Re: [VOTE] Release Apache Wagon version 3.3.4


Re: [VOTE] Release Apache Wagon version 3.3.4

Tibor Digana
SHA512 OK, successful local build,
but an error in ASF builds #38 and #39 with the last two commits from
maven-release-plugin, but not in #37.
Please have a look into this:

https://builds.apache.org/job/maven-box/job/maven-wagon/job/master/39/testReport/junit/org.apache.maven.wagon.providers.http/HttpWagonErrorTest/linux_jdk13___Build_linux_jdk13___testGet500/

On Sun, Nov 3, 2019 at 9:04 PM Hervé BOUTEMY <[hidden email]> wrote:

> Hi,
>
> We solved 5 issues:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318122&version=12345956&styleName=Text
>
> There are still a couple of issues left in JIRA:
>
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20WAGON%20AND%20status%20%3D%20Open%20ORDER%20BY%20key%20DESC%2C%20priority%20DESC
>
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1535/
>
> https://repository.apache.org/content/repositories/maven-1535/org/apache/maven/wagon/wagon/3.3.4/wagon-3.3.4-source-release.zip
>
> Source release checksum(s):
> wagon-3.3.4-source-release.zip sha512:
> 1484d17bede842ed45ae3642ccb12f585489a95604fd100a4fddea05e39b0d0471a3d878c8252cc2a29fcdc4f3d2ec0dd25629842ea4443d7557e488b0f3c25f
>
> Staging site:
> https://maven.apache.org/wagon-archives/wagon-LATEST/
>
> Guide to testing staged releases:
> https://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open for at least 72 hours.
>
> [ ] +1
> [ ] +0
> [ ] -1
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

Re: [VOTE] Release Apache Wagon version 3.3.4

Vladimir Sitnikov
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1535/

-1 since
https://repository.apache.org/content/repositories/maven-1535/org/apache/maven/wagon/wagon-http/3.3.4/wagon-http-3.3.4-shaded.jar
violates licensing terms for the third-party code.
One of the violations is org.jsoup:jsoup.

I know releases may not be vetoed (
https://www.apache.org/foundation/voting.html#ReleaseVotes )
However, there's

> http://www.apache.org/legal/release-policy.html#licensing
> Every ASF release MUST comply with ASF licensing policy. This requirement
> is of utmost importance

Vladimir

Re: [VOTE] Release Apache Wagon version 3.3.4

michaelo
On 2019-11-05 at 20:10 Vladimir Sitnikov wrote:
>> Staging repo:
>> https://repository.apache.org/content/repositories/maven-1535/
>
> -1 since
> https://repository.apache.org/content/repositories/maven-1535/org/apache/maven/wagon/wagon-http/3.3.4/wagon-http-3.3.4-shaded.jar
> violates licensing terms for the third-party code.
> One of the violations is org.jsoup:jsoup.

Are you referring to his statement of the MIT license?

> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.





Re: [VOTE] Release Apache Wagon version 3.3.4

Vladimir Sitnikov
> Are you referring to his statement of the MIT license?

I am

Vladimir

Apache Wagon vs maven-shade vs embedded licenses

Vladimir Sitnikov
Enrico> (I apologize, I don't want to pollute the vote thread, but this is
somehow related)

I've altered the subject.

Enrico> For binary release (that actually is not part of the official VOTE)

I'm not a lawyer, but:

> http://www.apache.org/legal/release-policy.html#what
> WHAT IS A RELEASE?
> Releases are, by definition, anything that is published beyond the group
> that owns it

> http://www.apache.org/legal/release-policy.html#what-must-every-release-contain
> Every ASF release must comply with ASF licensing policy

release-policy.html does not make a distinction between "part of the
official vote" and "not a part of the official vote".
It just states "whatever is released must comply with ASF licensing policy".

In other words, the VOTE thread looks to me like "we are about to release
Apache Maven Wagon, please check the artifacts".
The -shaded artifact is a part of the release (because it is "anything that is
published beyond the group that owns it"),
and -shaded does not comply with jsoup's license ==> I suggest that there's
an "utmost importance" issue with the artifacts.

> I wonder if we could enhance the pom in the future to report machine
> readable statements like 'the artifact will include a binary copy of this
> other third party pom'

That would be nice. I'm not sure everything comes from a pom though.
For instance, -shaded, -sources, -javadoc and other "classifier-based
artifacts" lack their respective poms.
However, they all might re-distribute different third-party dependencies.

Then people do not always consume artifacts as jar/pom files.
For instance, apache-maven-3.6.2-bin.zip does not have a pom file.

In my opinion, the licensing conditions should be embedded into each
archive if that is possible.

There's spdx.org effort, however, I don't think it is ready for use.

Vladimir

Re: Apache Wagon vs maven-shade vs embedded licenses

Enrico Olivelli
On Wed 6 Nov 2019 at 09:03 Vladimir Sitnikov <[hidden email]> wrote:

> Enrico> (I apologize, I don't want to pollute the vote thread, but this is
> somehow related)
>
> I've altered the subject.
>
> Enrico> For binary release (that actually is not part of the official VOTE)
>
> I'm not a lawyer, but:
>
> > http://www.apache.org/legal/release-policy.html#what
> > WHAT IS A RELEASE?
> > Releases are, by definition, anything that is published beyond the group
> > that owns it
>
> > http://www.apache.org/legal/release-policy.html#what-must-every-release-contain
> > Every ASF release must comply with ASF licensing policy
>
> release-policy.html does not make a distinction between "part of the
> official vote" and "not a part of the official vote".
> It just states "whatever is released must comply with ASF licensing policy".
>


Totally agree


>
> In other words, the VOTE thread looks to me like "we are about to release
> Apache Maven Wagon, please check the artifacts".
> The -shaded artifact is a part of the release (because it is "anything that is
> published beyond the group that owns it"),
> and -shaded does not comply with jsoup's license ==> I suggest that there's
> an "utmost importance" issue with the artifacts.
>
> > I wonder if we could enhance the pom in the future to report machine
> > readable statements like 'the artifact will include a binary copy of this
> > other third party pom'
>
> That would be nice. I'm not sure everything comes from a pom though.
> For instance, -shaded, -sources, -javadoc and other "classifier-based
> artifacts" lack their respective poms.
> However, they all might re-distribute different third-party dependencies.
>

Yes, it is not as simple as I said.


>
> Then people do not always consume artifacts as jar/pom files.
> For instance, apache-maven-3.6.2-bin.zip does not have a pom file.
>
> In my opinion, the licensing conditions should be embedded into each
> archive if that is possible.
>

I think this is the only viable option nowadays


>
> There's spdx.org effort, however, I don't think it is ready for use.
>
> Vladimir
>


Thanks

Enrico

Re: Apache Wagon vs maven-shade vs embedded licenses

Enrico Olivelli
On Thu 7 Nov 2019 at 10:38 <[hidden email]> wrote:

> sure, if you know how to fix, yes, I can drop this release and start the
> next one quickly
>
> particularly if it helps us later to improve Maven handling of the case
>
> This case of -shaded.jar published to Central [1] is really a completely
> different scenario than Maven -bin.zip/tar.gz binary distribution [2] that
> has the dependency added to the archive.
> I currently did not really get how the shaded archive case should be
> managed: do you have any strategy or fix available?
>

I have thought more about this case:

For the Binary Distribution of Maven we can simply add the LICENSE and
NOTICE in the zip files, I will handle it.

For the distribution on Maven Central of shaded artifacts... really, I
don't know.
Maybe we should ask LEGAL, as the problem is for everyone that is using
the shade plugin and deploying to Maven Central.

I imagine we can't drop JSoup now, or at least it won't be an easy task.

So my final position for Wagon HTTP 3.3.3 is:
- we are releasing sources, so no problem
- we have a more general problem with shaded third-party libraries; there
is no clear and clean way to address it, so stick to the current way for this
version of Wagon

I will be happy to create an issue on ASF LEGAL JIRA and start the
discussion, but I would like to have some Maven PMC member supporting this
choice before doing this step.

It will be super useful to have a reference doc on ASF website and a link
to it inside the maven shade plugin website.



Enrico



>
> Regards,
>
> Hervé
>
> [1]
> http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon-http/3.3.3/
>
> [2] https://archive.apache.org/dist/maven/maven-3/3.6.2/binaries/
>
> ----- Original Message -----
> From: "Enrico Olivelli" <[hidden email]>
> To: "Maven Developers List" <[hidden email]>
> Sent: Wednesday 6 November 2019 11:20:47
> Subject: Re: Apache Wagon vs maven-shade vs embedded licenses
>
> Hervé,
> can we fix this issue before releasing this version of Wagon?
> This way we can update Wagon in Maven Core.
>
> Enrico
>
> On Wed 6 Nov 2019 at 11:06 <[hidden email]> wrote:
>
> > issue created: https://issues.apache.org/jira/browse/WAGON-574
> >
> > Regards,
> >
> > Hervé
> >
> > ----- Original Message -----
> > From: "Enrico Olivelli" <[hidden email]>
> > To: "Maven Developers List" <[hidden email]>
> > Cc: "Hervé BOUTEMY" <[hidden email]>
> > Sent: Wednesday 6 November 2019 09:53:29
> > Subject: Re: Apache Wagon vs maven-shade vs embedded licenses
> >
> > On Wed 6 Nov 2019 at 09:03 Vladimir Sitnikov <[hidden email]> wrote:
> >
> > Enrico> (I apologize, I don't want to pollute the vote thread, but this is
> > somehow related)
> >
> > I've altered the subject.
> >
> > Enrico> For binary release (that actually is not part of the official
> > VOTE)
> >
> > I'm not a lawyer, but:
> >
> > > http://www.apache.org/legal/release-policy.html#what
> > > WHAT IS A RELEASE?
> > > Releases are, by definition, anything that is published beyond the
> > > group that owns it
> >
> > > http://www.apache.org/legal/release-policy.html#what-must-every-release-contain
> > > Every ASF release must comply with ASF licensing policy
> >
> > release-policy.html does not make a distinction between "part of the
> > official vote" and "not a part of the official vote".
> > It just states "whatever is released must comply with ASF licensing
> > policy".
> >
> > Totally agree
> >
> > In other words, the VOTE thread looks to me like "we are about to release
> > Apache Maven Wagon, please check the artifacts".
> > The -shaded artifact is a part of the release (because it is "anything that
> > is published beyond the group that owns it"),
> > and -shaded does not comply with jsoup's license ==> I suggest that
> > there's an "utmost importance" issue with the artifacts.
> >
> > > I wonder if we could enhance the pom in the future to report machine
> > > readable statements like 'the artifact will include a binary copy of
> > > this other third party pom'
> >
> > That would be nice. I'm not sure everything comes from a pom though.
> > For instance, -shaded, -sources, -javadoc and other "classifier-based
> > artifacts" lack their respective poms.
> > However, they all might re-distribute different third-party dependencies.
> >
> > Yes, it is not as simple as I said.
> >
> > Then people do not always consume artifacts as jar/pom files.
> > For instance, apache-maven-3.6.2-bin.zip does not have a pom file.
> >
> > In my opinion, the licensing conditions should be embedded into each
> > archive if that is possible.
> >
> > I think this is the only viable option nowadays
> >
> > There's spdx.org effort, however, I don't think it is ready for use.
> >
> > Vladimir
> >
> > Thanks
> >
> > Enrico
> >

Re: Apache Wagon vs maven-shade vs embedded licenses

michaelo
On 2019-11-07 at 12:08 Enrico Olivelli wrote:

> On Thu 7 Nov 2019 at 10:38 <[hidden email]> wrote:
>
>> sure, if you know how to fix, yes, I can drop this release and start the
>> next one quickly
>>
>> particularly if it helps us later to improve Maven handling of the case
>>
>> This case of -shaded.jar published to Central [1] is really a completely
>> different scenario than Maven -bin.zip/tar.gz binary distribution [2] that
>> has the dependency added to the archive.
>> I currently did not really get how the shaded archive case should be
>> managed: do you have any strategy or fix available?
>>
>
> I have thought more about this case:
>
> For the Binary Distribution of Maven we can simply add the LICENSE and
> NOTICE in the zip files, I will handle it.
>
> For the distribution on Maven Central of shaded artifacts... really, I
> don't know.
> Maybe we should ask LEGAL, as the problem is for everyone that is using
> the shade plugin and deploying to Maven Central.
>
> I imagine we can't drop JSoup now, or at least it won't be an easy task.

Actually, we can. If you look at what JSoup is used for, it does not really
make sense to do so. It assumes that the target server is Apache HTTPd,
which need not be the case. Along with assumptions that
http://host/path and http://host/path/ are the same, which need not
necessarily be true.

Jsoup is used to satisfy/implement
org.apache.maven.wagon.Wagon.getFileList(String) on HttpWagon and
LightweightHttpWagon, but that is wrong. HTTP has no means to list a
directory, moreover there is no notion of directories in HTTP, only
resources. Parsing some HTML file is plain wrong and makes assumptions
about an unknown environment. The only HTTP target which can satisfy
this is WebDAV where a directory can be logically mapped to a collection
which will happily respond with HTTP 207 Multistatus.

If you really cannot satisfy the license, it'd be a small risk to remove
JSoup in 3.4.0.

Michael


Re: [VOTE] Release Apache Wagon version 3.3.4

Enrico Olivelli
+1 (non-binding) from me in the current form.
I have tested on Linux (Fedora 30) + jdk8 (1.8.0_222, vendor: AdoptOpenJDK)

The licensing issue can be addressed in a new release, we have ideas and we
are working on it.
In my opinion it is not good to block this release.
Wagon Http is used and distributed directly in Maven Core and we can fix
LICENSE/NOTICE files in the zip/tars of Maven Core in 3.6.3 or even 3.6.4

Enrico

On Wed 6 Nov 2019 at 07:48 Enrico Olivelli <[hidden email]> wrote:

> Thank you Vladimir.
> This problem affects Maven core binary package, as you already reported.
>
> For the source release we do not have a real problem as we did not
> copy/paste Jsoup code.
>
> For binary release (that actually is not part of the official VOTE), the
> jar we are deploying to Maven Central, I think we can only bundle the
> LICENSE file of Jsoup inside the jar, as that LICENSE file includes the NOTICE
> we are talking about.
>
> This is really some task we should document in maven shade plugin website,
> or at least mention that whoever embeds another library to handle this kind
> of problem
>
> I wonder if we could enhance the pom in the future to report machine
> readable statements like 'the artifact will include a binary copy of this
> other third party pom'
> (I apologize, I don't want to pollute the vote thread, but this is somehow
> related)
> Enrico
>
> On Wed 6 Nov 2019, 00:38 Tibor Digana <[hidden email]> wrote:
>
>> The MIT license can be included in the project
>> https://www.apache.org/legal/resolved.html
>> Are we talking about the file /META-INF/DEPENDENCIES in JAR?
>>
>> On Tue, Nov 5, 2019 at 8:10 PM Vladimir Sitnikov <
>> [hidden email]> wrote:
>>
>> > > Staging repo:
>> > > https://repository.apache.org/content/repositories/maven-1535/
>> >
>> > -1 since
>> >
>> >
>> https://repository.apache.org/content/repositories/maven-1535/org/apache/maven/wagon/wagon-http/3.3.4/wagon-http-3.3.4-shaded.jar
>> > violates licensing terms for the third-party code.
>> > One of the violations is org.jsoup:jsoup.
>> >
>> > I know releases may not be vetoed (
>> > https://www.apache.org/foundation/voting.html#ReleaseVotes )
>> > However, there's
>> >
>> > > http://www.apache.org/legal/release-policy.html#licensing
>> > > Every ASF release MUST comply with ASF licensing policy. This
>> > > requirement is of utmost importance
>> >
>> > Vladimir
>> >
>>
>
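The thread turns on two checks a release reviewer makes by hand: the SHA-512 of the source archive against the value in the vote mail, and whether a shaded jar carries licence or notice text for the third-party code it bundles (Tibor's question about /META-INF/DEPENDENCIES, Vladimir's -1 on the jsoup MIT notice). The script below is an added example, not code from the Wagon project or from any poster. It builds a small jar in memory that mimics the situation (Wagon classes plus org.jsoup classes, with and without a jsoup notice in META-INF/LICENSE), lists class packages outside the project's own package, and reports which META-INF licence/notice files mention each one. The own-package prefix, the META-INF file names it inspects and the jar contents are assumptions made for the example; they are not taken from the real wagon-http-3.3.4-shaded.jar.

```python
"""Audit a shaded jar for bundled third-party code with no licence/notice text.

Constructed example: the jar is built here in memory, it is not the real
Wagon artifact. Real project package names are used so the output reads
like a real audit.
"""
import hashlib
import io
import zipfile

# Top-level package prefix the project itself owns (assumption for this example).
OWN_PREFIXES = ("org/apache/maven/wagon/",)

# META-INF files where bundled licence / notice text is expected (assumption).
LICENSE_FILE_PREFIXES = ("META-INF/LICENSE", "META-INF/NOTICE", "META-INF/DEPENDENCIES")

CLASS_STUB = b"\xca\xfe\xba\xbe"  # class-file magic; enough for a sample entry


def build_sample_jar(with_jsoup_license: bool) -> bytes:
    """Construct a minimal shaded jar (sample data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/maven/wagon/providers/http/HttpWagon.class", CLASS_STUB)
        zf.writestr("org/jsoup/Jsoup.class", CLASS_STUB)
        zf.writestr("org/jsoup/nodes/Document.class", CLASS_STUB)
        license_text = "Apache License, Version 2.0\n"
        if with_jsoup_license:
            # Constructed MIT-style notice block; the wording a shaded jar would need to carry.
            license_text += (
                "\n--- bundled: org.jsoup:jsoup (MIT License) ---\n"
                "Copyright (c) <holder>\n"
                "The above copyright notice and this permission notice shall be "
                "included in all copies or substantial portions of the Software.\n"
            )
        zf.writestr("META-INF/LICENSE", license_text)
    return buf.getvalue()


def bundled_third_party_packages(jar_bytes: bytes, own_prefixes=OWN_PREFIXES) -> set:
    """Return package keys (first two path segments) of .class files outside the project's own packages."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class") or name.startswith(own_prefixes):
                continue
            parts = name.split("/")
            found.add("/".join(parts[:2]))  # e.g. "org/jsoup"
    return found


def license_files_mentioning(jar_bytes: bytes, term: str) -> list:
    """Return META-INF licence/notice files whose text mentions `term` (case-insensitive)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if name.startswith(LICENSE_FILE_PREFIXES):
                text = zf.read(name).decode("utf-8", errors="replace")
                if term.lower() in text.lower():
                    hits.append(name)
    return hits


def audit_jar(jar_bytes: bytes) -> dict:
    """Map each bundled third-party package to the licence files naming it; [] means no notice found."""
    report = {}
    for pkg in bundled_third_party_packages(jar_bytes):
        term = pkg.split("/")[-1]  # "org/jsoup" -> "jsoup"
        report[pkg] = license_files_mentioning(jar_bytes, term)
    return report


def sha512_matches(data: bytes, expected_hex: str) -> bool:
    """Compare a downloaded artifact against the checksum published in the vote mail."""
    return hashlib.sha512(data).hexdigest() == expected_hex.strip().lower()


if __name__ == "__main__":
    without_notice = build_sample_jar(with_jsoup_license=False)
    with_notice = build_sample_jar(with_jsoup_license=True)
    print("no jsoup notice:", audit_jar(without_notice))
    print("jsoup notice:   ", audit_jar(with_notice))
```

To audit a real staged artifact, read the file bytes and pass them to `audit_jar`; an empty list beside a package means none of the inspected META-INF files name it, which is the condition the -1 in this thread describes. Pass the downloaded source-release zip and the sha512 line from the vote mail to `sha512_matches` for the checksum step. The package-key heuristic is deliberately coarse; relocated packages (a shade plugin `relocation` prefix) would need the relocated prefix added to the scan.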