Posted to dev@jspwiki.apache.org by Juan Pablo Santos Rodríguez <ju...@gmail.com> on 2012/08/29 20:09:48 UTC

dependencies on svn.apache.org

Hi,

(somewhat long e-mail following...)

As noted in [#1], external dependencies, aside from not being
distributed with source, also should not be downloaded from svn.apache.org;
it's an infra requirement. Two courses of action are proposed in [#1]:

1) distribute a deps package with required jars (like stanbol or subversion
are/were doing)
2) upload artifacts to Central via OSSRH [#2]

Option 2 seems to me like a more long-term solution with easier
maintenance, so I'm more inclined to it. Other thoughts?

My intention is to open 3 JIRAs, according to the 3 cases of dependencies
held at svn.apache.org:


1) Deps to be uploaded with src + javadocs to OSSRH
===================================================
These libraries aren't published on Central, so we should follow the steps
detailed at [#2].

- akismet-java-1.02.jar
    src + javadocs available at
http://sourceforge.net/projects/akismet-java/files/akismet-java/1.02/

- sandler-0.5.jar
    src + javadocs available at
http://sourceforge.net/projects/sandler/files/sandler/sandler%200.5/

- freshcookies-0.60.jar
    src + javadocs available at
http://sisyphus.ru/en/srpm/Sisyphus/freshcookies-security/get


2) Deps currently available at Central repo
===========================================
Some libraries are currently present at Central; I didn't find them on the
first run. They are easily replaceable in build.xml/.project:

- jakarta-tablibs-standard-1.1.2 with

http://search.maven.org/remotecontent?filepath=taglibs/standard/1.1.2/standard-1.1.2.jar

- jakarta-taglibs-jstl-1.1.2.jar with

http://search.maven.org/remotecontent?filepath=jstl/jstl/1.1.2/jstl-1.1.2.jar

- json-rpc-1.0.jar with

http://search.maven.org/remotecontent?filepath=com/metaparadigm/json-rpc/1.0/json-rpc-1.0.jar


3) Different versions of deps available at Central repo
=======================================================
- jrcs-diff-0.2.jar -> The closest match I was able to find is JMeld, an
LGPL app which includes the exact classes from jrcs-diff (among many
others). There's also a newer version of the library at Central, at [#3],
but it includes a package rename. Other than that, it seems fine, but this
might be the most delicate jar to upgrade.

- jasper-*-5.5.25.jar [2 files] -> downgrade to 5.5.23? We use them to
precompile JSPs, downgrading shouldn't affect us and we could use the
version from Central.

- jetty-* [3 files] -> upgrade to 7.0.0.pre5 (5.1.14 11MB zip downloadable
at [#4]). Have to locate the use of these jars to see the possible
consequences of upgrading; there are earlier versions on Central of
jetty-*, except for jetty-jmx, so it seems safer to upgrade all three jars
to 7.0.0.pre5

- selenium-*-1.0-beta-1 [2 files] -> upgrade them to 1.0-beta-2. Not very
sure if this could be done w/o changing code. If that's the case, we could
try to upgrade to 1.0.2.

Whether we ship a deps package or apply the proposed changes, once the
changes have been checked in, the RC3 tag should be recreated (again, *sigh*)
in order to cast the release vote.


br,
juan pablo

[#1] http://s.apache.org/1OP
[#2] https://docs.sonatype.org/display/Repository/Uploading+3rd-party+Artifacts+to+The+Central+Repository
[#3] http://search.maven.org/remotecontent?filepath=org/jvnet/hudson/org.suigeneris.jrcs.diff/0.4.2/org.suigeneris.jrcs.diff-0.4.2.jar
[#4] http://dist.codehaus.org/jetty/jetty-5.1.x/jetty-5.1.14.tgz