incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeremy Haile <>
Subject Re: maven repository
Date Fri, 30 May 2008 15:23:00 GMT
So it seems that a valid question is whether or not publishing to one  
repository or another indicates an endorsement.  I don't personally  
see it that way.  Just because ASF makes a release available via a  
maven repository isn't the same thing as endorsement to me, just as  
the fact that the Apache (Incubator) name may be used in reference to  
a project or that Apache is hosting the project doesn't mean it's  
necessarily endorsing it.

I think that if a developer doesn't understand his project's  
dependencies, that's certainly a problem.  But I worry that forcing  
them to go through extra steps of adding a special repository,  
approving a special key, etc. makes it seem like the software isn't  
trustworthy and could hinder adoption.

To my mind, "incubator project" does not necessarily imply  
instability.  Where it's hosted in maven doesn't necessarily imply  
endorsement.  The fact that the project is in the incubator and the  
names include incubating is what indicates that it isn't an ASF  
endorsed project yet.


On May 30, 2008, at 11:14 AM, James Carman wrote:

> The bottom line is that incubator projects haven't (yet) gone through
> all the hoops necessary to become official ASF projects.  So, if they
> are published to the main repository, that is in a way saying that the
> ASF endorses the software.  Since it has not graduated from the
> incubator, the ASF doesn't yet endorse it.  This is the way I see it
> at least.
> On Fri, May 30, 2008 at 11:06 AM, Les Hazlewood <>  
> wrote:
>> Noel,
>> Could you please help me understand the fundamental reasons why this
>> is important to the IPMC?
>> I mean, I as an end-user could care less about if the dependency
>> artifact is in incubation or not - as long as it solves the problems
>> in the way the development team deems necessary, all I want to do is
>> just have be accessible to me immediately.  I don't care where it
>> comes from.  If it requires intervention on my part, I view that as a
>> major pain, especially if it can knowingly be avoided.  I would want
>> things to be as automatic and hands-off as possible.
>> I'm just genuinely trying to understand why the distinction is  
>> necessary.
>> Thanks for clarifying my naivety,
>> Les
>> On Fri, May 30, 2008 at 10:54 AM, Noel J. Bergman  
>> <> wrote:
>>> Robert Burrell Donkin wrote:
>>>> it has now been clearly established that we need to move the
>>>> repository. we're now just asking: where?
>>> As I said, Brett Porter's proposal, made early on in the thread,  
>>> seemed
>>> satisfactory.
>>>> asking podlings to publish through a secondary repository is both
>>>> annoying and ineffective at making it explicit to people that
>>>> they are using artifacts under incubation. this measure cuts
>>>> against the grain of maven.
>>> I really don't care what cuts across the grain of Maven.  I do  
>>> care about
>>> the established principle that people must make a deliberate  
>>> decision to use
>>> Incubator artifacts.  If Maven would finally support enforcing  
>>> signing of
>>> artifacts, as they have been asked to do for years, we could use an
>>> Incubator-specific signing key, forcing people to approve the use of
>>> Incubator artifacts, regardless of download location.
>>> Rather than relax the principle to accomodate a defective tool, if  
>>> Maven
>>> cannot solve this problem, I'd be more inclined to ban the use of  
>>> maven
>>> repositories for Incubator artifacts.  That is how strongly I feel  
>>> about the
>>> principle.
>>> By the way, there has been some talk in Infrastructure about  
>>> shutting down
>>> the ASF's repository entirely if Maven does not provide  
>>> enforcement of
>>> signed artifacts, due to security concerns.
>>> Look back over the years of debate on this issue, and I believe  
>>> that you
>>> will find I've been very consistent.  I want Incubator projects to  
>>> be able
>>> to perform releases in order to grow their (developer) community,  
>>> but we
>>> also require that people be aware of the fact that they are not  
>>> using
>>> official ASF code, as noted by the disclaimer.
>>>> an easy and effective way to ensure that users know that they are  
>>>> using
>>>> an artifact from the incubator would be to ensure that the group or
>>>> artifact ID includes this information.
>>> End users don't read the POM.  They just use it.  So that is no  
>>> solution at
>>> all.  The signing approach would be, IMO, a reasonable solution.   
>>> It would
>>> solve Les' issue -- users would simply have to agree to install the
>>> Incubator-signed artifact(s), and thereafter they'd be fine.
>>>       --- Noel
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail:
>>> For additional commands, e-mail:
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message