www-legal-discuss mailing list archives
From Niclas Hedhman <nic...@hedhman.org>
Subject Re: Maven Releases
Date Mon, 27 Apr 2009 06:05:21 GMT
On Mon, Apr 27, 2009 at 12:19 PM, Brett Porter <brett@apache.org> wrote:

> The only thing not in compliance with
> http://www.apache.org/dev/release.html is that it isn't under
> www.apache.org/dist (though, the Maven repository used to be and was moved
> for infrastructural reasons). While it would be possible to publish source
> tarballs there as well, I'm not seeing that there is much practical point to
> it.

Ok, let's put your theory to the test.

 1. I download the Maven tarball (tar.gz) and Signature.

 2. Check SHA1 checksum - OK.

 3. Skipping signature, as I'm right now on Mac and can't check it easily.

 4. Expand with tar; "A lone zero block at 7796". Ok, that is a bug, and
let's take the Zip instead.

 5. Download the .zip

 6. Check SHA1 - OK

 7. Unzip - OK

 8. Follow instructions in README, setting PATH and M2_HOME. (The
latter is inconsistent between the formal requirement
"maven-${version}" and the example "/usr/local/apache-maven-2.0.9").
Ok, bug.

 9. Build - Oh, yes, the execute flags are lost in zips.

10. Warnings that I don't have the local repo set. Ok, fine.

11. Now a massive amount of downloads are happening, especially from
http://repo1.maven.org (is this an Apache operated resource?), and the
artifacts fetched seem to be projects running on Codehaus. Now, I
also see that jtidy, something from Olivier Zeigermann and BeanShell
are downloaded in the process. There is no NOTICE indicating that
these are used in Maven, as required by their licenses. - Please fix.

12. The build halts with a NullPointerException. Bug - I have to abort
further analysis on legal requirement, and whether or not Maven
fulfills Apache Release policies.
Exception in thread "main" java.lang.NullPointerException
	at org.apache.maven.bootstrap.installer.BootstrapInstaller.createInstallation(BootstrapInstaller.java:254)

I still kind of contend that Maven cannot really be built from its
own sources. I also contend that the user is not very well aware of
what legal position he or she is in, AND that Maven in the cases
mentioned above is in breach of the dependent licenses.

> I understand you probably raised this because of Shindig. Their case may be
> entirely different, I didn't review much more than scanning the email
> subjects.

Kind of. I wanted to check the really complicated ones first, and only
got to Maven, since it is definitely not a simple and straightforward

>> and
>> it is impossible to create an operational Maven running in "offline"
>> mode.
> Not impossible, but much harder than it should be, because it relies on
> things that need Maven to build itself. If you install them as
> pre-requisites in the local repository you can succeed in bootstrapping from
> the Maven source distribution. If you need to build plugins from their
> sources, you would run mvn install after unpacking it.

Well, for instance; Take a plugin (I randomly chose the Mercury SCM provider).

META-INF/DEPENDENCIES - Contains the following interesting NOTICE;
"From: 'an unknown organization'
  - Unnamed - regexp:regexp:jar:1.3  regexp:regexp:jar:1.3"

And the META-INF/NOTICE does not contain the Codehaus (and the above)
reference, as it should. But never mind that for a second.

No build instructions that I can find easily. But knowing Maven, I
know how to proceed.

The build reports another 50 downloads or more. And we find for
instance QDox downloaded. Now, how do I get NOTICED that QDox is used
in Maven, and how/where do I find the license of it? I mean, it is not
from the main build, and it is not in the build of this particular

Do you see where I am going with this?

Maven's incredible level of dependency graph, and on-the-fly
downloads, obscures any and all licensing concerns downstream users
may have.

>> Has Maven been given some exemption from our legal release requirement
>> somewhere in the past?
> Let's be a little careful here - is there really a *legal* requirement to
> your request, or is it a question of internal distribution policy? I'm quite
> certain Maven releases satisfy all of Apache's legal requirements.

As shown above, I challenge that notion. I agree that it is not by
much and I am sure it is to the best of your collective abilities.

> Given that, I think it would be best broached with dev@maven.

I don't really care about Maven that much (even though I am an addict),
but that Apache projects comply with what we claim on the ASF-wide
information, such as /legal.

>> Has anyone been working with Maven to resolve this issue?
> No, patches welcome! :)
> Seriously, if there is a requirement that is missed, or as a user you have a
> need you'd like to see addressed, I'm more than happy to help over there.

Yes, I realize that. First I would like to figure out where we really
stand, and what the 'minimum requirements' for both Released Artifacts
as well as "Legal Compliance" really are. It will for instance be hard
to argue with the Incubator podlings that they must comply with a
different set of policies and procedures than TLPs.

Niclas Hedhman, Software Developer
http://www.qi4j.org - New Energy for Java

I  live here; http://tinyurl.com/2qq9er
I  work here; http://tinyurl.com/2ymelc
I relax here; http://tinyurl.com/2cgsug
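The verification the poster describes in steps 1 to 3 above (download tarball plus checksum and signature, compare the SHA-1, skip the signature) is shown below as an added example; it is not code from the thread or from the Maven project. The point it adds is the one the skipped step hides: a checksum file served from the same mirror as the artifact only proves the download was not corrupted, while authenticity comes from the detached .asc signature checked against the project's KEYS file. The file names and the KEYS path in the usage comment are placeholders; the script assumes `sha1sum` (or `shasum` on a Mac, which the poster was using) and `gpg` are on PATH.

```shell
#!/bin/sh
# Added example, not from the original thread.  Verifies an Apache-style
# release artifact: SHA-1 checksum first, then the detached OpenPGP
# signature against a throwaway keyring built from the project's KEYS file.

# Compute a SHA-1 digest portably (sha1sum on Linux, shasum on macOS).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# Apache .sha1 files are either a bare hex digest or "digest  filename".
# Returns 0 on match, 1 on mismatch or an empty/unparseable checksum file.
verify_checksum() {
  artifact=$1; sumfile=$2
  expected=$(head -n1 "$sumfile" | tr -d '\r' | cut -d' ' -f1 | tr 'A-F' 'a-f')
  actual=$(sha1_of "$artifact")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Import the KEYS file into a temporary keyring so that nothing already
# trusted on the workstation influences the result, then verify the
# detached signature.  Returns gpg's exit status (0 = good signature).
verify_signature() {
  artifact=$1; sigfile=$2; keysfile=$3
  ring=$(mktemp -d)
  gpg --homedir "$ring" --batch --quiet --import "$keysfile" 2>/dev/null \
    || { rm -rf "$ring"; return 1; }
  gpg --homedir "$ring" --batch --verify "$sigfile" "$artifact"
  rc=$?
  rm -rf "$ring"
  return $rc
}

# Usage (file names are placeholders, assumed to be in the current directory):
#   verify_checksum apache-maven-2.0.9-bin.tar.gz apache-maven-2.0.9-bin.tar.gz.sha1 \
#     && verify_signature apache-maven-2.0.9-bin.tar.gz apache-maven-2.0.9-bin.tar.gz.asc KEYS
```

A good signature from a key listed in KEYS still only tells you that someone holding that key signed the bytes; whether that key belongs to a release manager is a question of how KEYS was obtained, which is why the script reads it from a path you supply rather than fetching it from the same mirror as the artifact.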
