www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Loughran <ste...@apache.org>
Subject Re: Right usage of maven coordinates from Apache projects
Date Tue, 13 Aug 2013 00:00:47 GMT
On 5 August 2013 00:38, Mark Thomas <markt@apache.org> wrote:

> On 04/08/2013 23:42, Christian Mueller wrote:
> > Hello list!
> >
> > Assume Apache Foo is publishing its artifacts to Maven central with the
> > coordinates
> > org.apache.foo:foo-core:1.0.0
> >
> > Assume there is a company Bar who builds his product based on Apache
> > Foo. Do we allow Bar to publish its modified Apache Foo artifacts with
> > the name
> > org.apache.foo:foo-core:1.0.0-bar-001
> > ?
> No. org.apache.* is for the ASF only. Anyone else publishing into the
> org.apache namespace would confuse end-users about the source of the
> software.

Except the source trees we provide come with Maven pom files that
explicitly generate artifacts and the metadata, and come with staging
support that can push it to your local  Apache Archiva server

And as the formal releases of an ASF project are only the source -not those
binaries- publishing the artifacts may nominally be a duty of the people
building it, rather than the ASF.

Why would you want to do that? To get downstream projects (inc ASF ones) to
pick up your artifacts simply by changing the repo and version  numbers,
instead of going through the entire dependency tree changing artifact names.

> > Make it a difference whether the artifacts are "only" published to a
> > freely accessible Maven repository maintained by Bar (and not to Maven
> > central)?
> No.
I'd be more relaxed here and say "internal only -but do use a different
version number to to make clear it is your build, as maven gets very
unhappy if there are conflicting versions".

I think there are some bits of a public SVN repo that contain versions of
Hadoop that I built up with some minor changes, like stripping out

(pause, yes:)

these are structured in a way that ivy can work with directly. So: are they
(a) a case where  someone  published ASF artifacts that they shouldn't
have, or (b) a case where someone exercised their right to do their own
forks of ASF code, then stuck it into a public Apache Subversion repo so
that anyone downstream doing a build of that OSS project got the
dependencies that it was built against.

View raw message