You are viewing a plain text version of this content. The canonical link for it is here.
Posted to general@incubator.apache.org by Niklas Gustavsson <ni...@protocol7.com> on 2008/09/15 11:54:06 UTC
Depending on incubating project
Hi
Within Apache FtpServer, a subproject of MINA, we would like to
investigate the use of JSecurity to replace our current home-brewed
security solution. Now, JSecurity is still in incubation. Would this
pose a formal problem? I believe I fully understand the risks
involved, I'm more in search for guidance on Apache policies on this
matter.
In this case, we could depend on the last non-Apache release (0.9)
while JSecurity works its way through incubation. But, I think it
would be beneficial for both projects for us to use the upcoming
Apache released versions.
/niklas
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Emmanuel Lécharny <el...@apache.org>.
Niklas Gustavsson wrote:
> On Wed, Sep 17, 2008 at 7:11 AM, Henning Schmiedehausen
> <he...@apache.org> wrote:
>
>> Branch and experiment. FtpServer does not need to be one-dimensional.
>> You will probably not release this code to an unsuspecting public
>> anyway, will you? ;-)
>>
>
> I wouldn't know about unsuspecting :-) Yes, I would like to include
> this code in the FtpServer releases. Of course we due warning in
> place, like the incubation disclaimer.
>
It might be better to used directly a JSecurit release. As they already
have released a 0.9 version outside of Apache, maybe helping them to get
a first release inside Apache would help. Branching may be a problem as
the code base will evolve in both projects, making it difficult to merge
later. (IMHO)
--
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Wed, Sep 17, 2008 at 7:11 AM, Henning Schmiedehausen
<he...@apache.org> wrote:
> Branch and experiment. FtpServer does not need to be one-dimensional.
> You will probably not release this code to an unsuspecting public
> anyway, will you? ;-)
I wouldn't know about unsuspecting :-) Yes, I would like to include
this code in the FtpServer releases. Of course we due warning in
place, like the incubation disclaimer.
/niklas
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Henning Schmiedehausen <he...@apache.org>.
Branch and experiment. FtpServer does not need to be one-dimensional.
You will probably not release this code to an unsuspecting public
anyway, will you? ;-)
Ciao
Henning
On Mon, 2008-09-15 at 11:54 +0200, Niklas Gustavsson wrote:
> Hi
>
> Within Apache FtpServer, a subproject of MINA, we would like to
> investigate the use of JSecurity to replace our current home-brewed
> security solution. Now, JSecurity is still in incubation. Would this
> pose a formal problem? I believe I fully understand the risks
> involved, I'm more in search for guidance on Apache policies on this
> matter.
>
> In this case, we could depend on the last non-Apache release (0.9)
> while JSecurity works its way through incubation. But, I think it
> would be beneficial for both projects for us to use the upcoming
> Apache released versions.
>
> /niklas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Mon, Sep 15, 2008 at 3:20 PM, Emmanuel Lecharny <el...@gmail.com> wrote:
> The thing is that it can be a fairly long process...
Agreed, and it will add a risk for FtpServer if JSecurity would have
trouble releasing, for example due to IP problems.
> But if FtpServer
> committers can give an hand to the JSecurity team to fulfill the release
> constrainsts, this can be a good thing for this project, accelerating it's
> incubation process, for sure.
Agreed.
/niklas
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Les Hazlewood <lh...@apache.org>.
> The thing is that it can be a fairly long process... But if FtpServer
> committers can give an hand to the JSecurity team to fulfill the release
> constrainsts, this can be a good thing for this project, accelerating it's
> incubation process, for sure.
This would be great! We'll accommodate however we can.
- Les
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Emmanuel Lecharny <el...@gmail.com>.
Niklas Gustavsson wrote:
> On Mon, Sep 15, 2008 at 2:57 PM, Emmanuel Lecharny <el...@gmail.com> wrote:
>
>> - legal, as while incubating, AFAIK, JSecurity can't release, when FtpServer
>> can : how does it fit ?
>>
>
> I believe incubating projects can now release as long as releases are
> clearly marked as incubating. And, if I understand things correctly,
> they are formal Apache releases as they have been voted by the IPMC.
>
Yeah, as described by the following page :
http://incubator.apache.org/guides/releasemanagement.html (my first post
was rather inexact, in that respect)
The thing is that it can be a fairly long process... But if FtpServer
committers can give an hand to the JSecurity team to fulfill the release
constrainsts, this can be a good thing for this project, accelerating
it's incubation process, for sure.
