incubator-general mailing list archives

From "Craig McClanahan" <>
Subject Re: Difference between Maven repository and dist directory
Date Fri, 16 Mar 2007 14:55:49 GMT
On 3/15/07, Jochen Wiedmann <> wrote:
> On 3/16/07, Craig McClanahan <> wrote:
> [...]
> > using the normal Apache distribution network to make them available,
> > and (for Maven users) not even making it visible that you're using a
> > non-official release because they didn't have to configure any
> > repository, you blur the distinction so much that it's going to get
> > totally lost.
> > If we accept this argument, then we naturally need a place where the
> > incubating "releases" can be retrieved from; hence, the m2-incubating
> > repository.  If we do not accept this argument, then AFAICT we are
> > basically making the "incubating projects cannot do releases" policy
> > inoperative.
> There's a flaw in your argumentation, though a more practical one.
> I can understand that the Apache "dist" directory is something
> reserved for certain artifacts. Fact is, the ibiblio repository (as
> opposed to the incubator repository) is not.
> The ibiblio repository is specifically designed to hold artifacts of
> all kinds, if the license permits. There are all kind of jar files of
> all kind of sources. If artifacts are in the designated incubator
> repository, then nothing prevents external users from uploading them
> to Ibiblio, which is usually done sooner or later. (If the artifacts
> are actually in use.)

In other words, the simplest way for me to hijack an Apache release is
to put a worm in it and push it to ibiblio myself?  Doesn't sound like
a very trustable scenario.

> In other words, your intention that users have "to configure any
> repository" is lost. You cannot prevent that. Or are you telling me
> that the owner of the incubator artifacts (typically the ASF) reserves
> particular distribution rights, which are limiting the ASL? All you
> achieve is that the POM files of incubator artifacts typically have a
> lesser quality, because they aren't maintained by the project owners.

Apache's current policy is that we allow incubating podlings to
publish "incubating" releases to a special Maven2 repository that we
host, which means downstream users are required to add a <repository>
setting in order to see these artifacts.  That's enough warning (in my
thoughts) that they are depending on an incubating project's output.

If the artifacts are ending up in the public repository anyway, that means:

* Some Apache folks are violating our own rules by pushing
  these artifacts into our own dist directory (which gets mirrored

* Ibiblio is accepting Apache artifacts posted by folks other
  than the originating projects, which seems like a pretty grave
  security concern.

> Jochen

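The `<repository>` setting Craig refers to is the explicit step a downstream Maven user has to take to see artifacts that are published only to the incubating repository. The fragment below is an added illustration, not code from this thread, from the ASF or from any podling: the repository id and URL are placeholders (the thread names only an "m2-incubating" repository and gives no URL), and the dependency coordinates are invented for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Repository id, URL and dependency
     coordinates are placeholders; substitute the real incubating repository
     URL your project documents. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>downstream-app</artifactId>
  <version>1.0</version>

  <!-- Without this block Maven resolves only against the central repository
       (ibiblio at the time of the thread), so an artifact that exists only in
       the incubating repository fails to resolve. Having to add it is the
       visible warning the message describes. -->
  <repositories>
    <repository>
      <id>apache-incubating</id>                          <!-- placeholder id -->
      <name>Apache Incubator Maven 2 repository</name>
      <url>https://example.org/maven2-incubating/</url>  <!-- placeholder URL -->
      <releases><enabled>true</enabled></releases>
      <snapshots><enabled>false</enabled></snapshots>    <!-- releases only -->
    </repository>
  </repositories>

  <dependencies>
    <dependency>
      <!-- invented coordinates standing in for an incubating podling release -->
      <groupId>org.example.podling</groupId>
      <artifactId>podling-core</artifactId>
      <version>1.0-incubating</version>
    </dependency>
  </dependencies>
</project>
```

Remove the `<repositories>` block and `mvn compile` fails to resolve `podling-core`; that failure is the point of the policy. Note the caveat the thread itself raises: the declaration only tells Maven where else to look, it does not establish who published what it finds there, so if the same coordinates are also uploaded to the public repository by a third party the explicit-opt-in signal is lost.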
