You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@river.apache.org by Simon IJskes - QCG <si...@qcg.nl> on 2013/12/19 01:35:42 UTC

Re: [jira] [Commented] (RIVER-432) Jar files in svn and src distributions

http://mail-archives.apache.org/mod_mbox/incubator-general/201203.mbox/%3C0F5691A1-97C0-444F-A514-B2E4E8E907DA%40gbiv.com%3E

> The only jar files we should have in subversion are the non-product
> trees -- the places where we store build tools, the artifacts for binary
> packages, website tools, and the dist directories themselves.  They do
> not belong in our open source product trees.

IMHO this is about jars in the 'src release' not the 'subversion'.


On 19-12-13 00:40, Greg Trasuk (JIRA) wrote:
>
>      [ https://issues.apache.org/jira/browse/RIVER-432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13852317#comment-13852317 ]
>
> Greg Trasuk commented on RIVER-432:
> -----------------------------------
>
>
> The topic came up in regards to a release of Apache Spark Incubating.  I quote Marvin Humphrey from that list (http://mail-archives.apache.org/mod_mbox/incubator-general/201312.mbox/%3CCAAS6%3D7iQSKTgNdO-0Qyd3T9--%2B%2BHQFEmhJi7CHoByqvQvp9_bg%40mail.gmail.com%3E)
>
> Please read these messages from ASF Board member Roy Fielding:
>
>      http://s.apache.org/roy-binary-deps-0
>      http://s.apache.org/roy-binary-deps-1
>      http://s.apache.org/roy-binary-deps-2
>      http://s.apache.org/roy-binary-deps-3
>
> This has to be fixed.  If some TLP PMCs have not been made aware that binary
> dependencies may not be bundled in source releases, the Incubator must not
> compound the problem by failing to educate current podlings.
>
> Cheers,
>
> Greg.
>
>
>
>
>
>> Jar files in svn and src distributions
>> --------------------------------------
>>
>>                  Key: RIVER-432
>>                  URL: https://issues.apache.org/jira/browse/RIVER-432
>>              Project: River
>>           Issue Type: Bug
>>             Reporter: Greg Trasuk
>>
>> Recent traffic on the incubator lists has pointed out that including jar files for dependencies in the subversion repository and the source distributions is against Apache policy.
>> In River, the following libraries appear in the Subversion repository and the source distributions (these are from trunk, a smaller set appear in the 2.2 branch):
>> animal-sniffer
>> asm
>> bouncy-castle
>> dnsjava
>> high-scale-lib
>> rc-libs
>> velocity
>> They all have to go.  What are we using them for?  As I understand it, we were going to remove the VelocityConfigurationBuilder, so that's not a problem.  Some of the others are available from Maven Central, so we can get them at build time using Ivy or another build tool.  Which ones are actually required?  And where did they come from?
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.1.4#6159)
>

Re: [jira] [Commented] (RIVER-432) Jar files in svn and src distributions

Posted by Simon IJskes - QCG <si...@qcg.nl>.

On 19-12-13 02:38, Greg Trasuk wrote:
> Put another way, wearing my “PMC Chair” hat, as the one who is
> legally answerable to the board, I plan to delete the compiled jars
> from our svn trees as soon as possible, after we’ve ensured that the
> project can be built without them (probably using Ivy or requiring
> people to do a separate download of any additional tools that they
> might require).  If anyone feels strongly that I’m acting in error,
> let me know and I’ll refer the question to either legal@ or board@.

Yes i do. Please refer the questions: "is having something in the svn 
the same as distributing" and "do i need to delete all jars from svn to 
be compliant" to the legal@ list.

Gr. Simon

-- 
QCG, Software voor het MKB, 071-5890970, http://www.qcg.nl
Quality Consultancy Group b.v., Leiderdorp, Kvk Den Haag: 28088397

Re: [jira] [Commented] (RIVER-432) Jar files in svn and src distributions

Posted by Simon IJskes - QCG <si...@qcg.nl>.

Quote from Roy Fielding:

> The only jar files we should have in subversion are the non-product
> trees -- the places where we store build tools, the artifacts for binary
> packages, website tools, and the dist directories themselves.  They do
> not belong in our open source product trees.

