polygene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Niclas Hedhman <nic...@hedhman.org>
Subject Re: NOTICE
Date Tue, 28 Apr 2015 00:04:46 GMT
Paul,
Yes, the NOTICE requirement is actually not stipulated by ASF, but by most
licenses requiring that you "pay respect" to any upstream work you use.

ASF requires that a "RELEASE" is in source code form and can be built from
the distributed tar ball. That is the intention of our
qi4j-sdk-<ver>-source.tar.gz as well, so we fulfill this requirement. This
is of course not a coincidence, after all I have been very influence by the
ASF way of doing things. And thing about it; Open SOURCE ;-)

ASF's view on binary "releases" is that of "an optional convenience
provided to users", and it is up to each community to define this. Again,
we provide the binary Qi4j SDK, ready to use, complete with the
dependencies.

The Maven artifacts is another way to distribute "convenience" and we might
have an issue there (I haven't checked recently), since upload to Maven
Central requires all dependencies to be present on Maven Central, 3rd party
repositories are not allowed to be referenced. And we have had a couple of
those in the past, most notably for org.restlet. We should check how that
is now (both in terms of Maven Central requirements, as well as if our
dependency(ies) is/are now on it), and if we can't there is a backup plan
called BinTray by JFrog, which is larger (encompasses all Maven Central +
other repositories) and probably can fill the role if Maven Central can't.
In ASF, there is also a convention on putting LICENSE and NOTICE inside the
JAR file, under the META-INF/maven/ directory, and I think the pom.xml goes
in there as well.

Now, I don't think we should bother to change the SDK content very much.
Our current release artifacts fit the ASF expectations, and the "only"
thing we need to do is to ensure that each dependency is mentioned in
respective NOTICE file.

I suggest; Please start with extensions/, and I will take care of
libraries/. The rest whoever has more time available.

For the build system, we might need to add META-INF/maven/ additions, and
we should generate a top-level NOTICE file "somehow", for instance a header
with the Qi4j component name + its NOTICE + a divider. And make it part of
the final Source and Binary SDKs

All in all, not that much work, since I have spent time on NOTICE in the
past, but missing here and there, as well as the accuracy should be checked.

Cheers
Niclas

On Mon, Apr 27, 2015 at 5:47 PM, Paul Merlin <paul@nosphere.org> wrote:

> Gang,
>
> I started to dig into ZEST-15.
>
> I'm first looking into NOTICE files.
> There are lots of other issues (headers, gradle wrapper, crypto etc...)
> but I'm handling them one at a time.
>
>
> >From what I understand at http://www.apache.org/dev/licensing-howto.html
> :
>
> - Only one NOTICE file per released distribution is mandatory
> - Only *bundled* dependencies needs to be scrutined
>
> So, if we don't bundle any dependencies in our release distributions,
> NOTICE file should remain pretty simple.
>
> I looked at releases of other Apache TLPs like Samza, DeltaSpike and a
> few others at http://dist.apache.org/ and most of the JVM based projects
> only release a source distribution there.
> Then they publish JARs to maven repositories without LICENSE/NOTICE files.
>
> I'd lean towards doing the very same. That is releasing a sources-only
> distribution (with proper LICENSE/NOTICE files) and pushing artifacts to
> repositories once the release is voted.
>
> WDYT?
>
> Cheers
>
> /Paul
>
>


-- 
Niclas Hedhman, Software Developer
http://zest.apache.org/qi4j <http://www.qi4j.org> - New Energy for Java

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message