com> <1326467323.8801.YahooMailClassic@web113520.mail.gq1.yahoo.com> <1326467553.12721.YahooMailNeo@web160906.mail.bf1.yahoo.com> <4F105583.7080302@a-w-f.de> Date: Fri, 13 Jan 2012 13:36:32 -0500 Message-ID: Subject: Re: Category-B tarballs in SVN (was Re: External libraries) From: Rob Weir To: ooo-dev@incubator.apache.org Content-Type: text/plain; charset=UTF-8 On Fri, Jan 13, 2012 at 12:50 PM, Ross Gardler wrote: > On 13 January 2012 17:38, Rob Weir wrote: > >> You are trying to argue the necessity point. > > I'm not arguing any point. I'm asking questions so that I might > understand what the sticking point is. > OK. You'll understand this better if you think of it as a configuration management question rather than a question of necessity. Consider: AOO has a dependency on component X. Never mind the license. It could be anything. We have a dependency on X, specifically version 1.0 of X. We, in the role of an integrator, write our code to integrate with X, version 1.0. We then release, it gets widely adopted. Time passes. The maintainers of X release version 1.1, with minor feature changes. Then they release version 1.2 with minor feature changes. AOO has no releases in the interim, so we're still dependent on X 1.0. Many things could go wrong at this point. For example, a critical security flaw is found in component X. The X project quickly release a new patched version, X 1.2.1 to fix the problem, and releases a package for that, source and binaries. For sake of argument say they do not patch versions 1.0 and 1.1. What do we do then? We could try to upgrade to version 1.2.1 of their component. It might be possible. We might hope it is possible. But it might not work. It could fail for any number of reasons. Time is ticking. Our users are at risk. What do we do? Well, obviously, we can apply the patch from 1.2.1 to 1.0 and fix the flaw in a way that works with our code and we get that new AOO out to users quickly. And at the same time we make available our patched 1.0 available to the X project if they will host it. If not we make it available to downstream consumers, as courtesy, but not as an Apache release. And then we make an issue in Bugzilla to investigate more thoroughly how to upgrade to 1.2.1 in the future. It is not pretty, but prettiness is not a necessity either. The whole OSS universe does not march lock step on the same release schedule. We're not working with Legos. Things don't always just fit. We need to deal with the messiness of that reality. And obviously do it within policy. It could easily be every worse than that. Suppose, hypothetically, that we could upgrade our code to X 1.2.1, that it was not impractical. But we might still have another dependency, on component Y that also has its own dependency on X 1.0 and which does not work with X 1.2.1. Being an integrator of 3rd party components, regardless of license, is complex. You can get all sorts of interactions like this. What we need to do is get away from false alternatives, that either we have no category-b code in SVN, or we are subverting ASF policy and running stealth copyleft development efforts under the noses of the IPMC. There is plenty in the middle, including the prudent archiving of source code for 3rd party dependencies **regardless of license** and using them, in full conformance with Apache release policies, in order best to serve our users and downstream consumers. None of this would be necessary if there was some master OSS source code archive that was guaranteed to be as reliable and stable and secure and independent as Apache's SVN is. If such an alternative server existed, then we'd just use that. But one does not exist. -Rob > Ross