Gr. Simon



On 19-12-13 02:38, Greg Trasuk wrote:
>
> There seems to be some debate about that in the incubator lists.  Some people seem to think that having jars in Apache’s svn is effectively distributing them, which is counter to the foundation’s charter of producing free software in source code form.
>
> In my opinion, “if we aren’t distributing it, why would we have it in svn?”.  It follows that if we can’t distribute anything but source (see footnote 1), we shouldn't have anything but source in the project’s repositories.  If a jar is a valid build tool, one would assume it is available from whoever is running that project.  Recent Incubator practice has been to ban binaries, since it is possible to download them at build time with Ant, Ivy, Maven, or just about any other build tool.
>
> Put another way, wearing my “PMC Chair” hat, as the one who is legally answerable to the board, I plan to delete the compiled jars from our svn trees as soon as possible, after we’ve ensured that the project can be built without them (probably using Ivy or requiring people to do a separate download of any additional tools that they might require).  If anyone feels strongly that I’m acting in error, let me know and I’ll refer the question to either legal@ or board@.
>
> I believe there are one or two Apache Members on this list - perhaps someone could chime in?
>
> Cheers,
>
> Greg
>
> (1) I will confess to some confusion over how projects go about distributing binary releases - best I can make out is that these are “convenience binaries” that are the responsibility of whoever makes them, and we shouldn’t be voting on them or considering them “Apache” releases.
>
> On Dec 18, 2013, at 7:35 PM, Simon IJskes - QCG <si...@qcg.nl> wrote:
>
>> http://mail-archives.apache.org/mod_mbox/incubator-general/201203.mbox/%3C0F5691A1-97C0-444F-A514-B2E4E8E907DA%40gbiv.com%3E
>
>


-- 
QCG, Software voor het MKB, 071-5890970, http://www.qcg.nl
Quality Consultancy Group b.v., Leiderdorp, Kvk Den Haag: 28088397

Re: [jira] [Commented] (RIVER-432) Jar files in svn and src distributions

Posted by Greg Trasuk <tr...@stratuscom.com>.

@Sim - Fair enough, I’ll refer the questions.  First, though I’m going through the archives on legal-discuss@ to see if there’s already been a discussion.  As with many things, there seems to be much opinion, but little policy.  For example, in http://mail-archives.apache.org/mod_mbox/www-legal-discuss/201305.mbox/%3CED615624-F77B-487F-BA82-F8BD0E50CA46%40gmail.com%3E Sam Ruby says he thinks projects shouldn’t but binaries into svn, however, at the same time I asked the question over on general@incubator.a.o, and it was pointed out that projects like Apache Open Office and Apache Cassandra have many binaries in svn.

At the same time, I’ll mention that I did some experimenting last night with Apache Ivy (http://ant.apache.org/ivy), and it seems almost trivially easy to get dependencies at build time, so long as they’re in Maven Central.  I’ll post a patch for the 2.2 branch for people to take a look at (probably on Monday as I’m a little busy in the next few days).   It’s about 20 lines added to “build.xml" and about a 20-line “ivy.xml” file.  So I wonder, is there a reason we’d want to keep jars in svn if they weren’t strictly necessary?

By the way, I realize in re-reading it that my initial comments may have seemed heavy-handed, and I’m sorry about that.  I’m really just concerned that consensus seems to be converging (at least in the Incubator, which is often the de-facto policy body) on “no jars in svn, download them at build time”, and we’re not currently doing that.

Regards,

Greg Trasuk.

On Dec 19, 2013, at 7:12 AM, Peter <ji...@zeus.net.au> wrote:

> No, we can't distribute external binaries either.  The binary has to be the compiled version of the source.
> 
> 
> ----- Original message -----
>> I dont think the pathnames constitute a whole lot of difference in 
>> copyright terms. I think this issue revolves around having no binary 
>> products of anyone in the source distribution (the source release).
>> 
>> I've no opinion yet on if 'tool' jars belong in a binary distribution.
>> 
>> Gr. Simon
>> 
>> On 19-12-13 12:10, Peter wrote:
>>> Looking at the last paragraph in Sam's email he goes on to say we can
>>> have jar files in svn for build tools etc, but not in our open source
>>> product trees.
>>> 
>>> In that case the easiest temporary solution would be to move them
>>> into a designated directory outside of our product tree, then we can
>>> have ant retrieve them as needed for jenkins tests until we work out
>>> a more permanent solution.
>>> 
>>> Cheers,
>>> 
>>> Peter.
>>> 
>>> 
>> 
>> 
>> -- 
>> QCG, Software voor het MKB, 071-5890970, http://www.qcg.nl
>> Quality Consultancy Group b.v., Leiderdorp, Kvk Den Haag: 28088397
>

Re: [jira] [Commented] (RIVER-432) Jar files in svn and src distributions

Posted by Peter <ji...@zeus.net.au>.

No, we can't distribute external binaries either.  The binary has to be the compiled version of the source.


----- Original message -----
> I dont think the pathnames constitute a whole lot of difference in 
> copyright terms. I think this issue revolves around having no binary 
> products of anyone in the source distribution (the source release).
> 
> I've no opinion yet on if 'tool' jars belong in a binary distribution.
> 
> Gr. Simon
> 
> On 19-12-13 12:10, Peter wrote:
> > Looking at the last paragraph in Sam's email he goes on to say we can
> > have jar files in svn for build tools etc, but not in our open source
> > product trees.
> > 
> > In that case the easiest temporary solution would be to move them
> > into a designated directory outside of our product tree, then we can
> > have ant retrieve them as needed for jenkins tests until we work out
> > a more permanent solution.
> > 
> > Cheers,
> > 
> > Peter.
> > 
> > 
> 
> 
> -- 
> QCG, Software voor het MKB, 071-5890970, http://www.qcg.nl
> Quality Consultancy Group b.v., Leiderdorp, Kvk Den Haag: 28088397

Re: [jira] [Commented] (RIVER-432) Jar files in svn and src distributions

Posted by Simon IJskes - QCG <si...@qcg.nl>.

