www-repository mailing list archives

From "Steve Loughran" <steve.lough...@gmail.com>
Subject Re: [repo] /www/people.apache.org/repo/m1-ibiblio-rsync-repository/
Date Fri, 22 Dec 2006 16:12:20 GMT
On 22/12/06, Trustin Lee <trustin@gmail.com> wrote:

>
> > That's a current rule (?) enforcement being the key.
> >
> > >   -POMs have schema declaration and are valid against the schema
> > >   -POMs have no unexpanded ${project.version} values
> > >   -all dependencies resolve. You cannot depend on sun stuff that
> > > doesn't at least have a stub.
> > >   -dependency graph is acyclic and no ambiguities (conflicting
> > > artifacts at the same depth)
>
>
> What would happen if we develop a compiler?  There's a chicken and an egg
> problem with developing a compiler.  Even if a project is not a compiler, a
> project can have this kind of acyclic dependencies.  A very careful rule on
> approving releasing an artifact with an acyclic dependency though.

There already is an implicit loop in the build, as ant depends on an
XML compiler, and xerces depends on Ant.

So I wouldn't ban stuff, just look closely at the dependency chain.

>
> > >   -until we have an automated solution, all artifacts will be held in
> > > staging until hand audited. That means scanning the artifact looking
> > > for common trouble spots (testing artifacts non-optional, etc)
> > >   -checksums exist and are correct.
> > >   -MD includes license and POM author info.
> > >
> > > In an ideal world we'd audit the JARs and look for trouble there too.
> > >  -Java1.5+ class files (warn, don't reject :)
> >
> > Yeah, as highly likely this could be intentional.

Of course.

> >
> > >  -copied in class files from other JARs
> > > I don't have any stats on how much of an issue this is, yet.
>
>
> Does this mean that we can't provide an all-in-one artifact with all
> dependencies included even if all of them are licensed under ASL?

No, I just think we ought to recognise whenever the situation arises
and check that it is the right thing to do, and/or encourage the
releasers to release a copy of the artifact without all the merged-in
files. Case in point, I have my own copy of jython.jar, with the
ora-regexp files stripped out.

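Added example, not part of the original message or of any Apache tooling: a sketch of the two JAR-level checks discussed in the thread, warning on Java 1.5+ class files and recognising class files copied in from other JARs. The function names, the byte-for-byte SHA-256 comparison and the in-memory sample JARs are assumptions made for illustration.

```python
import hashlib
import io
import struct
import zipfile

JAVA_1_5_MAJOR = 49  # class-file major version written by Java 1.5 compilers


def class_entries(jar_bytes):
    """Map each .class entry to (sha256 of its bytes, class-file major version)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                data = jar.read(name)
                # Header: u4 magic 0xCAFEBABE, u2 minor, u2 major, big-endian.
                valid = len(data) >= 8 and data[:4] == b"\xca\xfe\xba\xbe"
                major = struct.unpack(">H", data[6:8])[0] if valid else None
                out[name] = (hashlib.sha256(data).hexdigest(), major)
    return out


def audit_jar(artifact, dependencies):
    """Return (warnings, copied): entries compiled for Java 1.5+, and entries
    whose bytes also appear in a dependency JAR (label -> JAR bytes)."""
    entries = class_entries(artifact)
    warnings = sorted(n for n, (_, major) in entries.items()
                      if major is not None and major >= JAVA_1_5_MAJOR)
    seen = {}  # digest -> labels of dependency JARs containing that class
    for label, dep in dependencies.items():
        for digest, _ in class_entries(dep).values():
            seen.setdefault(digest, set()).add(label)
    copied = {n: sorted(seen[d]) for n, (d, _) in entries.items() if d in seen}
    return warnings, copied


def make_jar(files):
    """Build a constructed in-memory JAR from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()


def fake_class(major, body):
    """Constructed stand-in for a class file: real header, filler body."""
    return b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, major) + body
```

Matching is on identical bytes, so a class that was recompiled or repackaged under a different name before being merged in will not be reported; the result is a prompt for the hand audit, not a verdict.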