From: Brian Fox
To: Maven Users List
Subject: Re: Central repository, bundle-create and distribution of licenses
Date: Sat, 15 May 2010 21:00:44 -0400

On Sat, May 15, 2010 at 4:56 PM, Benson Margulies wrote:
> I think that perhaps there's an important distinction being missed
> here.
> Central doesn't vacuum up artifacts from unsuspecting authors.
> Other people put them there. If the authors of code choose to deposit
> jar files on central, then it's not central who is 'distributing' them
> -- it's the authors. In this case, it's people who download from
> central and then repackage on their own who are responsible for
> worrying about tracking down and including licenses.
>
> The tricky case here is the non-author publishers, as with the
> recently-announced mechanism. If I take a jar of OSS from its author's
> distro, and push it to central without a license file, I am probably
> violating the license. It's not clear to me that Sonatype is.
>
> Thus, what I take from this thread is that it would be a kindness for
> Sonatype to add a feature to the new publication mechanism to upload
> the actual license. It could then be added to META-INF or just
> published as an accompanying artifact, either way, and then no one
> would have anything to complain about.
>

Yes, these are good ideas. We currently require that the license be
specified in the pom but aren't validating that it is correct
automatically. The vast majority of artifacts in Central come in over
wide open rsyncs so garbage in the source repo = garbage in central.
This gaping hole is slowly being closed by requiring projects to go
through forges that have the proper validation procedures before
getting into Central.

What I meant by usually was that if someone wants to include the
license text, it's done inside the archives. Take a look at any recent
apache jar for example and you'll find LICENSE and NOTICE prominently
included. Requiring this of all artifacts is probably a good idea.

> It might be worth doing this just to avoid those voices in the wide
> world who like to write alarmist postings about Maven distribution
> (e.g. Saxon's author).
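Added example, not part of the original message and not Maven or Sonatype tooling: a presence check of the kind the thread discusses, confirming that a jar ships LICENSE and NOTICE files and that its embedded pom.xml declares a license. The sample jar is constructed in memory; the names `check_jar` and `build_sample_jar`, the `org.example` coordinates, and the reliance on an embedded `META-INF/maven/.../pom.xml` in the POM 4.0.0 namespace are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"  # assumption: namespaced POM

def build_sample_jar(with_license_files, with_pom_license):
    """Build a constructed in-memory jar for the demo (not a real artifact)."""
    lic = ("<licenses><license><name>Apache-2.0</name></license></licenses>"
           if with_pom_license else "")
    pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0">'
           "<groupId>org.example</groupId><artifactId>demo</artifactId>"
           "<version>1.0</version>" + lic + "</project>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.example/demo/pom.xml", pom)
        jar.writestr("org/example/Demo.class", b"\xca\xfe\xba\xbe")
        if with_license_files:
            jar.writestr("META-INF/LICENSE", "constructed license text")
            jar.writestr("META-INF/NOTICE", "constructed notice text")
    return buf.getvalue()

def check_jar(jar_bytes):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        # Stems of files at the archive root or directly under META-INF/,
        # so LICENSE, LICENSE.txt and META-INF/LICENSE.md all count.
        stems = {n.rsplit("/", 1)[-1].split(".")[0].upper() for n in names
                 if n.count("/") == 0
                 or (n.startswith("META-INF/") and n.count("/") == 1)}
        for wanted in ("LICENSE", "NOTICE"):
            if wanted not in stems:
                findings.append(f"no {wanted} file in archive")
        poms = [n for n in names
                if n.startswith("META-INF/maven/") and n.endswith("/pom.xml")]
        if not poms:
            findings.append("no embedded pom.xml")
        for name in poms:
            # For untrusted artifacts, use a hardened XML parser (e.g. defusedxml).
            root = ET.fromstring(jar.read(name))
            declared = root.findall(f"{POM_NS}licenses/{POM_NS}license")
            if not any((d.findtext(f"{POM_NS}name") or "").strip() for d in declared):
                findings.append(f"{name}: no <license> with a <name>")
    return findings

if __name__ == "__main__":
    for label, jar in (("complete", build_sample_jar(True, True)),
                       ("bare", build_sample_jar(False, False))):
        print(label, check_jar(jar) or "OK")
```

This only checks that license information is present; it does not establish that the declared license is the correct one for the code.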