On Tue, Jun 10, 2014 at 1:18 PM, Jakob Homan <jgho...@gmail.com> wrote:
> I'm thinking we should make an exception to this no-jar rule for the
> gradlew jar.  The Gradle project is open source [3], Apache 2 licensed [4]
> and intends for this jar to be included as part of the source of projects
> [1].  Finally, the jar itself contains only Gradle-generated classes with
> no other code fat-jarred [5].  The gradlew wrapper actually makes it easier
> for users to get and play with our code as it removes the need for any
> particular version of Gradle to be available beforehand (it also hides much
> of the complexity of the rapidly evolving gradle spec).
>
> Thoughts?

The traditional answer has been to distribute binary dependencies in a
complementary ".deps" file.  If that suffices, great.  If not, we'd have to
petition the Board -- because this isn't an Incubator policy, it's an Apache
policy.

One fundamental problem with compiled deps is that unlike source code, they
cannot be reviewed by a PMC -- so they are potential trojan horses.  Maybe
it's possible to address that specific concern by compiling an ASF whitelist
of individual jar files whose provenance can be guaranteed and whose identity
is verified via PGP prior to committing?

Marvin Humphrey
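An added illustration of the whitelist idea in the reply above (not code from this thread, from Gradle or from the ASF): a pre-commit style check that a committed gradle-wrapper.jar matches a SHA-256 allowlist and contains only the wrapper's own classes. The allowlist entries and jar contents are constructed; obtaining and PGP-verifying the published checksum that feeds the allowlist is assumed to happen out of band.

```python
import hashlib
import io
import zipfile

# Constructed allowlist: sha256 -> label. In practice each entry would come
# from a PGP-verified checksum obtained out of band, never from the jar itself.
APPROVED_WRAPPER_JARS = {
    "<placeholder-sha256-of-a-known-good-gradle-wrapper.jar>": "gradle wrapper (assumed)",
}

# A wrapper jar should only carry Gradle's wrapper classes and jar metadata;
# anything else is a sign the jar is not what it claims to be.
ALLOWED_PREFIXES = ("org/gradle/wrapper/", "META-INF/")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unexpected_entries(jar_bytes: bytes) -> list[str]:
    """Return jar entries outside the namespaces a wrapper jar should contain."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [name for name in zf.namelist()
                if not name.startswith(ALLOWED_PREFIXES) and not name.endswith("/")]


def check_wrapper_jar(jar_bytes: bytes, allowlist: dict) -> tuple[bool, str]:
    """Accept the jar only if its hash is allowlisted AND its contents look like a wrapper."""
    digest = sha256_of(jar_bytes)
    if digest not in allowlist:
        return False, f"sha256 {digest} is not on the allowlist"
    extra = unexpected_entries(jar_bytes)
    if extra:
        return False, "unexpected entries: " + ", ".join(extra)
    return True, allowlist[digest]


def build_jar(entries: dict) -> bytes:
    """Construct a small deterministic jar in memory (fixed timestamps) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(2014, 6, 10, 13, 18, 0))
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()
```

Both checks matter: a hash match alone would also accept a tampered jar that someone managed to get onto the allowlist, while the content check alone would accept any rebuilt wrapper.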

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org