I dont think the pathnames constitute a whole lot of difference in 
copyright terms. I think this issue revolves around having no binary 
products of anyone in the source distribution (the source release).

I've no opinion yet on if 'tool' jars belong in a binary distribution.

Gr. Simon

On 19-12-13 12:10, Peter wrote:
> Looking at the last paragraph in Sam's email he goes on to say we can
> have jar files in svn for build tools etc, but not in our open source
> product trees.
>
> In that case the easiest temporary solution would be to move them
> into a designated directory outside of our product tree, then we can
> have ant retrieve them as needed for jenkins tests until we work out
> a more permanent solution.
>
> Cheers,
>
> Peter.
>
>

-- 
QCG, Software voor het MKB, 071-5890970, http://www.qcg.nl
Quality Consultancy Group b.v., Leiderdorp, Kvk Den Haag: 28088397

Re: [jira] [Commented] (RIVER-432) Jar files in svn and src distributions

Posted by Peter <ji...@zeus.net.au>.

Looking at the last paragraph in Sam's email he goes on to say we can have jar files in svn for build tools etc, but not in our open source product trees.

In that case the easiest temporary solution would be to move them into a designated directory outside of our product tree, then we can have ant retrieve them as needed for jenkins tests until we work out a more permanent solution.

Cheers,

Peter.


----- Original message -----
> 
> There seems to be some debate about that in the incubator lists.   Some
> people seem to think that having jars in Apache’s svn is effectively
> distributing them, which is counter to the foundation’s charter of
> producing free software in source code form.
> 
> In my opinion, “if we aren’t distributing it, why would we have it in
> svn?”.   It follows that if we can’t distribute anything but source (see
> footnote 1), we shouldn't have anything but source in the project’s
> repositories.   If a jar is a valid build tool, one would assume it is
> available from whoever is running that project.   Recent Incubator
> practice has been to ban binaries, since it is possible to download them
> at build time with Ant, Ivy, Maven, or just about any other build tool.
> 
> Put another way, wearing my “PMC Chair” hat, as the one who is legally
> answerable to the board, I plan to delete the compiled jars from our svn
> trees as soon as possible, after we’ve ensured that the project can be
> built without them (probably using Ivy or requiring people to do a
> separate download of any additional tools that they might require).   If
> anyone feels strongly that I’m acting in error, let me know and I’ll
> refer the question to either legal@ or board@.
> 
> I believe there are one or two Apache Members on this list - perhaps
> someone could chime in?
> 
> Cheers,
> 
> Greg
> 
> (1) I will confess to some confusion over how projects go about
> distributing binary releases - best I can make out is that these are
> “convenience binaries” that are the responsibility of whoever makes
> them, and we shouldn’t be voting on them or considering them “Apache”
> releases.
> 
> On Dec 18, 2013, at 7:35 PM, Simon IJskes - QCG <si...@qcg.nl> wrote:
> 
> > http://mail-archives.apache.org/mod_mbox/incubator-general/201203.mbox/%3C0F5691A1-97C0-444F-A514-B2E4E8E907DA%40gbiv.com%3E
>

Re: [jira] [Commented] (RIVER-432) Jar files in svn and src distributions

Posted by Greg Trasuk <tr...@stratuscom.com>.

There seems to be some debate about that in the incubator lists.  Some people seem to think that having jars in Apache’s svn is effectively distributing them, which is counter to the foundation’s charter of producing free software in source code form.

In my opinion, “if we aren’t distributing it, why would we have it in svn?”.  It follows that if we can’t distribute anything but source (see footnote 1), we shouldn't have anything but source in the project’s repositories.  If a jar is a valid build tool, one would assume it is available from whoever is running that project.  Recent Incubator practice has been to ban binaries, since it is possible to download them at build time with Ant, Ivy, Maven, or just about any other build tool.

Put another way, wearing my “PMC Chair” hat, as the one who is legally answerable to the board, I plan to delete the compiled jars from our svn trees as soon as possible, after we’ve ensured that the project can be built without them (probably using Ivy or requiring people to do a separate download of any additional tools that they might require).  If anyone feels strongly that I’m acting in error, let me know and I’ll refer the question to either legal@ or board@.

I believe there are one or two Apache Members on this list - perhaps someone could chime in?

Cheers,

Greg

(1) I will confess to some confusion over how projects go about distributing binary releases - best I can make out is that these are “convenience binaries” that are the responsibility of whoever makes them, and we shouldn’t be voting on them or considering them “Apache” releases.

On Dec 18, 2013, at 7:35 PM, Simon IJskes - QCG <si...@qcg.nl> wrote:

> http://mail-archives.apache.org/mod_mbox/incubator-general/201203.mbox/%3C0F5691A1-97C0-444F-A514-B2E4E8E907DA%40gbiv.com%3E