Re: Apache Wagon vs maven-shade vs embedded licenses

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: Apache Wagon vs maven-shade vs embedded licenses

Hervé BOUTEMY
issue created: https://issues.apache.org/jira/browse/WAGON-574

Regards,

Hervé

----- Mail original -----
De: "Enrico Olivelli" <[hidden email]>
À: "Maven Developers List" <[hidden email]>
Cc: "Hervé BOUTEMY" <[hidden email]>
Envoyé: Mercredi 6 Novembre 2019 09:53:29
Objet: Re: Apache Wagon vs maven-shade vs embedded licenses







Il giorno mer 6 nov 2019 alle ore 09:03 Vladimir Sitnikov < [hidden email] > ha scritto:


Enrico>(I apologize, I don't want to pollute the vote thread, but this is
somehow
related)

I've altered the subject.

Enrico> For binary release (that actually is not part of the official VOTE)

I'm not a lawyer, but:

> http://www.apache.org/legal/release-policy.html#what 
> WHAT IS A RELEASE?
> Releases are, by definition, anything that is published beyond the group
that owns it

>
http://www.apache.org/legal/release-policy.html#what-must-every-release-contain 
> Every ASF release must comply with ASF licensing policy

release-policy.html does not make a distinction between "part of the
official vote" and "not a part of the official vote".
It just stays "whatever is released must comply with ASF licensing policy".





Totally agree



In other words, the VOTE thread looks to me like "we are about to release
Apache Maven Wagon, please check the artifacts".
-shaded artifact is a part of the release (because it is "anything that is
published beyond the group that owns it"),
and -shaded does not comply with jsoup's license ==> I suggest that there's
an "utmost importance" issue with the artifacts.

>I wonder if we could enhance the pom in the future to report machiene
>readable statements like 'the artifact will include a binary copy of this
>other third party pom'

That would be nice. I'm not sure everything comes from a pom though.
For instance, -shaded, -sources, -javadoc and other "classifier-based
artifacts" miss their respective poms.
However, they all might re-distribute different third-party dependencies.



Yes, it is not so simply as I said.



Then people do not always consume artifacts as jar/pom files.
For instance, apache-maven-3.6.2-bin.zip does not have a pom file.

In my opinion, the licensing conditions should be embedded into each
archive if that is possible.



I think this is the only viable option nowadays



There's spdx.org effort, however, I don't think it is ready for use.

Vladimir





Thanks


Enrico

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Apache Wagon vs maven-shade vs embedded licenses

Hervé BOUTEMY
I agree on all points, perfect match :)

Regards,

Hervé

----- Mail original -----
De: "Enrico Olivelli" <[hidden email]>
À: "Maven Developers List" <[hidden email]>
Envoyé: Jeudi 7 Novembre 2019 12:08:11
Objet: Re: Apache Wagon vs maven-shade vs embedded licenses

Il giorno gio 7 nov 2019 alle ore 10:38 <[hidden email]> ha scritto:

> sure, if you know how to fix, yes, I can drop this release and start the
> next one quickly
>
> particularly if it helps us later to improve Maven handling of the case
>
> This case of -shaded.jar published to Central [1] is really a completely
> different scenario than Maven -bin.zip/tar,gz binary distribution [2] that
> has the dependency added to the archive.
> I currently did not really get how the shaded archive case should be
> managed: do you have any strategy or fix available?
>

I have thought more about this case:

For the Binary Distribution of Maven we can simply add the LICENSE and
NOTICE in the zip files, I will handle it.

For the distribution on Maven central of shaded artifacts......really I
don't know.
Maybe we should ask to LEGAL as the problem is for every one that is using
the shade plugin and deploying to Maven Central.

I image we can't drop JSoup now, ot at least it won't be an easy task

So my final position for Wagon HTTP 3.3.3 is:
- we are releasing sources, so no problem
- we have a more general problem with shaded third party libraries, there
is no clear and clean way to address it, so stick to current way for this
version of Wagon

I will be happy to create an issue on ASF LEGAL JIRA and start the
discussion, but I would like to have some Maven PMC member supporting this
choice before doing this step.