--
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Mon, Sep 15, 2008 at 2:57 PM, Emmanuel Lecharny <el...@gmail.com> wrote:
> - legal, as while incubating, AFAIK, JSecurity can't release, when FtpServer
> can : how does it fit ?
I believe incubating projects can now release as long as releases are
clearly marked as incubating. And, if I understand things correctly,
they are formal Apache releases as they have been voted by the IPMC.
/niklas
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Tue, Sep 16, 2008 at 9:10 AM, Bertrand Delacretaz
<bd...@apache.org> wrote:
> On Mon, Sep 15, 2008 at 11:28 PM, Kevan Miller <ke...@gmail.com> wrote:
>
>> ...Geronimo has released with multiple Incubator project dependencies in the
>> past (CXF, Yoko, ActiveMQ). Happily, they've all graduated :) In this
>> regard, not that Geronimo can take much credit, I think usage of Incubator
>> projects is a good thing. It brings additional Apache eyes onto the
>> project...
>
> Very good point - if ASF folks do not promote incubating projects, who will?
Agreed, this is the reason why I would like FtpServer to use the
releases made in incubation rather than use the non-Apache releases.
> As long as the appropriate disclaimers are in place, and as long as
> the project is ready to go to plan B if needed, I'm fine with
> depending on incubating projects.
Plan B in our case would be what Niclas described above, using
JSecurity as a complement to our current implementation. That way,
should JSecurity go feet up we can always go back to our own stuff
again.
Thanks all for your very valuable input!
/niklas
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Bertrand Delacretaz <bd...@apache.org>.
On Mon, Sep 15, 2008 at 11:28 PM, Kevan Miller <ke...@gmail.com> wrote:
> ...Geronimo has released with multiple Incubator project dependencies in the
> past (CXF, Yoko, ActiveMQ). Happily, they've all graduated :) In this
> regard, not that Geronimo can take much credit, I think usage of Incubator
> projects is a good thing. It brings additional Apache eyes onto the
> project...
Very good point - if ASF folks do not promote incubating projects, who will?
As long as the appropriate disclaimers are in place, and as long as
the project is ready to go to plan B if needed, I'm fine with
depending on incubating projects.
-Bertrand
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Davanum Srinivas <da...@gmail.com>.
Kevan,
Need to bring up that Yoko failed, but Geronimo PMC took care of the
code to provide continuity.
thanks,
dims
On Mon, Sep 15, 2008 at 5:28 PM, Kevan Miller <ke...@gmail.com> wrote:
>
> On Sep 15, 2008, at 10:03 AM, Noel J. Bergman wrote:
>
>> Emmanuel Lecharny wrote:
>>
>>> - legal, as while incubating, AFAIK, JSecurity can't release,
>>> when FtpServer can : how does it fit ?
>>
>> Not a legal issue, unless there is a legal issue blocking JSecurity
>> releases. MINA should first work with JSecurity to make sure that all
>> issues are resolved, first, e.g., any IP issues. Once done, the actual
>> bottom line is that if the MINA project wants to release JSecurity as an
>> *internal* dependency, that is the MINA project's "problem" to support.
>
> Geronimo has released with multiple Incubator project dependencies in the
> past (CXF, Yoko, ActiveMQ). Happily, they've all graduated :) In this
> regard, not that Geronimo can take much credit, I think usage of Incubator
> projects is a good thing. It brings additional Apache eyes onto the
> project...
>
> FYI, we included their Incubator "Disclaimer" in our source/artifacts -- not
> that it was really necessary, but seemed appropriate.
>
> --kevan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>
--
Davanum Srinivas :: http://davanum.wordpress.com
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Kevan Miller <ke...@gmail.com>.
On Sep 15, 2008, at 10:03 AM, Noel J. Bergman wrote:
> Emmanuel Lecharny wrote:
>
>> - legal, as while incubating, AFAIK, JSecurity can't release,
>> when FtpServer can : how does it fit ?
>
> Not a legal issue, unless there is a legal issue blocking JSecurity
> releases. MINA should first work with JSecurity to make sure that all
> issues are resolved, first, e.g., any IP issues. Once done, the
> actual
> bottom line is that if the MINA project wants to release JSecurity
> as an
> *internal* dependency, that is the MINA project's "problem" to
> support.
Geronimo has released with multiple Incubator project dependencies in
the past (CXF, Yoko, ActiveMQ). Happily, they've all graduated :) In
this regard, not that Geronimo can take much credit, I think usage of
Incubator projects is a good thing. It brings additional Apache eyes
onto the project...
FYI, we included their Incubator "Disclaimer" in our source/artifacts
-- not that it was really necessary, but seemed appropriate.
