www-repository mailing list archives

From "Trustin Lee" <trus...@gmail.com>
Subject Re: [repo] /www/people.apache.org/repo/m1-ibiblio-rsync-repository/
Date Fri, 22 Dec 2006 15:56:55 GMT
Sorry for kicking into the discussion being late. :)

On 12/13/06, Henri Yandell <flamefew@gmail.com> wrote:
>
> On 12/12/06, Steve Loughran <steve.loughran@gmail.com> wrote:
> > (replying to all as I don't yet know if dims is on repository@)
> >
> > On 12/12/06, Davanum Srinivas <davanum@gmail.com> wrote:
> > > Don't worry Carlos. Let's set up a process. Let's document what
> > > process we want everyone to conform to on our Wiki then inform infra
> > > folks. Let them look it over and then we can set a date for new
> > > releases to conform to the policy. Does that sound like a plan?
> > >
> >
> > 1. Nobody releases artifacts that aren't signed off by the relevant PMC.
>
> +1


Who can imagine a release without a release vote? :)

> That's a current rule - enforcement being the key.
>
> > 2. No artifacts get released if their explicit/implicit metadata is invalid
>
> +1


Absolutely.

> That's a current rule (?) enforcement being the key.
>
> >   -POMs have schema declaration and are valid against the schema
> >   -POMs have no unexpanded ${project.version} values
> >   -all dependencies resolve. You cannot depend on Sun stuff that
> > doesn't at least have a stub.
> >   -dependency graph is acyclic and no ambiguities (conflicting
> > artifacts at the same depth)


What would happen if we develop a compiler?  There's a chicken-and-egg
problem with developing a compiler.  Even if a project is not a compiler, a
project can have this kind of acyclic dependency.  A very careful rule on
approving releasing an artifact with an acyclic dependency though.

> >   -until we have an automated solution, all artifacts will be held in
> > staging until hand audited. That means scanning the artifact looking
> > for common-troublespots (testing artifacts non-optional, etc)
> >   -checksums exist and are correct.
> >   -MD includes license and POM author info.
> >
> > In an ideal world we'd audit the JARs and look for trouble there too.
> >  -Java1.5+ class files (warn, don't reject :)
>
> Yeah, as highly likely this could be intentional.
>
> >  -copied in class files from other JARs
> > I don't have any stats on how much of an issue this is, yet.


Does this mean that we can't provide an all-in-one artifact with all
dependencies included even if all of them are licensed under ASL?

Trustin
-- 
what we call human nature is actually human habit
--
http://gleamynode.net/
--
PGP key fingerprints:
* E167 E6AF E73A CBCE EE41  4A29 544D DE48 FE95 4E7E
* B693 628E 6047 4F8F CFA4  455E 1C62 A7DC 0255 ECA6
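
The checksum and unexpanded `${project.version}` items from the quoted checklist, as an added example that is not part of this thread or of any Apache tooling: a sketch of the automated staging audit the thread says does not exist yet. The `.md5`/`.sha1` sidecar naming, the file names and the function names are assumptions; these digests catch corruption in transit, not deliberate tampering.

```python
import hashlib
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

UNEXPANDED = re.compile(r"\$\{[^}]+\}")

def audit_checksums(artifact):
    problems, data = [], artifact.read_bytes()
    for algo in ("md5", "sha1"):  # assumed sidecar layout: <file>.md5, <file>.sha1
        sidecar = artifact.with_name(f"{artifact.name}.{algo}")
        tokens = sidecar.read_text().split() if sidecar.exists() else None
        actual = hashlib.new(algo, data, usedforsecurity=False).hexdigest()
        if tokens is None:
            problems.append(f"{artifact.name}: missing .{algo}")
        elif not tokens or tokens[0].lower() != actual:  # "digest" or "digest  name"
            problems.append(f"{artifact.name}: .{algo} mismatch")
    return problems

def audit_pom(pom):
    try:
        root = ET.parse(pom).getroot()
    except ET.ParseError as exc:
        return [f"{pom.name}: not well-formed XML ({exc})"]
    problems = []
    for elem in root.iter():  # covers project and dependency coordinates
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        text = (elem.text or "").strip()
        if tag in ("groupId", "artifactId", "version") and UNEXPANDED.search(text):
            problems.append(f"{pom.name}: unexpanded {text} in <{tag}>")
    return problems

def audit_staging(staging):
    problems = []
    for path in sorted(Path(staging).iterdir()):
        if path.suffix in (".pom", ".jar"):
            problems += audit_checksums(path)
            problems += audit_pom(path) if path.suffix == ".pom" else []
    return problems

def demo():
    # Constructed staging directory: a jar with a stale .md5 and a POM with an unexpanded version.
    with tempfile.TemporaryDirectory() as tmp:
        d, jar = Path(tmp), b"constructed jar bytes"
        (d / "demo-1.0.jar").write_bytes(jar)
        (d / "demo-1.0.jar.sha1").write_text(hashlib.sha1(jar).hexdigest())
        (d / "demo-1.0.jar.md5").write_text("0" * 32)
        (d / "demo-1.0.pom").write_text("<project><version>${project.version}</version></project>")
        return audit_staging(d)
```

An empty list from `audit_staging` means every `.jar` and `.pom` in the directory passed both checks; anything else would keep the release in staging.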
