On May 21, 2009, at 1:03 PM, Upayavira wrote:
> I am a mentor for Shindig, but I am aware of a weaknesses of mine as a
> mentor is that I'm not that knowledgeable or experienced with the
> release process at Apache, and therefore have not followed this thread
> in detail, which I really should have.
>
> It seems that this release is stalled, but I am not entirely sure how,
> and want to understand this better.
Sebb has raised some valid concerns; some were addressed, some are
left; shindig has to address those concerns, but up new artifacts, and
then ask for another vote.
> The thing that confuses me is that, as I understand it, Shindig is
> just
> using Maven to produce its artefacts (binary jars as a convenience to
> users). If that is the case, surely those artefacts are structured in
> the same way as other Maven based releases from other projects?
The apache-hosted maven-based projects I've checked (including maven
itself!) only officially release source archives. As Jason pointed
out, this is now pretty easy to do in accordance with policy, thanks
to some plugin work David did quite a while ago.
To release binary archives that embed third-party dependencies is more
work. The LICENSE and NOTICE file have to have details about
dependencies, if those dependencies are in the binary distributions.
With maven, automatic resolution of transitive dependencies is
possible, which shindig relies on. However, there is not automatic
resolution of licensing details, which makes crossing the legal t's
and dotting the legal i's quite a chore.
> Is it that we have identified a new issue that actually affects
> _all_ Maven based releases, not just Shindig?
No not necessarily. You can use maven to produce binary releases that
have all the required legal details inside of them; it just isn't
automatically taken care of.
> If so, how can we both unblock the Shindig release
Shindig can choose to either do the work to get the legal bits and
pieces related to their dependencies sorted out and produce binary
releases that follow the rules, or they can opt to do a source-only
release.
> and also get this issue resolved in such a way as it covers all
> Maven based projects?
To solve this issue in a way that covers all maven-based projects
requires making sure that all required legal details and notices are
put inside the maven repositories in a machine-processable manner, for
all artifacts, and then modifying a maven plugin or two to aggregate
those details automagically, and then to make use of that plugin
everywhere. In other words, that's a few months of work at the least :-)
cheers,
- Leo
|