--kevan
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Mon, Sep 15, 2008 at 4:39 PM, Emmanuel Lecharny <el...@gmail.com> wrote:
> Niklas Gustavsson wrote:
>> They can be kept in a Maven repo, not just central. Thus, should we
>> want to take the route of using JSecurity we would have to add the
>> incubating repo in our POM.
>>
>
> Which maven repo do you have in mind ?
That would be http://people.apache.org/repo/m2-incubating-repository/
unless the ongoing vote changes things.
/niklas
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Emmanuel Lecharny <el...@gmail.com>.
Niklas Gustavsson wrote:
> On Mon, Sep 15, 2008 at 4:19 PM, Emmanuel Lecharny <el...@gmail.com> wrote:
>
>> Yes. As we haven't stated if we can store incubated projects jars into
>> maven, I guess that means we will have to store the JSecurity jar within
>> Mina SVN repo.
>>
>
> They can be kept in a Maven repo, not just central. Thus, should we
> want to take the route of using JSecurity we would have to add the
> incubating repo in our POM.
>
Which maven repo do you have in mind ?
--
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Gilles Scokart <gs...@gmail.com>.
2008/9/16 Upayavira <uv...@odoko.co.uk>:
>
> As has been said in this thread already, so long as all IP concerns have
> been addressed and thus the podling is able to make releases, it is up
> to the PMC to decide whether to use an incubator artifact. If the
> podling should fail, the PMC then has the responsibility for supporting
> that artifact to its consumers. If the PMC is okay with that, then go
> ahead, use it like any normal resource.
>
> Upayavira
>
>
You make here the asumption that if the project fail in the incubation, it die.
It is 'theoriticaly' not always the case. The project may very well
continue outside apache, may be (probably) with the same community.
--
Gilles Scokart
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Upayavira <uv...@odoko.co.uk>.
On Mon, 2008-09-15 at 23:07 +0300, Jukka Zitting wrote:
> Hi,
>
> On Mon, Sep 15, 2008 at 5:24 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
> > They can be kept in a Maven repo, not just central. Thus, should we
> > want to take the route of using JSecurity we would have to add the
> > incubating repo in our POM.
>
> As far as I correctly understand the concerns about the central Maven
> repository, the point is to avoid incubating dependencies to be
> downloaded automatically without some explicit user action.
>
> So instead of adding the incubating repository in your POM, you should
> instruct your users (or downstream developers) to manually add the
> repository to their local Maven settings.
>
> I believe the same applies also to non-Maven projects where for
> example the dependencies are kept in a lib directory in svn. In such
> cases the user should be instructed to manually download the
> incubating dependency and place it in the correct location.
As has been said in this thread already, so long as all IP concerns have
been addressed and thus the podling is able to make releases, it is up
to the PMC to decide whether to use an incubator artifact. If the
podling should fail, the PMC then has the responsibility for supporting
that artifact to its consumers. If the PMC is okay with that, then go
ahead, use it like any normal resource.
Upayavira
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Jukka Zitting <ju...@gmail.com>.
Hi,
On Mon, Sep 15, 2008 at 5:24 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
> They can be kept in a Maven repo, not just central. Thus, should we
> want to take the route of using JSecurity we would have to add the
> incubating repo in our POM.
As far as I correctly understand the concerns about the central Maven
repository, the point is to avoid incubating dependencies to be
downloaded automatically without some explicit user action.
So instead of adding the incubating repository in your POM, you should
instruct your users (or downstream developers) to manually add the
repository to their local Maven settings.
I believe the same applies also to non-Maven projects where for
example the dependencies are kept in a lib directory in svn. In such
cases the user should be instructed to manually download the
incubating dependency and place it in the correct location.
BR,
Jukka Zitting
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Mon, Sep 15, 2008 at 4:19 PM, Emmanuel Lecharny <el...@gmail.com> wrote:
> Yes. As we haven't stated if we can store incubated projects jars into
> maven, I guess that means we will have to store the JSecurity jar within
> Mina SVN repo.
They can be kept in a Maven repo, not just central. Thus, should we
want to take the route of using JSecurity we would have to add the
incubating repo in our POM.
/niklas
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Emmanuel Lecharny <el...@gmail.com>.
Noel J. Bergman wrote:
> Emmanuel Lecharny wrote:
>
>
>> - legal, as while incubating, AFAIK, JSecurity can't release,
>> when FtpServer can : how does it fit ?
>>
>
> Not a legal issue, unless there is a legal issue blocking JSecurity
> releases.
