Posted to legal-discuss@apache.org by Christian Schneider <ch...@die-schneider.net> on 2018/08/20 14:38:17 UTC

[Discuss] Apache Nexus as allowed distribution for releases

Currently we have this release policy:
http://www.apache.org/legal/release-policy.html#release-distribution
So any release must be published to the dist directory.

I am active in projects that mainly create libraries like CXF, Camel,
Aries, Felix, Sling...
Let's take felix as an example. How do people consume the projects the
felix community creates?
I am pretty sure almost all users of felix libraries (not the framework
itself) never download releases from the dist directory or the mirrors.
Whenever I need such a library I create a maven or gradle dependency in my
project and this loads the library from maven central.

So I propose to allow projects to put a release in dist OR in Apache Nexus
(which publishes to maven central).
I think this would make the life of release managers a lot easier as
currently they have to copy to dist AND publish in Apache Nexus.
Practically all projects I work on use Apache Nexus as the staging for the
votes anyway.

Additionally this would take some of the burden from dist as there would be
a lot less files to hold and archive after a while.
If I look at the ~100 independently released jars in felix or the ~200 in
sling I think you see what I mean.

So what do you think? Does this make sense?

Christian

-- 
-- 
Christian Schneider
http://www.liquid-reality.de

Computer Scientist
http://www.adobe.com

Re: [Discuss] Apache Nexus as allowed distribution for releases

Posted by Dave Fisher <da...@comcast.net>.
Hi -

> On Aug 20, 2018, at 8:51 AM, Christian Schneider <ch...@die-schneider.net> wrote:
> 
> My proposal of course is about the sources. Only if we allow the sources and the binaries to be at maven central (or more specifically the apache nexus which publishes to maven central) then we will relieve the burden of release managers.
> If we still have to copy the source to dist then I think we do not gain anything compared to now.

If all of our releases are in dist and then copied to archives then anyone can find any release from one or two places forever with simple tools.

Someone else suggested tooling …. Perhaps shared tooling to move a release candidate to the proper locations makes sense.

BTW - there are projects releasing binary convenience to locations other than Nexus - like NPM.

Regards,
Dave

> 
> Christian
> 
> On Mon., 20 Aug. 2018 at 17:12, Bertrand Delacretaz <bdelacretaz@apache.org> wrote:
> By doing so I assume you are getting the binary artifacts, not the source code.
> 
> These are *not* Apache Releases, our releases consist of source code only.
> 
> So I don't think it's a requirement to copy those binaries under
> dist.apache.org, the only thing that must be there is the Apache
> Release, so the source code.
> 
> In other words, I think having the convenience binaries only on
> https://repository.apache.org/ should be fine.
> 
> -Bertrand
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
> 
> 
> 
> --
> --
> Christian Schneider
> http://www.liquid-reality.de
> 
> Computer Scientist
> http://www.adobe.com
> 


Re: [Discuss] Apache Nexus as allowed distribution for releases

Posted by Christian Schneider <ch...@die-schneider.net>.
My proposal of course is about the sources. Only if we allow the sources
and the binaries to be at maven central (or more specifically the apache
nexus which publishes to maven central) then we will relieve the burden of
release managers.
If we still have to copy the source to dist then I think we do not gain
anything compared to now.

Christian

On Mon., 20 Aug. 2018 at 17:12, Bertrand Delacretaz <bdelacretaz@apache.org> wrote:

> By doing so I assume you are getting the binary artifacts, not the source
> code.
>
> These are *not* Apache Releases, our releases consist of source code only.
>
> So I don't think it's a requirement to copy those binaries under
> dist.apache.org, the only thing that must be there is the Apache
> Release, so the source code.
>
> In other words, I think having the convenience binaries only on
> https://repository.apache.org/ should be fine.
>
> -Bertrand
>

-- 
-- 
Christian Schneider
http://www.liquid-reality.de

Computer Scientist
http://www.adobe.com

Re: [Discuss] Apache Nexus as allowed distribution for releases

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Christian,

On Mon, Aug 20, 2018 at 4:38 PM Christian Schneider
<ch...@die-schneider.net> wrote:
> ...How do people consume the projects the felix community creates?
> I am pretty sure almost all users of felix libraries (not the framework itself) never download releases from the dist directory or the mirrors.
> Whenever I need such a library I create a maven or gradle dependency in my project and this loads the library from maven central....

By doing so I assume you are getting the binary artifacts, not the source code.

These are *not* Apache Releases, our releases consist of source code only.

So I don't think it's a requirement to copy those binaries under
dist.apache.org, the only thing that must be there is the Apache
Release, so the source code.

In other words, I think having the convenience binaries only on
https://repository.apache.org/ should be fine.

-Bertrand



Re: [Discuss] Apache Nexus as allowed distribution for releases

Posted by Phil Steitz <ps...@apache.org>.
On 8/20/18 10:26 AM, Chris Mattmann wrote:
> Hi, all,
>
> I’ve covered this in prior threads, see:
>
> https://issues.apache.org/jira/browse/LEGAL-323
> https://s.apache.org/8eOM
>
> The distribution and release policy applies to source releases.
>
> There is nothing for the Legal committee to weigh in on here, unless
> you are proposing that we move away from putting source-releases on
> dist.apache.org, and then move to using repository.apache.org for those.
> If so, I am -1 on that issue for much of the same reasons as David below.
>
> Thanks,
>
> Chris
>
> From: David Nalley <da...@gnsa.us>
> Reply-To: "legal-discuss@apache.org" <le...@apache.org>
> Date: Monday, August 20, 2018 at 9:57 AM
> To: "legal-discuss@apache.org" <le...@apache.org>
> Subject: Re: [Discuss] Apache Nexus as allowed distribution for releases
>
>> So I propose to allow projects to put a release in dist OR in Apache Nexus
>> (which publishes to maven central).
>> I think this would make the life of release managers a lot easier as
>> currently they have to copy to dist AND publish in Apache Nexus.
>> Practically all projects I work on use Apache Nexus as the staging for the
>> votes anyway.
>
> Not a member of the legal affairs committee, and thus no real effect
> on this policy (which is set by the Legal Affairs Committee) - but
> here's my take anyway:
>
> The main advantage of requiring the use of /dist/ is that we have a
> canonical source of truth about our releases. We have archive and
> backup processes already in place for that, and downstream users
> actively monitor and mirror /dist/.
>
> Our Nexus implementation doesn't have the same SLA expectations, or
> longevity expectations. We also aren't currently setup to permit Nexus
> to be a source of truth that people mirror and audit. In fact we
> recently blocked a large user who was mirroring our Nexus
> implementation, and we have told people that Nexus is not intended to
> be public/end-user facing. Nexus is primarily a place for projects to
> send artifacts to maven central, which is a third party resource that
> we don't control. (I am not saying that pejoratively, I am just saying
> that Maven Central isn't under our control)
>
> Occasionally, we receive civil process demanding versions of our
> products (source code) and knowing that they all exist at dist.a.o or
> archives.a.o makes the process for complying much simpler.
> Additionally, we have tooling that deals with auditing/verification of
> items that show up on dist.a.o/archive.a.o (see examples like
> checker.a.o)
>
> TL;DR I'm -1 on moving away from dist.a.o at the moment.

+1 to your -1 on allowing source releases to skip /dist.  Marvin and 
David pretty much covered it.

Phil




Re: [Discuss] Apache Nexus as allowed distribution for releases

Posted by sebb <se...@gmail.com>.
On 21 August 2018 at 07:05, Romain Manni-Bucau <rm...@gmail.com> wrote:
> We also have the Downloads.java in several site generator, it is trivial to
> wrap it in a maven plugin to push to dev at deploy time and doing the copy
> to release should be automatic IMHO on close action on the repo. Concretely
> every single step about dist is wrappable in a mojo+nexus plugin so no need
> to bother release managers with that and it would be a central piece of code
> to enforce requirements (like the coming sha512) instead of doing it per
> project.

This would probably require customisation to support the various
different dist/ layouts.

Ideally there should be a companion script to rename the dist/dev/
files to dist/release when publishing.

Note that svnmucc can be used to push files directly to SVN without
needing a checkout.
It can also bundle lots of different commands in the same
all-or-nothing transaction.
Can be useful to ensure that the set of files is complete.

> Side note: I am happy to help to code that if everybody agrees this is how
> we simplify that process.
>
> On Tue., 21 Aug. 2018 at 08:01, Mark Struberg <st...@yahoo.de.invalid> wrote:
>>
>> I wrote a script which does all the copying from repository.a.o. Checks
>> the sha, etc.
>> We could probably improve this and have some meta info in a property file
>> on the main dist repo checked in?
>>
>> E.g in dist/openwebbeans we would have a file dist.coordinates which
>> contains the groupId and artifactId checked in
>>
>> Then you just have to go to the dist checkout and call
>>
>> ./getrelease.sh 2.0.7
>>
>> To download and verify the release bits from repository.a.o.
>> This works well for us as we always already include the sha1 (future
>> sha512) in our VOTE already.
>>
>> Currently I just shared this script via mailing list. But we could easily
>> improve this to make it universally usable and check it in somewhere for
>> others.
>>
>> LieGrue,
>> Strub
>>
>> On 20.08.2018 at 21:47, Christian Schneider <ch...@die-schneider.net> wrote:
>>
>> Good idea. I would be fine if we can build kind of a post or preprocess to
>> publishing a release in apache nexus.
>> We could use some heuristics to determine which of the artifacts is the
>> source release.
>>
>> From my side this would be good enough as I then only need to use maven
>> and the nexus UI to do a release.
>> The legal side should also be fine as dist remains the official place for
>> source releases.
>>
>> Christian
>>
>> On Mon., 20 Aug. 2018 at 21:21, Romain Manni-Bucau <rm...@gmail.com> wrote:
>>>
>>> Hi guys,
>>>
>>> If we have a maven plugin which pushes to dist/dev during -Prelease and a
>>> nexus plugin grabbing dist/dev and promoting it (with validation) to
>>> dist/release on repo close, would that thread exist?
>>>
>>> High level the idea would be to automate the dist management for maven
>>> based builds which are more about nexus instead of changing the overall
>>> process by itself.
>>
>>
>>
>> --
>> --
>> Christian Schneider
>> http://www.liquid-reality.de
>>
>> Computer Scientist
>> http://www.adobe.com
>>
>



Re: [Discuss] Apache Nexus as allowed distribution for releases

Posted by Romain Manni-Bucau <rm...@gmail.com>.
We also have the Downloads.java in several site generator, it is trivial to
wrap it in a maven plugin to push to dev at deploy time and doing the copy
to release should be automatic IMHO on close action on the repo. Concretely
every single step about dist is wrappable in a mojo+nexus plugin so no need
to bother release managers with that and it would be a central piece of
code to enforce requirements (like the coming sha512) instead of doing it
per project.

Side note: I am happy to help to code that if everybody agrees this is how
we simplify that process.

On Tue., 21 Aug. 2018 at 08:01, Mark Struberg <st...@yahoo.de.invalid> wrote:

> I wrote a script which does all the copying from repository.a.o. Checks
> the sha, etc.
> We could probably improve this and have some meta info in a property file
> on the main dist repo checked in?
>
> E.g in dist/openwebbeans we would have a file dist.coordinates which
> contains the groupId and artifactId checked in
>
> Then you just have to go to the dist checkout and call
>
> ./getrelease.sh 2.0.7
>
> To download and verify the release bits from repository.a.o.
> This works well for us as we always already include the sha1 (future
> sha512) in our VOTE already.
>
> Currently I just shared this script via mailing list. But we could easily
> improve this to make it universally usable and check it in somewhere for
> others.
>
> LieGrue,
> Strub
>
> On 20.08.2018 at 21:47, Christian Schneider <chris@die-schneider.net> wrote:
>
> Good idea. I would be fine if we can build kind of a post or preprocess to
> publishing a release in apache nexus.
> We could use some heuristics to determine which of the artifacts is the
> source release.
>
> From my side this would be good enough as I then only need to use maven
> and the nexus UI to do a release.
> The legal side should also be fine as dist remains the official place for
> source releases.
>
> Christian
>
> On Mon., 20 Aug. 2018 at 21:21, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>
>> Hi guys,
>>
>> If we have a maven plugin which pushes to dist/dev during -Prelease and a
>> nexus plugin grabbing dist/dev and promoting it (with validation) to
>> dist/release on repo close, would that thread exist?
>>
>> High level the idea would be to automate the dist management for maven
>> based builds which are more about nexus instead of changing the overall
>> process by itself.
>>
>
>
> --
> --
> Christian Schneider
> http://www.liquid-reality.de
>
> Computer Scientist
> http://www.adobe.com
>
>

Re: [Discuss] Apache Nexus as allowed distribution for releases

Posted by Mark Struberg <st...@yahoo.de.INVALID>.
I wrote a script which does all the copying from repository.a.o. Checks the sha, etc. 
We could probably improve this and have some meta info in a property file on the main dist repo checked in?

E.g. in dist/openwebbeans we would have a file dist.coordinates which contains the groupId and artifactId checked in

Then you just have to go to the dist checkout and call

./getrelease.sh 2.0.7

To download and verify the release bits from repository.a.o.
This works well for us as we always include the sha1 (future sha512) in our VOTE already.

Currently I just shared this script via mailing list. But we could easily improve this to make it universally usable and check it in somewhere for others.

LieGrue,
Strub

> On 20.08.2018 at 21:47, Christian Schneider <ch...@die-schneider.net> wrote:
> 
> Good idea. I would be fine if we can build kind of a post or preprocess to publishing a release in apache nexus.
> We could use some heuristics to determine which of the artifacts is the source release. 
> 
> From my side this would be good enough as I then only need to use maven and the nexus UI to do a release.
> The legal side should also be fine as dist remains the official place for source releases.
> 
> Christian
> 
>> On Mon., 20 Aug. 2018 at 21:21, Romain Manni-Bucau <rm...@gmail.com> wrote:
>> Hi guys,
>> 
>> If we have a maven plugin which pushes to dist/dev during -Prelease and a nexus plugin grabbing dist/dev and promoting it (with validation) to dist/release on repo close, would that thread exist?
>> 
>> High level the idea would be to automate the dist management for maven based builds which are more about nexus instead of changing the overall process by itself.
> 
> 
> -- 
> -- 
> Christian Schneider
> http://www.liquid-reality.de
> 
> Computer Scientist
> http://www.adobe.com
> 
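An added example of the two pieces of tooling discussed in this thread: the "download and verify the release bits from repository.a.o" step Mark describes above, and the "push files straight to SVN with svnmucc in one all-or-nothing transaction" step sebb mentions earlier on the page. This is not Mark's script and not an ASF tool. Everything the posts do not state is an assumption of this example: that dist.coordinates holds `groupId=` and `artifactId=` lines, that the source release is the `-source-release.zip` the Apache parent POM's release profile produces, that repository.apache.org follows the standard Maven repository layout, that the dist/ target is `dev/<project>/<version>/` promoted to `release/<project>/<version>/`, and all of the function names.

```shell
#!/bin/sh
# Added example (not Mark Struberg's script and not an ASF tool): fetch a
# source release from repository.apache.org, verify it against the digest
# from the VOTE mail, and push it to dist/ with svnmucc in one transaction.
# File format, URL layout, dist/ paths and function names are assumptions.
set -u

# dist.coordinates is assumed to hold "groupId=..." and "artifactId=..." lines.
# Prints "groupId artifactId"; fails if either is missing.
read_coordinates() {
    group_id=$(sed -n 's/^groupId=//p' "$1")
    artifact_id=$(sed -n 's/^artifactId=//p' "$1")
    [ -n "$group_id" ] && [ -n "$artifact_id" ] || return 1
    printf '%s %s\n' "$group_id" "$artifact_id"
}

# Maven repository layout; the -source-release.zip classifier is the one the
# Apache parent POM's release profile produces (assumed, not from the thread).
source_release_url() {
    base=${REPO_BASE:-https://repository.apache.org/content/repositories/releases}
    group_path=$(printf '%s' "$1" | tr '.' '/')
    printf '%s/%s/%s/%s/%s-%s-source-release.zip\n' \
        "$base" "$group_path" "$2" "$3" "$2" "$3"
}

# Hex SHA-512 of a file, with whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# First token of a .sha512 file: Nexus writes bare hex, sha512sum writes
# "hex  filename". Lower-cased so it compares cleanly.
digest_from_file() {
    awk 'NR==1 {print tolower($1)}' "$1"
}

# Returns 0 only if the expected digest is well-formed and matches the file.
verify_sha512() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "${#expected}" -eq 128 ] || { echo "malformed SHA-512 digest" >&2; return 1; }
    [ "$(sha512_of "$1")" = "$expected" ] && return 0
    echo "SHA-512 mismatch for $1" >&2
    return 1
}

# Download zip, .sha512 and .asc; check the zip against the .sha512 served
# beside it AND against the digest quoted in the VOTE, then the signature.
# Needs network access and the project's KEYS imported into gpg.
get_release() {
    coords=$(read_coordinates "$1") || return 1
    version=$2; vote_digest=$3
    set -- $coords
    url=$(source_release_url "$1" "$2" "$version")
    zip=$(basename "$url")
    for ext in "" .sha512 .asc; do
        curl -fsSL -o "$zip$ext" "$url$ext" || return 1
    done
    verify_sha512 "$zip" "$(digest_from_file "$zip.sha512")" || return 1
    verify_sha512 "$zip" "$vote_digest" || return 1
    gpg --verify "$zip.asc" "$zip" || return 1
    echo "verified $zip"
}

# Commit the three files into dist/dev/<project>/<version>/ without a
# checkout; svnmucc applies all actions as one all-or-nothing revision.
stage_to_dev() {
    project=$1; version=$2; zip=$3
    svnmucc -U "${DIST_URL:-https://dist.apache.org/repos/dist}" \
        -m "Stage $project $version for vote" \
        mkdir "dev/$project/$version" \
        put "$zip" "dev/$project/$version/$zip" \
        put "$zip.sha512" "dev/$project/$version/$zip.sha512" \
        put "$zip.asc" "dev/$project/$version/$zip.asc"
}

# After a passed vote, rename dev/ -> release/ in one revision, again with
# no checkout.
promote_to_release() {
    project=$1; version=$2
    svnmucc -U "${DIST_URL:-https://dist.apache.org/repos/dist}" \
        -m "Release $project $version" \
        mv "dev/$project/$version" "release/$project/$version"
}

if [ "$#" -ge 3 ]; then
    get_release "$@"
else
    echo "usage: $0 dist.coordinates VERSION SHA512_FROM_VOTE" >&2
fi
```

Invoked as `./getrelease.sh dist.coordinates 2.0.7 <sha512 from the VOTE mail>` from the dist checkout, as in Mark's description. The digest from the VOTE is checked separately from the .sha512 fetched beside the artifact on purpose: a checksum served from the same place as the zip only shows the download was not corrupted in transit, while the digest in the archived VOTE thread ties the bits in dist/ to what the PMC actually voted on. Doing the dev/ and release/ commits through svnmucc means either every file lands or none does, which is the completeness guarantee sebb points out.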

Re: [Discuss] Apache Nexus as allowed distribution for releases

Posted by Christian Schneider <ch...@die-schneider.net>.
Good idea. I would be fine if we can build kind of a post or preprocess for
publishing a release in apache nexus.
We could use some heuristics to determine which of the artifacts is the
source release.

From my side this would be good enough as I then only need to use maven and
the nexus UI to do a release.
The legal side should also be fine as dist remains the official place for
source releases.

Christian

On Mon., 20 Aug. 2018 at 21:21, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:

> Hi guys,
>
> If we have a maven plugin which pushes to dist/dev during -Prelease and a
> nexus plugin grabbing dist/dev and promoting it (with validation) to
> dist/release on repo close, would that thread exist?
>
> High level the idea would be to automate the dist management for maven
> based builds which are more about nexus instead of changing the overall
> process by itself.
>


-- 
-- 
Christian Schneider
http://www.liquid-reality.de

Computer Scientist
http://www.adobe.com

Re: [Discuss] Apache Nexus as allowed distribution for releases

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi guys,

If we have a maven plugin which pushes to dist/dev during -Prelease and a
nexus plugin grabbing dist/dev and promoting it (with validation) to
dist/release on repo close, would that thread exist?

High level the idea would be to automate the dist management for maven
based builds which are more about nexus instead of changing the overall
process by itself.

On Mon., 20 Aug. 2018 at 19:26, Chris Mattmann <ma...@apache.org> wrote:

> Hi, all,
>
> I’ve covered this in prior threads, see:
>
> https://issues.apache.org/jira/browse/LEGAL-323
> https://s.apache.org/8eOM
>
> The distribution and release policy applies to source releases.
>
> There is nothing for the Legal committee to weigh in on here, unless
> you are proposing that we move away from putting source-releases on
> dist.apache.org, and then move to using repository.apache.org for those.
> If so, I am -1 on that issue for much of the same reasons as David below.
>
> Thanks,
>
> Chris
>
> From: David Nalley <da...@gnsa.us>
> Reply-To: "legal-discuss@apache.org" <le...@apache.org>
> Date: Monday, August 20, 2018 at 9:57 AM
> To: "legal-discuss@apache.org" <le...@apache.org>
> Subject: Re: [Discuss] Apache Nexus as allowed distribution for releases
>
>> So I propose to allow projects to put a release in dist OR in Apache Nexus
>> (which publishes to maven central).
>> I think this would make the life of release managers a lot easier as
>> currently they have to copy to dist AND publish in Apache Nexus.
>> Practically all projects I work on use Apache Nexus as the staging for the
>> votes anyway.
>
> Not a member of the legal affairs committee, and thus no real effect
> on this policy (which is set by the Legal Affairs Committee) - but
> here's my take anyway:
>
> The main advantage of requiring the use of /dist/ is that we have a
> canonical source of truth about our releases. We have archive and
> backup processes already in place for that, and downstream users
> actively monitor and mirror /dist/.
>
> Our Nexus implementation doesn't have the same SLA expectations, or
> longevity expectations. We also aren't currently setup to permit Nexus
> to be a source of truth that people mirror and audit. In fact we
> recently blocked a large user who was mirroring our Nexus
> implementation, and we have told people that Nexus is not intended to
> be public/end-user facing. Nexus is primarily a place for projects to
> send artifacts to maven central, which is a third party resource that
> we don't control. (I am not saying that pejoratively, I am just saying
> that Maven Central isn't under our control)
>
> Occasionally, we receive civil process demanding versions of our
> products (source code) and knowing that they all exist at dist.a.o or
> archives.a.o makes the process for complying much simpler.
> Additionally, we have tooling that deals with auditing/verification of
> items that show up on dist.a.o/archive.a.o (see examples like
> checker.a.o)
>
> TL;DR I'm -1 on moving away from dist.a.o at the moment.

Re: [Discuss] Apache Nexus as allowed distribution for releases

Posted by Chris Mattmann <ma...@apache.org>.
Hi, all,

I’ve covered this in prior threads, see:

https://issues.apache.org/jira/browse/LEGAL-323
https://s.apache.org/8eOM

The distribution and release policy applies to source releases.

There is nothing for the Legal committee to weigh in on here, unless
you are proposing that we move away from putting source-releases on
dist.apache.org, and then move to using repository.apache.org for those.
If so, I am -1 on that issue for much of the same reasons as David below.

Thanks,

Chris

From: David Nalley <da...@gnsa.us>
Reply-To: "legal-discuss@apache.org" <le...@apache.org>
Date: Monday, August 20, 2018 at 9:57 AM
To: "legal-discuss@apache.org" <le...@apache.org>
Subject: Re: [Discuss] Apache Nexus as allowed distribution for releases

> So I propose to allow projects to put a release in dist OR in Apache Nexus
> (which publishes to maven central).
> I think this would make the life of release managers a lot easier as
> currently they have to copy to dist AND publish in Apache Nexus.
> Practically all projects I work on use Apache Nexus as the staging for the
> votes anyway.

Not a member of the legal affairs committee, and thus no real effect
on this policy (which is set by the Legal Affairs Committee) - but
here's my take anyway:

The main advantage of requiring the use of /dist/ is that we have a
canonical source of truth about our releases. We have archive and
backup processes already in place for that, and downstream users
actively monitor and mirror /dist/.

Our Nexus implementation doesn't have the same SLA expectations, or
longevity expectations. We also aren't currently setup to permit Nexus
to be a source of truth that people mirror and audit. In fact we
recently blocked a large user who was mirroring our Nexus
implementation, and we have told people that Nexus is not intended to
be public/end-user facing. Nexus is primarily a place for projects to
send artifacts to maven central, which is a third party resource that
we don't control. (I am not saying that pejoratively, I am just saying
that Maven Central isn't under our control)

Occasionally, we receive civil process demanding versions of our
products (source code) and knowing that they all exist at dist.a.o or
archives.a.o makes the process for complying much simpler.
Additionally, we have tooling that deals with auditing/verification of
items that show up on dist.a.o/archive.a.o (see examples like
checker.a.o)

TL;DR I'm -1 on moving away from dist.a.o at the moment.


Re: [Discuss] Apache Nexus as allowed distribution for releases

Posted by David Nalley <da...@gnsa.us>.
>
> So I propose to allow projects to put a release in dist OR in Apache Nexus
> (which publishes to maven central).
> I think this would make the life of release managers a lot easier as
> currently they have to copy to dist AND publish in Apache Nexus.
> Practically all projects I work on use Apache Nexus as the staging for the
> votes anyway.
>

Not a member of the legal affairs committee, and thus no real effect
on this policy (which is set by the Legal Affairs Committee) - but
here's my take anyway:

The main advantage of requiring the use of /dist/ is that we have a
canonical source of truth about our releases. We have archive and
backup processes already in place for that, and downstream users
actively monitor and mirror /dist/.

Our Nexus implementation doesn't have the same SLA expectations, or
longevity expectations. We also aren't currently setup to permit Nexus
to be a source of truth that people mirror and audit. In fact we
recently blocked a large user who was mirroring our Nexus
implementation, and we have told people that Nexus is not intended to
be public/end-user facing. Nexus is primarily a place for projects to
send artifacts to maven central, which is a third party resource that
we don't control. (I am not saying that pejoratively, I am just saying
that Maven Central isn't under our control)

Occasionally, we receive civil process demanding versions of our
products (source code) and knowing that they all exist at dist.a.o or
archives.a.o makes the process for complying much simpler.
Additionally, we have tooling that deals with auditing/verification of
items that show up on dist.a.o/archive.a.o (see examples like
checker.a.o)

TL;DR I'm -1 on moving away from dist.a.o at the moment.
