Re: Apache Wagon vs maven-shade vs embedded licenses

Enrico Olivelli
Hervé,
can we fix this issue before releasing this version of Wagon?
This way we can update Wagon in Maven Core.

Enrico

On Wed, 6 Nov 2019 at 11:06, <[hidden email]> wrote:

> issue created: https://issues.apache.org/jira/browse/WAGON-574
>
> Regards,
>
> Hervé
>
> ----- Original message -----
> From: "Enrico Olivelli" <[hidden email]>
> To: "Maven Developers List" <[hidden email]>
> Cc: "Hervé BOUTEMY" <[hidden email]>
> Sent: Wednesday, 6 November 2019 09:53:29
> Subject: Re: Apache Wagon vs maven-shade vs embedded licenses
>
> On Wed, 6 Nov 2019 at 09:03, Vladimir Sitnikov <[hidden email]> wrote:
>
> Enrico>(I apologize, I don't want to pollute the vote thread, but this is somehow related)
>
> I've altered the subject.
>
> Enrico> For binary release (that actually is not part of the official VOTE)
>
> I'm not a lawyer, but:
>
> > http://www.apache.org/legal/release-policy.html#what
> > WHAT IS A RELEASE?
> > Releases are, by definition, anything that is published beyond the group that owns it
>
> > http://www.apache.org/legal/release-policy.html#what-must-every-release-contain
> > Every ASF release must comply with ASF licensing policy
>
> release-policy.html does not make a distinction between "part of the
> official vote" and "not a part of the official vote".
> It just says "whatever is released must comply with ASF licensing policy".
>
> Totally agree
>
> In other words, the VOTE thread looks to me like "we are about to release
> Apache Maven Wagon, please check the artifacts".
> -shaded artifact is a part of the release (because it is "anything that is
> published beyond the group that owns it"),
> and -shaded does not comply with jsoup's license ==> I suggest that there's
> an "utmost importance" issue with the artifacts.
>
> >I wonder if we could enhance the pom in the future to report machine
> >readable statements like 'the artifact will include a binary copy of this
> >other third party pom'
>
> That would be nice. I'm not sure everything comes from a pom though.
> For instance, -shaded, -sources, -javadoc and other "classifier-based
> artifacts" miss their respective poms.
> However, they all might re-distribute different third-party dependencies.
>
> Yes, it is not so simple as I said.
>
> Then people do not always consume artifacts as jar/pom files.
> For instance, apache-maven-3.6.2-bin.zip does not have a pom file.
>
> In my opinion, the licensing conditions should be embedded into each
> archive if that is possible.
>
> I think this is the only viable option nowadays
>
> There's spdx.org effort, however, I don't think it is ready for use.
>
> Vladimir
>
> Thanks
>
> Enrico