incubator-general mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Thu, 18 Sep 2008 01:42:00 GMT
Davanum Srinivas wrote:
> Since you are stating facts. Let's make it clear that when someone
> downloads the artifacts, there's a good chance that you will see the
> disclaimers. With maven, we don't. That's the hiccup that caused the
> policy in place right now and the bruising battle now being fought is
> caused by the fact that there is no other
> maven-pmc-blessed-and-approved-way to inform the folks who
> auto-magically pull dependencies as of this moment and there is not
> likely to be one in the future AFAICT.

We don't disagree.  For that matter, there are licenses, notices and
other critical information present in maven artifacts which are unlikely
to be noticed.  That's a failure of maven and not germane to this
discussion, although I certainly hope that maven addresses it!  But in
most cases, the disclaimer was only relevant to the individual developer
who incited the dependency and triggered a maven build to fetch that
particular artifact.  Our disclaimer is really meaningless to the end
user of that developer's combined work.

Similarly, the issue of signature validation is a significant flaw which
I also hope maven addresses even more promptly, and which they are aware
of.  The alternatives are to take down maven until it is secure, or to
continue to populate maven with various released artifacts.  And this too
isn't germane to the question above, which is:

   "Allow extra release distribution channels like the central Maven

If an incubating release is a release, with a specific DISCLAIMER (no
different than incorporating other NOTICEs or LICENSE), and a specific
release name format (apache-incubating-{podling}-{rev}), then the Maven
specific side of this argument should happen on the Maven list, and this
discussion should finally come to an end.

