I agree on all points, perfect match :) Regards,
Hervé ----- Mail original ----- De: "Enrico Olivelli" <[email protected]> À: "Maven Developers List" <[email protected]> Envoyé: Jeudi 7 Novembre 2019 12:08:11 Objet: Re: Apache Wagon vs maven-shade vs embedded licenses Il giorno gio 7 nov 2019 alle ore 10:38 <[email protected]> ha scritto: > sure, if you know how to fix, yes, I can drop this release and start the > next one quickly > > particularly if it helps us later to improve Maven handling of the case > > This case of -shaded.jar published to Central [1] is really a completely > different scenario than Maven -bin.zip/tar,gz binary distribution [2] that > has the dependency added to the archive. > I currently did not really get how the shaded archive case should be > managed: do you have any strategy or fix available? > I have thought more about this case: For the Binary Distribution of Maven we can simply add the LICENSE and NOTICE in the zip files, I will handle it. For the distribution on Maven central of shaded artifacts......really I don't know. Maybe we should ask to LEGAL as the problem is for every one that is using the shade plugin and deploying to Maven Central. I image we can't drop JSoup now, ot at least it won't be an easy task So my final position for Wagon HTTP 3.3.3 is: - we are releasing sources, so no problem - we have a more general problem with shaded third party libraries, there is no clear and clean way to address it, so stick to current way for this version of Wagon I will be happy to create an issue on ASF LEGAL JIRA and start the discussion, but I would like to have some Maven PMC member supporting this choice before doing this step. It will be super useful to have a reference doc on ASF website and a link to it inside the maven shade plugin website. Enrico > > Regards, > > Hervé > > [1] > http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon-http/3.3.3/ > > [2] https://archive.apache.org/dist/maven/maven-3/3.6.2/binaries/ > > ----- Mail original ----- > De: "Enrico Olivelli" <[email protected]> > À: "Maven Developers List" <[email protected]> > Envoyé: Mercredi 6 Novembre 2019 11:20:47 > Objet: Re: Apache Wagon vs maven-shade vs embedded licenses > > Hervè > can we fix this issue before releasing this version of Wagon ? > this way we can update Wagon in Maven Core > > Enrico > > Il giorno mer 6 nov 2019 alle ore 11:06 <[email protected]> ha > scritto: > > > issue created: https://issues.apache.org/jira/browse/WAGON-574 > > > > Regards, > > > > Hervé > > > > ----- Mail original ----- > > De: "Enrico Olivelli" <[email protected]> > > À: "Maven Developers List" <[email protected]> > > Cc: "Hervé BOUTEMY" <[email protected]> > > Envoyé: Mercredi 6 Novembre 2019 09:53:29 > > Objet: Re: Apache Wagon vs maven-shade vs embedded licenses > > > > > > > > > > > > > > > > Il giorno mer 6 nov 2019 alle ore 09:03 Vladimir Sitnikov < > > [email protected] > ha scritto: > > > > > > Enrico>(I apologize, I don't want to pollute the vote thread, but this is > > somehow > > related) > > > > I've altered the subject. > > > > Enrico> For binary release (that actually is not part of the official > > VOTE) > > > > I'm not a lawyer, but: > > > > > http://www.apache.org/legal/release-policy.html#what > > > WHAT IS A RELEASE? > > > Releases are, by definition, anything that is published beyond the > group > > that owns it > > > > > > > > > > http://www.apache.org/legal/release-policy.html#what-must-every-release-contain > > > Every ASF release must comply with ASF licensing policy > > > > release-policy.html does not make a distinction between "part of the > > official vote" and "not a part of the official vote". > > It just stays "whatever is released must comply with ASF licensing > > policy". > > > > > > > > > > > > Totally agree > > > > > > > > In other words, the VOTE thread looks to me like "we are about to release > > Apache Maven Wagon, please check the artifacts". > > -shaded artifact is a part of the release (because it is "anything that > is > > published beyond the group that owns it"), > > and -shaded does not comply with jsoup's license ==> I suggest that > > there's > > an "utmost importance" issue with the artifacts. > > > > >I wonder if we could enhance the pom in the future to report machiene > > >readable statements like 'the artifact will include a binary copy of > this > > >other third party pom' > > > > That would be nice. I'm not sure everything comes from a pom though. > > For instance, -shaded, -sources, -javadoc and other "classifier-based > > artifacts" miss their respective poms. > > However, they all might re-distribute different third-party dependencies. > > > > > > > > Yes, it is not so simply as I said. > > > > > > > > Then people do not always consume artifacts as jar/pom files. > > For instance, apache-maven-3.6.2-bin.zip does not have a pom file. > > > > In my opinion, the licensing conditions should be embedded into each > > archive if that is possible. > > > > > > > > I think this is the only viable option nowadays > > > > > > > > There's spdx.org effort, however, I don't think it is ready for use. > > > > Vladimir > > > > > > > > > > > > Thanks > > > > > > Enrico > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