> MINA should first work with JSecurity to make sure that all
> issues are resolved, first, e.g., any IP issues. Once done, the actual
> bottom line is that if the MINA project wants to release JSecurity as an
> *internal* dependency, that is the MINA project's "problem" to support.
>
Yes. As we haven't stated if we can store incubated projects jars into
maven, I guess that means we will have to store the JSecurity jar within
Mina SVN repo.
Thanks for the clarification, Noel.
--
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
RE: Depending on incubating project
Posted by "Noel J. Bergman" <no...@devtech.com>.
Emmanuel Lecharny wrote:
> - legal, as while incubating, AFAIK, JSecurity can't release,
> when FtpServer can : how does it fit ?
Not a legal issue, unless there is a legal issue blocking JSecurity
releases. MINA should first work with JSecurity to make sure that all
issues are resolved, first, e.g., any IP issues. Once done, the actual
bottom line is that if the MINA project wants to release JSecurity as an
*internal* dependency, that is the MINA project's "problem" to support.
--- Noel
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Emmanuel Lecharny <el...@gmail.com>.
Niclas Hedhman wrote:
> On Mon, Sep 15, 2008 at 5:54 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
>
>> Hi
>>
>> Within Apache FtpServer, a subproject of MINA, we would like to
>> investigate the use of JSecurity to replace our current home-brewed
>> security solution. Now, JSecurity is still in incubation. Would this
>> pose a formal problem?
>>
>
> If you can "complement" instead of "replace", then I think you have an
> ideal situation.
>
There are many aspects :
- legal, as while incubating, AFAIK, JSecurity can't release, when
FtpServer can : how does it fit ?
- to cover case #1, you can still use the external JSecurity version, as
an external jar (but what about the IP problems ?)
- cross-improvements : as mentioned by Niclas, if FtpServer can
complement Jsecurity, and vice-versa, that would be interesting for both
projects.
I don't know about #1, but I think this is the main concern, so far.
Anyone has a strong opinion on this point ?
--
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Mon, Sep 15, 2008 at 2:51 PM, Niclas Hedhman <ni...@hedhman.org> wrote:
> On Mon, Sep 15, 2008 at 5:54 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
>> Within Apache FtpServer, a subproject of MINA, we would like to
>> investigate the use of JSecurity to replace our current home-brewed
>> security solution. Now, JSecurity is still in incubation. Would this
>> pose a formal problem?
>
> If you can "complement" instead of "replace", then I think you have an
> ideal situation.
Yes, this is probably how things will work out anyways. At least for
some time until we have had the time to do the full replacement.
However, pretty much everything that is currently in FtpServer
security-wise has a better replacement in JSecurity. So, for the
long-run I think a full replacement would be the best option. But,
while JSecurity is incubating, this might be a good option, also to
have us get a better feeling for JSecurity before betting fully on it.
/niklas
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Niclas Hedhman <ni...@hedhman.org>.
On Mon, Sep 15, 2008 at 5:54 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
> Hi
>
> Within Apache FtpServer, a subproject of MINA, we would like to
> investigate the use of JSecurity to replace our current home-brewed
> security solution. Now, JSecurity is still in incubation. Would this
> pose a formal problem?
If you can "complement" instead of "replace", then I think you have an
ideal situation.
Cheers
Niclas
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Mon, Sep 15, 2008 at 4:09 PM, Gilles Scokart <gs...@gmail.com> wrote:
> Why would an incubating project being more risky to use than an
> external project?
I don't think it is. But, I would feel more secure depending on a
Apache release as that would have gone through a formal release
process which includes a lot of legal verification. That might or
might not be true for an external project.
/niklas
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: Depending on incubating project
Posted by Gilles Scokart <gs...@gmail.com>.
2008/9/15 Niklas Gustavsson <ni...@protocol7.com>:
> Hi
>
> Within Apache FtpServer, a subproject of MINA, we would like to
> investigate the use of JSecurity to replace our current home-brewed
> security solution. Now, JSecurity is still in incubation. Would this
> pose a formal problem? I believe I fully understand the risks
> involved, I'm more in search for guidance on Apache policies on this
> matter.
>
> In this case, we could depend on the last non-Apache release (0.9)
> while JSecurity works its way through incubation. But, I think it
> would be beneficial for both projects for us to use the upcoming
> Apache released versions.
>
> /niklas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>
I don't know about any guidelines, but I guess that at the end it is
up to the PMC to consider the risk of using an external library. If
the PMC consider the risk of using a non-Apache library acceptable, I
guess that the risk of using the incubating version of the library
would be acceptable as well.
Why would an incubating project being more risky to use than an
external project?
--
Gilles Scokart
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org