Date: Fri, 22 Dec 2006 16:12:20 +0000
From: "Steve Loughran"
To: repository@apache.org
Subject: Re: [repo] /www/people.apache.org/repo/m1-ibiblio-rsync-repository/

On 22/12/06, Trustin Lee wrote:
>
> > That's a current rule (?) enforcement being the key.
> >
> > > -POMs have schema declaration and are valid against the schema
> > > -POMs have no unexpanded ${project.version} values
> > > -all dependencies resolve. You cannot depend on sun stuff that
> > >  doesn't at least have a stub.
> > > -dependency graph is acyclic and no ambiguities (conflicting
> > >  artifacts at the same depth)
> >
> What would happen if we develop a compiler? There's a chicken and an egg
> problem with developing a compiler. Even if a project is not a compiler, a
> project can have this kind of acyclic dependencies. A very careful rule on
> approving releasing an artifact with an acyclic dependency though.

There already is an implicit loop in the build, as Ant depends on an XML
compiler, and xerces depends on Ant. So I wouldn't ban stuff, just look
closely at the dependency chain.

> > > -until we have an automated solution, all artifacts will be held in
> > >  staging until hand audited. That means scanning the artifact looking
> > >  for common-troublespots (testing artifacts non-optional, etc)
> > > -checksums exist and are correct.
> > > -MD includes license and POM author info.
> > >
> > > In an ideal world we'd audit the JARs and look for trouble there too.
> > > -Java1.5+ class files (warn, don't reject :)
> >
> > Yeah, as highly likely this could be intentional. of course
> >
> > > -copied in class files from other JARs
> > > I don't have any stats on how much of an issue this is, yet.
> >
> Does this mean that we can't provide an all-in-one artifact with all
> dependencies included even if all of them are licensed under ASL?

No, I just think we ought to recognise whenever the situation arises and
check that it is the right thing to do, and/or encourage the releasers to
release a copy of the artifact without all the merged-in files. Case in
point, I have my own copy of jython.jar, with the ora-regexp files stripped
out.
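
The two JAR checks from the quoted list (Java 1.5+ class files, class files copied in from other JARs), sketched as an added example that is not part of the original message or of any Apache tooling. The function names, JAR names and sample classes are constructed for illustration, and matching is by byte-identical SHA-256, so recompiled or rewritten copies are not detected.

```python
import hashlib
import io
import zipfile

MAGIC = b"\xca\xfe\xba\xbe"   # first four bytes of every Java class file
JAVA5_MAJOR = 49              # class-file major version written by Java 1.5

def make_jar(entries):
    """Build an in-memory JAR (a ZIP archive) from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def fake_class(major, body):
    """Constructed stand-in for a class file: real header, arbitrary body."""
    return MAGIC + b"\x00\x00" + major.to_bytes(2, "big") + body

def class_digests(jar_bytes):
    """Map each .class entry to (SHA-256 hex digest, major version or None)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                data = zf.read(name)
                # Header layout: u4 magic, u2 minor, u2 major (big-endian).
                ok = len(data) >= 8 and data[:4] == MAGIC
                major = int.from_bytes(data[6:8], "big") if ok else None
                out[name] = (hashlib.sha256(data).hexdigest(), major)
    return out

def audit_jar(candidate, known):
    """Warnings for a staged JAR; `known` maps published JAR name to bytes."""
    index = {digest: jar for jar, blob in known.items()
             for digest, _ in class_digests(blob).values()}
    warnings = []
    for entry, (digest, major) in sorted(class_digests(candidate).items()):
        if major is not None and major >= JAVA5_MAJOR:
            warnings.append(("java1.5+", entry, major))   # warn, not reject
        if digest in index:
            warnings.append(("copied-class", entry, index[digest]))
    return warnings

# Constructed sample data: JAR names, packages and class bodies are made up.
REGEXP = fake_class(48, b"regexp")
KNOWN = {"regexp-lib.jar": make_jar({"org/example/re/RE.class": REGEXP})}
STAGED = make_jar({"org/example/app/Main.class": fake_class(49, b"main"),
                   "org/example/re/RE.class": REGEXP})  # RE merged in
```

Calling `audit_jar(STAGED, KNOWN)` returns one version warning and one copied-class finding, which a reviewer would then check against the releaser's intent rather than reject outright.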