www-repository mailing list archives

From Stefano Bagnara <apa...@bago.org>
Subject Re: artifactIds and "apache-" prefix for trademark-enabled artifacts
Date Wed, 16 May 2007 14:16:09 GMT
Steve Loughran wrote:
> On 16/05/07, Jason Dillon <jason@planet57.com> wrote:
>> I'm all for protecting things... but if that means putting "apache-"
>> in-front of everything... then I'm not sure how well that is going to
>> fly with the rest of the community.
>>
> 
> Here's a problem I have with the apache- prefix.
> 
> 1. I have the right to cut my own distributions of any apache project
> 2. I have the right to publish them to any private repository, where
> that includes repositories private to the two class-A domains of my
> employers, i.e. 1/128 of the entire IPV4 address space.
> 3. but if the artifacts have apache- in the front, then surely I am
> claiming my private artifacts are in fact apache distros, when unless
> I am the release manager for an artifact, and follow the formal
> release process, that is not the case.

I think that the "apache-" prefix advice is mainly intended to prevent
this from happening.

If you make your own distribution of any apache project you should
change the groupId and the artifactId, so that no one will ever be
confused between an official apache distribution and your own
distribution (this is also a maven best practice: you should never
deploy to any repository a changed artifact without altering the
artifactId, groupId and the version, otherwise this will lead to
incompatibilities as artifacts are cached in local repositories using
this information as the "primary key").

1) As far as I understood it, the "apache-" prefix is there also because
tomorrow someone could create a "www.geronimo.com" domain and start
distributing a hacked version of geronimo using the same package names
as official geronimo artifacts and if they don't use the "Apache" brand
they are entitled to do that (I don't know anything of the specific
geronimo case, this is just an example). Using apache will let ASF
protect this.

2) Maybe this is even more valid with maven repositories. How can we make
sure that no one deploys hacked versions of apache products in
the maven repository using the same artifactId if the file name does not
include apache?
  Let's say tomorrow I submit to ibiblio an ant-javamail-1.6.6.jar in
the http://mirrors.ibiblio.org/pub/mirrors/maven2/ant/ant-javamail/ folder.
  Let's say I submit a hacked version where instead of sending mail I
send viruses around the world or I make it send a copy to some "spy"
address.


IANAL, but if I understood it correctly if they used the "apache-"
prefix ASF would have one more weapon (the trademark law) to stop
similar behavior.

> so, -1 on process grounds, and -1 because you can take branding too
> far. Should we rewrite all the ant and maven docs to tell people to
> install into ApacheAnt and ApacheMaven dirs, and rename the env
> variables APACHE_ANT_HOME and APACHE_MAVEN_HOME? I think not.

I think that this is only needed for redistributable packages.
Environment variables and folders are not involved in this "advice".

Stefano
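
Added example, not part of the original message: a small model of the "primary key" point above, showing that a rebuilt jar published under unchanged coordinates shadows the official one in a local cache, and that a pinned SHA-256 audit catches it while a changed groupId and version avoid the collision. `LocalRepo`, `audit`, the `com.example.internal` groupId and the byte strings are constructed for illustration, and the cache is a simplified model of how release artifacts are reused.

```python
import hashlib
from pathlib import PurePosixPath

def repo_path(group_id, artifact_id, version, ext="jar"):
    """Maven 2 repository layout: dots in the groupId become directories."""
    return str(PurePosixPath(*group_id.split("."), artifact_id, version,
                             f"{artifact_id}-{version}.{ext}"))

class LocalRepo:
    """Simplified model (assumption): a release artifact already cached
    under its coordinates is reused and never fetched again."""
    def __init__(self):
        self.files = {}

    def resolve(self, gav, fetch):
        key = repo_path(*gav)
        if key not in self.files:
            self.files[key] = fetch()
        return self.files[key]

def audit(repo, pins):
    """Return cached paths whose SHA-256 differs from the pinned digest."""
    return sorted(
        path for path, digest in pins.items()
        if path in repo.files
        and hashlib.sha256(repo.files[path]).hexdigest() != digest
    )

# Constructed sample data; the coordinates follow the ibiblio path in the message.
OFFICIAL = b"official ant-javamail build (constructed bytes)"
REBUILT = b"privately modified build (constructed bytes)"
GAV = ("ant", "ant-javamail", "1.6.6")
PRIVATE_GAV = ("com.example.internal", "ant-javamail", "1.6.6-internal-1")

def demo():
    pins = {repo_path(*GAV): hashlib.sha256(OFFICIAL).hexdigest()}
    # Same coordinates: whichever build is cached first is what every later
    # resolution of ant:ant-javamail:1.6.6 receives.
    repo = LocalRepo()
    repo.resolve(GAV, lambda: REBUILT)
    served = repo.resolve(GAV, lambda: OFFICIAL)
    # Changed groupId and version: both builds coexist under distinct keys.
    clean = LocalRepo()
    clean.resolve(PRIVATE_GAV, lambda: REBUILT)
    clean.resolve(GAV, lambda: OFFICIAL)
    return served == REBUILT, audit(repo, pins), audit(clean, pins)

if __name__ == "__main__":
    print(demo())
```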

