Hervè can we fix this issue before releasing this version of Wagon ? this way we can update Wagon in Maven Core
Enrico Il giorno mer 6 nov 2019 alle ore 11:06 <[email protected]> ha scritto: > issue created: https://issues.apache.org/jira/browse/WAGON-574 > > Regards, > > Hervé > > ----- Mail original ----- > De: "Enrico Olivelli" <[email protected]> > À: "Maven Developers List" <[email protected]> > Cc: "Hervé BOUTEMY" <[email protected]> > Envoyé: Mercredi 6 Novembre 2019 09:53:29 > Objet: Re: Apache Wagon vs maven-shade vs embedded licenses > > > > > > > > Il giorno mer 6 nov 2019 alle ore 09:03 Vladimir Sitnikov < > [email protected] > ha scritto: > > > Enrico>(I apologize, I don't want to pollute the vote thread, but this is > somehow > related) > > I've altered the subject. > > Enrico> For binary release (that actually is not part of the official > VOTE) > > I'm not a lawyer, but: > > > http://www.apache.org/legal/release-policy.html#what > > WHAT IS A RELEASE? > > Releases are, by definition, anything that is published beyond the group > that owns it > > > > > http://www.apache.org/legal/release-policy.html#what-must-every-release-contain > > Every ASF release must comply with ASF licensing policy > > release-policy.html does not make a distinction between "part of the > official vote" and "not a part of the official vote". > It just stays "whatever is released must comply with ASF licensing > policy". > > > > > > Totally agree > > > > In other words, the VOTE thread looks to me like "we are about to release > Apache Maven Wagon, please check the artifacts". > -shaded artifact is a part of the release (because it is "anything that is > published beyond the group that owns it"), > and -shaded does not comply with jsoup's license ==> I suggest that > there's > an "utmost importance" issue with the artifacts. > > >I wonder if we could enhance the pom in the future to report machiene > >readable statements like 'the artifact will include a binary copy of this > >other third party pom' > > That would be nice. I'm not sure everything comes from a pom though. > For instance, -shaded, -sources, -javadoc and other "classifier-based > artifacts" miss their respective poms. > However, they all might re-distribute different third-party dependencies. > > > > Yes, it is not so simply as I said. > > > > Then people do not always consume artifacts as jar/pom files. > For instance, apache-maven-3.6.2-bin.zip does not have a pom file. > > In my opinion, the licensing conditions should be embedded into each > archive if that is possible. > > > > I think this is the only viable option nowadays > > > > There's spdx.org effort, however, I don't think it is ready for use. > > Vladimir > > > > > > Thanks > > > Enrico > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
