polygene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Niclas Hedhman <nic...@hedhman.org>
Subject Re: NOTICE
Date Tue, 28 Apr 2015 10:13:51 GMT
Why not include the wrapper? Isn't the whole point that it bootstraps
itself via the wrapper? It isn't particularly large.

KEYS & Rat --> Excellent.

// Niclas

On Tue, Apr 28, 2015 at 2:56 PM, Paul Merlin <paul@nosphere.org> wrote:

> Niclas,
>
> Thanks for your thorough answer.
>
> Our actual distributions needs refinements. For example the Gradle
> wrapper should not be included so we need to provide some 'bootstrap'
> for this, see https://github.com/apache/samza/blob/master/bootstrap.gradle
>
> If you're ok with that, I can handle that work while you put some effort
> elsewhere. I'm sure there's plenty of things to do.
>
> Moreover, I started hacking some gradle task that should enable us to
> generate the NOTICE files. It won't be as simple as it should be but it
> should work. I'll push it in a branch once I get something convincing.
>
> BTW I just pushed some commits to develop with two notable things:
> - add a KEYS file at the project's root with our GPG keys
> - add a `rat` build task that runs Apache Rat on the codebase
>
> Cheers
>
> /Paul
>
>
> Niclas Hedhman a écrit :
> > Paul,
> > Yes, the NOTICE requirement is actually not stipulated by ASF, but by
> most
> > licenses requiring that you "pay respect" to any upstream work you use.
> >
> > ASF requires that a "RELEASE" is in source code form and can be built
> from
> > the distributed tar ball. That is the intention of our
> > qi4j-sdk-<ver>-source.tar.gz as well, so we fulfill this requirement.
> This
> > is of course not a coincidence, after all I have been very influence by
> the
> > ASF way of doing things. And thing about it; Open SOURCE ;-)
> >
> > ASF's view on binary "releases" is that of "an optional convenience
> > provided to users", and it is up to each community to define this. Again,
> > we provide the binary Qi4j SDK, ready to use, complete with the
> > dependencies.
> >
> > The Maven artifacts is another way to distribute "convenience" and we
> might
> > have an issue there (I haven't checked recently), since upload to Maven
> > Central requires all dependencies to be present on Maven Central, 3rd
> party
> > repositories are not allowed to be referenced. And we have had a couple
> of
> > those in the past, most notably for org.restlet. We should check how that
> > is now (both in terms of Maven Central requirements, as well as if our
> > dependency(ies) is/are now on it), and if we can't there is a backup plan
> > called BinTray by JFrog, which is larger (encompasses all Maven Central +
> > other repositories) and probably can fill the role if Maven Central
> can't.
> > In ASF, there is also a convention on putting LICENSE and NOTICE inside
> the
> > JAR file, under the META-INF/maven/ directory, and I think the pom.xml
> goes
> > in there as well.
> >
> > Now, I don't think we should bother to change the SDK content very much.
> > Our current release artifacts fit the ASF expectations, and the "only"
> > thing we need to do is to ensure that each dependency is mentioned in
> > respective NOTICE file.
> >
> > I suggest; Please start with extensions/, and I will take care of
> > libraries/. The rest whoever has more time available.
> >
> > For the build system, we might need to add META-INF/maven/ additions, and
> > we should generate a top-level NOTICE file "somehow", for instance a
> header
> > with the Qi4j component name + its NOTICE + a divider. And make it part
> of
> > the final Source and Binary SDKs
> >
> > All in all, not that much work, since I have spent time on NOTICE in the
> > past, but missing here and there, as well as the accuracy should be
> checked.
> >
> > Cheers
> > Niclas
> >
> > On Mon, Apr 27, 2015 at 5:47 PM, Paul Merlin <paul@nosphere.org> wrote:
> >
> >> Gang,
> >>
> >> I started to dig into ZEST-15.
> >>
> >> I'm first looking into NOTICE files.
> >> There are lots of other issues (headers, gradle wrapper, crypto etc...)
> >> but I'm handling them one at a time.
> >>
> >>
> >> >From what I understand at
> http://www.apache.org/dev/licensing-howto.html
> >> :
> >>
> >> - Only one NOTICE file per released distribution is mandatory
> >> - Only *bundled* dependencies needs to be scrutined
> >>
> >> So, if we don't bundle any dependencies in our release distributions,
> >> NOTICE file should remain pretty simple.
> >>
> >> I looked at releases of other Apache TLPs like Samza, DeltaSpike and a
> >> few others at http://dist.apache.org/ and most of the JVM based
> projects
> >> only release a source distribution there.
> >> Then they publish JARs to maven repositories without LICENSE/NOTICE
> files.
> >>
> >> I'd lean towards doing the very same. That is releasing a sources-only
> >> distribution (with proper LICENSE/NOTICE files) and pushing artifacts to
> >> repositories once the release is voted.
> >>
> >> WDYT?
> >>
> >> Cheers
> >>
> >> /Paul
> >>
> >>
> >
> >
>



-- 
Niclas Hedhman, Software Developer
http://zest.apache.org/qi4j <http://www.qi4j.org> - New Energy for Java

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message