issue created: https://issues.apache.org/jira/browse/WAGON-574
Regards,

Hervé

----- Original Message -----
From: "Enrico Olivelli" <[email protected]>
To: "Maven Developers List" <[email protected]>
Cc: "Hervé BOUTEMY" <[email protected]>
Sent: Wednesday, 6 November 2019 09:53:29
Subject: Re: Apache Wagon vs maven-shade vs embedded licenses

On Wed, 6 Nov 2019 at 09:03, Vladimir Sitnikov <[email protected]> wrote:

Enrico>(I apologize, I don't want to pollute the vote thread, but this is somehow related)

I've altered the subject.

Enrico> For binary release (that actually is not part of the official VOTE)

I'm not a lawyer, but:

> http://www.apache.org/legal/release-policy.html#what
> WHAT IS A RELEASE?
> Releases are, by definition, anything that is published beyond the group that owns it

> http://www.apache.org/legal/release-policy.html#what-must-every-release-contain
> Every ASF release must comply with ASF licensing policy

release-policy.html does not make a distinction between "part of the official vote" and "not a part of the official vote". It just states "whatever is released must comply with ASF licensing policy".

Totally agree

In other words, the VOTE thread looks to me like "we are about to release Apache Maven Wagon, please check the artifacts". -shaded artifact is a part of the release (because it is "anything that is published beyond the group that owns it"), and -shaded does not comply with jsoup's license ==> I suggest that there's an "utmost importance" issue with the artifacts.

>I wonder if we could enhance the pom in the future to report machine
>readable statements like 'the artifact will include a binary copy of this
>other third party pom'

That would be nice. I'm not sure everything comes from a pom though. For instance, -shaded, -sources, -javadoc and other "classifier-based artifacts" miss their respective poms. However, they all might re-distribute different third-party dependencies.

Yes, it is not so simple as I said.

Then people do not always consume artifacts as jar/pom files. For instance, apache-maven-3.6.2-bin.zip does not have a pom file. In my opinion, the licensing conditions should be embedded into each archive if that is possible.

I think this is the only viable option nowadays

There's the spdx.org effort; however, I don't think it is ready for use.

Vladimir

Thanks

Enrico