It will be super useful to have a reference doc on ASF website and a link
to it inside the maven shade plugin website.



Enrico



>
> Regards,
>
> Hervé
>
> [1]
> http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon-http/3.3.3/
>
> [2] https://archive.apache.org/dist/maven/maven-3/3.6.2/binaries/
>
> ----- Mail original -----
> De: "Enrico Olivelli" <[hidden email]>
> À: "Maven Developers List" <[hidden email]>
> Envoyé: Mercredi 6 Novembre 2019 11:20:47
> Objet: Re: Apache Wagon vs maven-shade vs embedded licenses
>
> Hervè
> can we fix this issue before releasing this version of Wagon ?
> this way we can update Wagon in Maven Core
>
> Enrico
>
> Il giorno mer 6 nov 2019 alle ore 11:06 <[hidden email]> ha
> scritto:
>
> > issue created: https://issues.apache.org/jira/browse/WAGON-574
> >
> > Regards,
> >
> > Hervé
> >
> > ----- Mail original -----
> > De: "Enrico Olivelli" <[hidden email]>
> > À: "Maven Developers List" <[hidden email]>
> > Cc: "Hervé BOUTEMY" <[hidden email]>
> > Envoyé: Mercredi 6 Novembre 2019 09:53:29
> > Objet: Re: Apache Wagon vs maven-shade vs embedded licenses
> >
> >
> >
> >
> >
> >
> >
> > Il giorno mer 6 nov 2019 alle ore 09:03 Vladimir Sitnikov <
> > [hidden email] > ha scritto:
> >
> >
> > Enrico>(I apologize, I don't want to pollute the vote thread, but this is
> > somehow
> > related)
> >
> > I've altered the subject.
> >
> > Enrico> For binary release (that actually is not part of the official
> > VOTE)
> >
> > I'm not a lawyer, but:
> >
> > > http://www.apache.org/legal/release-policy.html#what
> > > WHAT IS A RELEASE?
> > > Releases are, by definition, anything that is published beyond the
> group
> > that owns it
> >
> > >
> >
> >
> http://www.apache.org/legal/release-policy.html#what-must-every-release-contain
> > > Every ASF release must comply with ASF licensing policy
> >
> > release-policy.html does not make a distinction between "part of the
> > official vote" and "not a part of the official vote".
> > It just stays "whatever is released must comply with ASF licensing
> > policy".
> >
> >
> >
> >
> >
> > Totally agree
> >
> >
> >
> > In other words, the VOTE thread looks to me like "we are about to release
> > Apache Maven Wagon, please check the artifacts".
> > -shaded artifact is a part of the release (because it is "anything that
> is
> > published beyond the group that owns it"),
> > and -shaded does not comply with jsoup's license ==> I suggest that
> > there's
> > an "utmost importance" issue with the artifacts.
> >
> > >I wonder if we could enhance the pom in the future to report machiene
> > >readable statements like 'the artifact will include a binary copy of
> this
> > >other third party pom'
> >
> > That would be nice. I'm not sure everything comes from a pom though.
> > For instance, -shaded, -sources, -javadoc and other "classifier-based
> > artifacts" miss their respective poms.
> > However, they all might re-distribute different third-party dependencies.
> >
> >
> >
> > Yes, it is not so simply as I said.
> >
> >
> >
> > Then people do not always consume artifacts as jar/pom files.
> > For instance, apache-maven-3.6.2-bin.zip does not have a pom file.
> >
> > In my opinion, the licensing conditions should be embedded into each
> > archive if that is possible.
> >
> >
> >
> > I think this is the only viable option nowadays
> >
> >
> >
> > There's spdx.org effort, however, I don't think it is ready for use.
> >
> > Vladimir
> >
> >
> >
> >
> >
> > Thanks
> >
> >
> > Enrico
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [hidden email]
> > For additional commands, e-mail: [hidden email]
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]