www-repository mailing list archives

From "Henri Yandell" <flame...@gmail.com>
Subject Re: maven2 based releases for the james project and ASF policy
Date Sun, 17 Sep 2006 08:33:29 GMT
On 9/16/06, Stefano Bagnara <apache@bago.org> wrote:
> Hi all,
> I know there is an ongoing thread about ASF/maven2 repositories and
> third party library, but it seems to me that we won't have an ASF-wide
> solution in a few weeks, am I right?
> We (Apache James project) have two "new" products based on maven2 that
> are ready to be released: jSPF and Mime4J.
> Both projects depend on third party (license compatible) jars and our
> snapshots currently depend on a maven repository I set up in my
> minotaur home to be able to build the projects.
> Of course this is no good because we can't publish official releases
> including references to my home or including references to SNAPSHOT
> projects.
> One of the James PMC members is concerned (and we, the other PMC members, agree
> on his concerns) about the security issues introduced by downloading
> artifacts from ibiblio or its mirrors, so we are trying to find an
> interim solution while the ASF defines a common way.
> Here is what I've proposed:
> 1) create a "repository/third-party-m1" folder in our
> svn.apache.org/repos/asf/james repository.
> 2) commit there our current third party dependencies (BSD/CDDL/MIT/ASF)
> 3) export the content of this repository on a subfolder of our
> james.apache.org website (james.apache.org/repos/third-party-m1 could be
> a good candidate) so that we don't link directly the SVN server but a
> mirrored resource (websites are mirrored, right?)
> 4) add this "james.apache.org/repos/third-party-m1" to our main pom
> (overwriting ibiblio).
> We would still use the 2 ASF-wide maven repositories to publish our
> official release or to read ASF jars and for our snapshots needs.
> Does ASF policy allow us to do this?

Yes, provided the third party jars are ones the ASF can redistribute
(see the 3rd party legal stuff).

Infra opinions might be against the idea of putting build dependables
on a project's website. An alternative would be to have a
people.apache.org/repo/james/ repository, but that's just sneaking
into official repositories that are disliked at the moment.


I like Dims' idea of doing it within the file system for the time
being. I'm not particularly a believer in the network independence
part of it - I tend to find that I still need the network for Maven to
get a plugin I wasn't expecting to need, but it does mean that you
don't have to support the repository on your project website on an
on-going basis.

When an ASF repository exists (or one that we have strong trust in),
then you could switch to using that.
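
The pom change from step 4 of the quoted proposal, written for the file-system variant, as an added example that is not from this thread or from the James project. The directory path, the `legacy` layout (inferred from the `-m1` suffix) and the checksum policy are assumptions.

```xml
<!-- Added example: fragment for the <project> element of a Maven 2 parent pom. -->
<repositories>
  <!-- Reusing the id "central" replaces the built-in default repository
       (ibiblio at the time) instead of adding a second source next to it. -->
  <repository>
    <id>central</id>
    <name>Third-party dependencies committed to svn</name>
    <!-- Assumed path: the folder from step 1, resolved inside the checkout,
         so artifact resolution does not leave the working copy. -->
    <url>file://${basedir}/repository/third-party-m1</url>
    <!-- Assumed: Maven 1 directory layout, as the "-m1" suffix suggests. -->
    <layout>legacy</layout>
    <releases>
      <enabled>true</enabled>
      <!-- Assumed: .sha1 files are committed beside each jar, so a jar that
           does not match its recorded checksum stops the build. -->
      <checksumPolicy>fail</checksumPolicy>
    </releases>
    <!-- Releases must not resolve SNAPSHOT dependencies from here. -->
    <snapshots>
      <enabled>false</enabled>
    </snapshots>
  </repository>
</repositories>

<!-- Plugins are resolved through <pluginRepositories>, a separate list that
     the block above does not touch. With no override here, Maven still
     contacts the default central repository for any plugin that is not
     already in the local cache, so the build is only as trusted and as
     network-independent as its plugin resolution. -->
```

Switching to an ASF-hosted repository later means changing only the `<url>` and `<layout>` values, since the `central` id stays the same.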

