Posted to general@incubator.apache.org by Davanum Srinivas <da...@gmail.com> on 2008/07/07 23:09:22 UTC

[DISCUSS] Do we really need an incubator?

Sorry...Need to take this off my chest before the official VOTE.

Looking at the maven repo thread, begs the question. Do we really need
an incubator?

Isn't it just an IP Clearance SVN now once people have their way with
no distinction at all between incubator and non-incubator code?

What incentives are there left to graduate? How come a little bit of
pain that makes something obvious to end users is such a no-no? Why is
it such a big deal to remove one tiny pebble in their path? A lot of
folks have made it thru...including CXF, gathering users on the merits
of their code/community. It's not like the pebble stopped users from
trying things out. So what's the big deal?

My 2 cents,

Thanks,
dims

-- 
Davanum Srinivas :: http://davanum.wordpress.com

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: [DISCUSS] Do we really need an incubator?

Posted by Davanum Srinivas <da...@gmail.com>.
if one set of users never see them, why should everyone else?

-- dims

On Tue, Jul 8, 2008 at 8:18 AM, Bertrand Delacretaz
<bd...@apache.org> wrote:
> On Tue, Jul 8, 2008 at 1:56 PM, Davanum Srinivas <da...@gmail.com> wrote:
>> ...Ok. Next we get rid of disclaimers everywhere? What purpose does that serve?...
>
> I don't see why we would get rid of disclaimers.
> -Bertrand
>
>>
>> Bertrand Delacretaz wrote:
>> | Hi Dims,
>> |
>> | On Tue, Jul 8, 2008 at 12:25 PM, Davanum Srinivas <da...@gmail.com>
>> wrote:
>> |
>> |> ...Any PMC that ships incubator developed code is responsible for what
>> |> happens when a community does not form around the code base used. Any
>> |> one outside Apache that ships incubator code should be totally aware
>> |> of what they are getting into....
>> |
>> | Agreed.
>> |
>> |> ...Bottom line, who ever used abdera code should do it consciously. I
>> |> agree that adding a second repo may be causing pain to the end users.
>> |> But this is for better or worse a "feature" because we don't have a
>> |> better way of doing this given the tools we have and the use cases the
>> |> tools are pushing on unsuspecting users :)...
>> |
>> | It might be a feature when someone has to add the incubating repository
>> | to their configs the first time they need it, but after that any
>> | incubating artifacts might sneak in without people noticing it. People
>> | will add the incubating repository to their parent poms, and it will
>> | be mostly invisible after that.
>> |
>> |> ...So can we figure out another way to make the end user make a conscious
>> |> decision?...
>> |
>> | The final solution to this probably belongs in Maven, where the
>> | general case of "I want to approve any transitive dependency
>> | explicitly" should be solved. I'm not following Maven enough to know
>> | if that's on their todo list.
>> |
>> |> ...I doubt we will get much help from the maven team to support this use
>> |> case. They would rather get the central repo and get it done! What
>> |> bugs me is that in this whole discussion, no one even mentions how
>> |> easy it is to add another repo in the poms or the settings....
>> |
>> | I agree that it is easy, but as explained above it probably only
>> | solves a small part of the problem, and some of us think that that's
>> | not worth the hassle. Add on top of that the varying perception of the
>> | quality and "Apacheness" of incubator releases, and you get the whole
>> | range of opinions about a separate repository, which we're seeing in
>> | this and other discussions.
>> |
>> |> ...Why can't people at least pretend to come up with some alternatives
>> |> rather than just chant "central repo!" :)...
>> |
>> | The central repository is very useful for Maven users, so I guess we
>> | want it to be as complete as possible.
>> |
>> | -Bertrand
>> |
>
>
>
> --
>  Bertrand Delacretaz
>  http://www.codeconsult.ch
>



-- 
Davanum Srinivas :: http://davanum.wordpress.com



Re: [DISCUSS] Do we really need an incubator?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Jul 8, 2008 at 1:56 PM, Davanum Srinivas <da...@gmail.com> wrote:
> ...Ok. Next we get rid of disclaimers everywhere? What purpose does that serve?...

I don't see why we would get rid of disclaimers.
-Bertrand

>
> Bertrand Delacretaz wrote:
> | Hi Dims,
> |
> | On Tue, Jul 8, 2008 at 12:25 PM, Davanum Srinivas <da...@gmail.com>
> wrote:
> |
> |> ...Any PMC that ships incubator developed code is responsible for what
> |> happens when a community does not form around the code base used. Any
> |> one outside Apache that ships incubator code should be totally aware
> |> of what they are getting into....
> |
> | Agreed.
> |
> |> ...Bottom line, who ever used abdera code should do it consciously. I
> |> agree that adding a second repo may be causing pain to the end users.
> |> But this is for better or worse a "feature" because we don't have a
> |> better way of doing this given the tools we have and the use cases the
> |> tools are pushing on unsuspecting users :)...
> |
> | It might be a feature when someone has to add the incubating repository
> | to their configs the first time they need it, but after that any
> | incubating artifacts might sneak in without people noticing it. People
> | will add the incubating repository to their parent poms, and it will
> | be mostly invisible after that.
> |
> |> ...So can we figure out another way to make the end user make a conscious
> |> decision?...
> |
> | The final solution to this probably belongs in Maven, where the
> | general case of "I want to approve any transitive dependency
> | explicitly" should be solved. I'm not following Maven enough to know
> | if that's on their todo list.
> |
> |> ...I doubt we will get much help from the maven team to support this use
> |> case. They would rather get the central repo and get it done! What
> |> bugs me is that in this whole discussion, no one even mentions how
> |> easy it is to add another repo in the poms or the settings....
> |
> | I agree that it is easy, but as explained above it probably only
> | solves a small part of the problem, and some of us think that that's
> | not worth the hassle. Add on top of that the varying perception of the
> | quality and "Apacheness" of incubator releases, and you get the whole
> | range of opinions about a separate repository, which we're seeing in
> | this and other discussions.
> |
> |> ...Why can't people at least pretend to come up with some alternatives
> |> rather than just chant "central repo!" :)...
> |
> | The central repository is very useful for Maven users, so I guess we
> | want it to be as complete as possible.
> |
> | -Bertrand
> |



-- 
 Bertrand Delacretaz
 http://www.codeconsult.ch



Re: [DISCUSS] Do we really need an incubator?

Posted by Davanum Srinivas <da...@gmail.com>.
Ok. Next we get rid of disclaimers everywhere? What purpose does that serve?

-- dims

Bertrand Delacretaz wrote:
| Hi Dims,
|
| On Tue, Jul 8, 2008 at 12:25 PM, Davanum Srinivas <da...@gmail.com> wrote:
|
|> ...Any PMC that ships incubator developed code is responsible for what
|> happens when a community does not form around the code base used. Any
|> one outside Apache that ships incubator code should be totally aware
|> of what they are getting into....
|
| Agreed.
|
|> ...Bottom line, who ever used abdera code should do it consciously. I
|> agree that adding a second repo may be causing pain to the end users.
|> But this is for better or worse a "feature" because we don't have a
|> better way of doing this given the tools we have and the use cases the
|> tools are pushing on unsuspecting users :)...
|
| It might be a feature when someone has to add the incubating repository
| to their configs the first time they need it, but after that any
| incubating artifacts might sneak in without people noticing it. People
| will add the incubating repository to their parent poms, and it will
| be mostly invisible after that.
|
|> ...So can we figure out another way to make the end user make a conscious
|> decision?...
|
| The final solution to this probably belongs in Maven, where the
| general case of "I want to approve any transitive dependency
| explicitly" should be solved. I'm not following Maven enough to know
| if that's on their todo list.
|
|> ...I doubt we will get much help from the maven team to support this use
|> case. They would rather get the central repo and get it done! What
|> bugs me is that in this whole discussion, no one even mentions how
|> easy it is to add another repo in the poms or the settings....
|
| I agree that it is easy, but as explained above it probably only
| solves a small part of the problem, and some of us think that that's
| not worth the hassle. Add on top of that the varying perception of the
| quality and "Apacheness" of incubator releases, and you get the whole
| range of opinions about a separate repository, which we're seeing in
| this and other discussions.
|
|> ...Why can't people at least pretend to come up with some alternatives
|> rather than just chant "central repo!" :)...
|
| The central repository is very useful for Maven users, so I guess we
| want it to be as complete as possible.
|
| -Bertrand
|


Re: [DISCUSS] Do we really need an incubator?

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Dims,

On Tue, Jul 8, 2008 at 12:25 PM, Davanum Srinivas <da...@gmail.com> wrote:

> ...Any PMC that ships incubator developed code is responsible for what
> happens when a community does not form around the code base used. Any
> one outside Apache that ships incubator code should be totally aware
> of what they are getting into....

Agreed.

> ...Bottom line, who ever used abdera code should do it consciously. I
> agree that adding a second repo may be causing pain to the end users.
> But this is for better or worse a "feature" because we don't have a
> better way of doing this given the tools we have and the use cases the
> tools are pushing on unsuspecting users :)...

It might be a feature when someone has to add the incubating repository
to their configs the first time they need it, but after that any
incubating artifacts might sneak in without people noticing it. People
will add the incubating repository to their parent poms, and it will
be mostly invisible after that.

> ...So can we figure out another way to make the end user make a conscious
> decision?...

The final solution to this probably belongs in Maven, where the
general case of "I want to approve any transitive dependency
explicitly" should be solved. I'm not following Maven enough to know
if that's on their todo list.

> ...I doubt we will get much help from the maven team to support this use
> case. They would rather get the central repo and get it done! What
> bugs me is that in this whole discussion, no one even mentions how
> easy it is to add another repo in the poms or the settings....

I agree that it is easy, but as explained above it probably only
solves a small part of the problem, and some of us think that that's
not worth the hassle. Add on top of that the varying perception of the
quality and "Apacheness" of incubator releases, and you get the whole
range of opinions about a separate repository, which we're seeing in
this and other discussions.

> ...Why can't people at least pretend to come up with some alternatives
> rather than just chant "central repo!" :)...

The central repository is very useful for Maven users, so I guess we
want it to be as complete as possible.

-Bertrand



Re: [DISCUSS] Do we really need an incubator?

Posted by Niclas Hedhman <ni...@hedhman.org>.
Sorry, for entering this late (too much travel makes it hard to keep
up-to-date)...

On Tue, Jul 8, 2008 at 9:38 PM, William A. Rowe, Jr.
<wr...@rowe-clan.net> wrote:
> Davanum Srinivas wrote:
>> I doubt we will get much help from the maven team to support this use
>> case. They would rather get the central repo and get it done! What
>> bugs me is that in this whole discussion, no one even mentions how
>> easy it is to add another repo in the poms or the settings.

Well, there is a general Central Repo requirement that you are not
allowed to have <repository> in artifacts deployed to central. Not
sure if someone is ensuring this, but becomes an issue if incubator
artifacts are not mirrored to "central".

> Look, Maven serves packages.  Websites describe projects.  Yes, every
> project dependent on an incubating artifact should provide *website*
> disclaimers that a piece of their project could fall off the earth.

The "fall off the earth" for dependencies is a really weird argument
for end-users. (Which I think Bill is trying to say).

Let's say Apache TLP Flooba depends on Splinka, which is a SF hosted
project. No one is discussing here that we should have processes
warning users that Splinka may fall off the earth, yet it is just as
likely. Instead (I am convinced) that the user will "depend on" Flooba
community to deal with that if and when necessary. Sometimes when I
hear this argument of community dissolution, one easily gets the
impression that the code vanishes from the planet and a black hole in
my software appears. That is not the case...

So, taking Roy's statement into account of "Incubator Releases are
100% ASF releases", then I see no reason why other projects can't
depend on podlings, why there are disclaimers and being worried that
the user is misled. Example; Felix have a dependency on Jetty. No one
thinks twice about it. Jetty goes into Incubation (now they chose
CodeHaus but could have been here), and suddenly we need to warn
people, disclaimers that Jetty community might fall off the earth, it
is not fully endorsed by ASF and what not. When there is no material
change in code nor community.

The user will make the conscious decision to have his/her own direct
dependency on any project, and if that happens to be an Incubating
project, it happens either from a download via the website
(/dist/incubator/splinka) or via entering
<groupId>org.apache.incubator.splinka</groupId> in the pom.xml.
IMNSHO, all other indirect dependencies are irrelevant, considering
the PMC's fairly strict vetting (making the legal aspect at least as
good as any SF/CodeHaus/Berlios/OW2/... project) of podling releases.
And so on for each level...


While being on the topic; IMHO, podlings that are Sponsored by other
PMCs, expected to become sub-projects there, should all be
fast-tracked through the Incubator. Import -> Vet Legal -> Release ->
Out to TLP. No reason to "educate" the new folks into being able to
sustain a life on their own. The PMC where they are going will be
responsible. If the receiving PMC doesn't want that, then they should
not Sponsor and we get a natural valve in the intake, and a better
ability to scale as work is distributed out of the Incubator.

Now I crawl back under my seat, put on the life jacket and fly back to
Malaysia. ;o)


Cheers
Niclas



Re: [DISCUSS] Do we really need an incubator?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Davanum Srinivas wrote:
> 
> So can we figure out another way to make the end user make a conscious
> decision?
> 
> I doubt we will get much help from the maven team to support this use
> case. They would rather get the central repo and get it done! What
> bugs me is that in this whole discussion, no one even mentions how
> easy it is to add another repo in the poms or the settings.

No - that doesn't help the user make any decision whatsoever.  If you plug
your fedora distribution into the livna repository for a single package
that you -know- might be patent encumbered, you probably won't realize
when you yum install 20 more encumbered packages.

It's the top-level package that maven cares about.  That package's choice
to pick up an incubating dependency is the package issue.  Nobody is going
to even know what Apache Incubating Foo project was about, all they will
know is that the Bar project broke if Foo disappears.

If people think more in terms of a filesystem repository, which is what
Maven provides, rather than a website presentation dependency graph, this
really does become a dead issue.  Do we demand that your local checkout
of incubator repositories is to /tmp/... ?  Maven provides many third
party objects that are of top quality, and those of subpar quality.

It's simply a mirroring system.  We just got finished determining that
/dist/incubator/ must be on the mirrored main tree.  Why are people so
upset that we would follow the *exact same pattern* for maven?

Look, Maven serves packages.  Websites describe projects.  Yes, every
project dependent on an incubating artifact should provide *website*
disclaimers that a piece of their project could fall off the earth.
They probably won't.  But what's handy is that crawling Maven, you might
actually learn what projects consume incubating artifacts already, and
possibly grow some incubating communities due to such dependencies.





Re: [DISCUSS] Do we really need an incubator?

Posted by Davanum Srinivas <da...@gmail.com>.
Bertrand,

Facts:
- We have 11 failures so far in the incubator
(http://incubator.apache.org/projects/index.html)
- We have had G PMC pick up the code from a failed incubation (Yoko)
- We have disclaimers all over the place
(http://incubator.apache.org/guides/branding.html)

Any PMC that ships incubator developed code is responsible for what
happens when a community does not form around the code base used. Any
one outside Apache that ships incubator code should be totally aware
of what they are getting into. Example we used yesterday on IRC was if
Mule ships Abdera. Mule is taking ownership of the risk of abdera
failure. Same as was the case with G PMC and Yoko. This is not about
whether we are legally clear w.r.t the releases.

Bottom line, whoever used abdera code should do it consciously. I
agree that adding a second repo may be causing pain to the end users.
But this is for better or worse a "feature" because we don't have a
better way of doing this given the tools we have and the use cases the
tools are pushing on unsuspecting users :)

So can we figure out another way to make the end user make a conscious
decision?

I doubt we will get much help from the maven team to support this use
case. They would rather get the central repo and get it done! What
bugs me is that in this whole discussion, no one even mentions how
easy it is to add another repo in the poms or the settings.

Why can't people at least pretend to come up with some alternatives
rather than just chant "central repo!" :)

thanks,
dims

On Tue, Jul 8, 2008 at 1:51 AM, Bertrand Delacretaz
<bd...@apache.org> wrote:
> Hi Dims,
>
> On Mon, Jul 7, 2008 at 11:09 PM, Davanum Srinivas <da...@gmail.com> wrote:
>> Sorry...Need to take this off my chest before the official VOTE.
>
> Thanks for this.
>
>> ...Looking at the maven repo thread, begs the question. Do we really need
>> an incubator?
>>
>> Isn't it just a IP Clearance SVN now once people have their way with
>> no distinction at all between incubator and non-incubator code?...
>
> It took me a few seconds to understand your concern, I had never
> thought about it like that before.
>
> I don't think putting incubator artifacts in the main Maven repository
> removes all distinction between incubator and non-incubator code. If
> we require incubator artifacts to have "-incubating" in their version
> names, that's perfectly clear.
>
> Such a dependency might be made somewhat invisible by transitive
> dependencies on incubating projects, but the problem is exactly the
> same if a non-incubating project depends on GPL stuff transitively.
> That's a Maven problem, not an incubator problem.
>
> Currently, one has to explicitly check their complete dependency tree
> to be sure about what their code uses, when working with Maven. Or use
> private repositories exclusively, with controlled addition of
> artifacts. That's not in any way an incubator problem.
>
> To answer your question, to me the value of the incubator is as much
> in creating communities as in creating clean code. Having been a
> mentor of Wicket, I think this is a perfect example of a community
> that already worked quite well, but needed some mentoring to ease into
> the Apache way, and I think the results were very successful.
>
> Other projects don't incubate as well, especially now that the
> incubator has grown larger with relatively few people (IMHO) taking
> care of the health of the incubator at large.
>
> To me this means that a few things need to be fixed in the incubator -
> like reducing bureaucracy to a minimum while avoiding losing track of
> incubating projects, making docs more consistent and minimalistic, and
> making sure companies do not hijack their way into the ASF via the
> incubator.
>
> That doesn't mean we don't need an incubator, quite the contrary in my
> opinion: we need a stronger and more fun incubator.
>
> -Bertrand
>



-- 
Davanum Srinivas :: http://davanum.wordpress.com



Re: [DISCUSS] Do we really need an incubator?

Posted by Davanum Srinivas <da...@gmail.com>.
Understood. Taking a bit out of the email:

"
Such a dependency might be made somewhat invisible by transitive
dependencies on incubating projects, but the problem is exactly the
same if a non-incubating project depends on GPL stuff transitively.
That's a Maven problem, not an incubator problem.
"

So, why are we trying to fix a mistake in the tool?

thanks,
dims

On Tue, Jul 8, 2008 at 1:51 AM, Bertrand Delacretaz
<bd...@apache.org> wrote:
> Hi Dims,
>
> On Mon, Jul 7, 2008 at 11:09 PM, Davanum Srinivas <da...@gmail.com> wrote:
>> Sorry...Need to take this off my chest before the official VOTE.
>
> Thanks for this.
>
>> ...Looking at the maven repo thread, begs the question. Do we really need
>> an incubator?
>>
>> Isn't it just a IP Clearance SVN now once people have their way with
>> no distinction at all between incubator and non-incubator code?...
>
> It took me a few seconds to understand your concern, I had never
> thought about it like that before.
>
> I don't think putting incubator artifacts in the main Maven repository
> removes all distinction between incubator and non-incubator code. If
> we require incubator artifacts to have "-incubating" in their version
> names, that's perfectly clear.
>
> Such a dependency might be made somewhat invisible by transitive
> dependencies on incubating projects, but the problem is exactly the
> same if a non-incubating project depends on GPL stuff transitively.
> That's a Maven problem, not an incubator problem.
>
> Currently, one has to explicitly check their complete dependency tree
> to be sure about what their code uses, when working with Maven. Or use
> private repositories exclusively, with controlled addition of
> artifacts. That's not in any way an incubator problem.
>
> To answer your question, to me the value of the incubator is as much
> in creating communities as in creating clean code. Having been a
> mentor of Wicket, I think this is a perfect example of a community
> that already worked quite well, but needed some mentoring to ease into
> the Apache way, and I think the results were very successful.
>
> Other projects don't incubate as well, especially now that the
> incubator has grown larger with relatively few people (IMHO) taking
> care of the health of the incubator at large.
>
> To me this means that a few things need to be fixed in the incubator -
> like reducing bureaucracy to a minimum while avoiding losing track of
> incubating projects, making docs more consistent and minimalistic, and
> making sure companies do not hijack their way into the ASF via the
> incubator.
>
> That doesn't mean we don't need an incubator, quite the contrary in my
> opinion: we need a stronger and more fun incubator.
>
> -Bertrand
>



-- 
Davanum Srinivas :: http://davanum.wordpress.com



Re: [DISCUSS] Do we really need an incubator?

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Dims,

On Mon, Jul 7, 2008 at 11:09 PM, Davanum Srinivas <da...@gmail.com> wrote:
> Sorry...Need to take this off my chest before the official VOTE.

Thanks for this.

> ...Looking at the maven repo thread, begs the question. Do we really need
> an incubator?
>
> Isn't it just a IP Clearance SVN now once people have their way with
> no distinction at all between incubator and non-incubator code?...

It took me a few seconds to understand your concern, I had never
thought about it like that before.

I don't think putting incubator artifacts in the main Maven repository
removes all distinction between incubator and non-incubator code. If
we require incubator artifacts to have "-incubating" in their version
names, that's perfectly clear.

Such a dependency might be made somewhat invisible by transitive
dependencies on incubating projects, but the problem is exactly the
same if a non-incubating project depends on GPL stuff transitively.
That's a Maven problem, not an incubator problem.

Currently, one has to explicitly check their complete dependency tree
to be sure about what their code uses, when working with Maven. Or use
private repositories exclusively, with controlled addition of
artifacts. That's not in any way an incubator problem.

To answer your question, to me the value of the incubator is as much
in creating communities as in creating clean code. Having been a
mentor of Wicket, I think this is a perfect example of a community
that already worked quite well, but needed some mentoring to ease into
the Apache way, and I think the results were very successful.

Other projects don't incubate as well, especially now that the
incubator has grown larger with relatively few people (IMHO) taking
care of the health of the incubator at large.

To me this means that a few things need to be fixed in the incubator -
like reducing bureaucracy to a minimum while avoiding losing track of
incubating projects, making docs more consistent and minimalistic, and
making sure companies do not hijack their way into the ASF via the
incubator.

That doesn't mean we don't need an incubator, quite the contrary in my
opinion: we need a stronger and more fun incubator.

-Bertrand
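
Added example (not part of the original message, and not Maven's or the ASF's own code): the "check the complete dependency tree" step from this message, as a Python script over the text output of `mvn dependency:tree`. It flags artifacts carrying the "-incubating" version suffix proposed above or the org.apache.incubator groupId mentioned elsewhere in the thread, and reports the chain that pulled each one in. The sample tree and all coordinates in it are constructed.

```python
import re

# Constructed sample of `mvn dependency:tree` text output (not from the thread).
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0
[INFO] +- org.apache.wicket:wicket:jar:1.3.4:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.4.2:compile
[INFO] +- org.example:feed-client:jar:2.1:compile
[INFO] |  +- org.apache.abdera:abdera-core:jar:0.4.0-incubating:compile
[INFO] |  |  \\- org.apache.abdera:abdera-i18n:jar:0.4.0-incubating:compile
[INFO] |  \\- commons-codec:commons-codec:jar:1.3:compile
[INFO] \\- org.apache.incubator.splinka:splinka-api:jar:0.1:compile
"""

# Each nesting level is drawn with one three-character cell:
# "|  ", "   ", "+- " or "\- ". The coordinate follows the last cell.
LINE_RE = re.compile(r"^((?:\|  |   |\+- |\\- )*)(\S+)\s*$")


def is_incubating(group_id, version):
    """Markers discussed in the thread: version suffix or incubator groupId."""
    return "-incubating" in version or group_id.startswith("org.apache.incubator")


def find_incubating(tree_text):
    """Return incubating dependencies with the path that introduced them.

    Each finding is a dict with:
      artifact - "groupId:artifactId"
      version  - version string from the tree
      direct   - True if declared by the project itself (depth 1)
      via      - intermediate artifacts between the project and the finding
    """
    findings = []
    branch = []  # branch[d] is the artifact at depth d on the current path
    for raw in tree_text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        match = LINE_RE.match(line)
        # Skip banner lines and anything that is not a Maven coordinate.
        if not match or match.group(2).count(":") < 3:
            continue
        depth = len(match.group(1)) // 3
        parts = match.group(2).split(":")
        group_id, artifact_id = parts[0], parts[1]
        # The root line has no scope field; dependency lines end in ":scope".
        version = parts[-1] if depth == 0 else parts[-2]

        del branch[depth:]
        branch.append(f"{group_id}:{artifact_id}")

        if depth > 0 and is_incubating(group_id, version):
            findings.append({
                "artifact": branch[-1],
                "version": version,
                "direct": depth == 1,
                "via": branch[1:-1],
            })
    return findings


if __name__ == "__main__":
    for f in find_incubating(SAMPLE_TREE):
        how = "direct" if f["direct"] else "transitive via " + " -> ".join(f["via"])
        print(f'{f["artifact"]}:{f["version"]}  ({how})')
```
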



Re: [DISCUSS] Do we really need an incubator?

Posted by Davanum Srinivas <da...@gmail.com>.
Happy to confirm it was indeed a rant :) Just wanted folks to see all points of view before they cast their vote.
Especially to at least understand why a particular "feature" was in place and think thru the pros and cons.

thanks,
dims

William A. Rowe, Jr. wrote:
|
|
| Angela Cymbalak wrote:
|> I think that I am in a unique position to comment on this question.  I
|> am sure there are a lot of legal things and the Maven repository that
|> can be pointed to as reasons why not to have an Incubator but I have
|> been very pleased with the fact that Apache *does* have the
|> Incubator.  It has been incredibly helpful to me as I attempt to find
|> the right people to show me the ropes at Apache.  Code releases aside,
|> it appears that it is generally accepted that people and projects who
|> are part of the incubator are either novices with Apache or those who
|> are willing to help the novices.  Without that starting point, finding
|> new people and projects could become limited.  There is a centralized
|> place at Apache for those who are starting out, and without the
|> incubator, it doesn't appear that Apache has that.
|
| Thanks Angie, yes your perspective is very interesting, and I hope it's
| already in line with what folks are thinking.
|
| I think Davanum's subject line was mostly a rant w.r.t. the Maven issue
| and not really a commentary on having an incubation process for podlings.
| At least, I hope it was ;-)  The mixed results that came out of Jakarta
| and others proved long ago that we needed /something/.  I think we are
| awfully close right now, but it is (and always will be) based on the
| then-current collection of volunteers and mentors.  Today we are doing
| better than I had hoped :)
|
| Bill
|


Re: [DISCUSS] Do we really need an incubator?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.

Angela Cymbalak wrote:
> I think that I am in a unique position to comment on this question.  I 
> am sure there are a lot of legal things and the Maven repository that 
> can be pointed to as reasons why not to have an Incubator but I have 
> been very pleased with the fact that Apache *does* have the Incubator.  
> It has been incredibly helpful to me as I attempt to find the right 
> people to show me the ropes at Apache.  Code releases aside, it appears 
> that it is generally accepted that people and projects who are part of 
> the incubator are either novices with Apache or those who are willing to 
> help the novices.  Without that starting point, finding new people and 
> projects could become limited.  There is a centralized place at Apache 
> for those who are starting out, and without the incubator, it doesn't 
> appear that Apache has that.

Thanks Angie, yes your perspective is very interesting, and I hope it's
already in line with what folks are thinking.

I think Davanum's subject line was mostly a rant w.r.t. the Maven issue
and not really a commentary on having an incubation process for podlings.
At least, I hope it was ;-)  The mixed results that came out of Jakarta
and others proved long ago that we needed /something/.  I think we are
awfully close right now, but it is (and always will be) based on the
then-current collection of volunteers and mentors.  Today we are doing
better than I had hoped :)

Bill



Re: [DISCUSS] Do we really need an incubator?

Posted by Angela Cymbalak <a....@nechtan.org>.
I think that I am in a unique position to comment on this 
question.  I am sure there are a lot of legal things and the Maven 
repository that can be pointed to as reasons why not to have an 
Incubator but I have been very pleased with the fact that Apache 
*does* have the Incubator.  It has been incredibly helpful to me as I 
attempt to find the right people to show me the ropes at 
Apache.  Code releases aside, it appears that it is generally 
accepted that people and projects who are part of the incubator are 
either novices with Apache or those who are willing to help the 
novices.  Without that starting point, finding new people and 
projects could become limited.  There is a centralized place at 
Apache for those who are starting out, and without the incubator, it 
doesn't appear that Apache has that.

I agree that people may be using projects that are part of the 
incubator and not realizing that it doesn't have the same level of 
support that the TLPs have.  I also agree that a naming convention 
may solve part of that problem.  You might also see if you have 
modify the Apache License a little so that in the first few lines of an 
incubator project the license file clearly states that a project is 
in incubation and therefore has additional risks to it.

Angie

At 07:00 PM 7/7/2008, Davanum Srinivas wrote:
>Jukka,
>
>Yes, this is related. But i think folks have made up their mind about
>the repo. this is about the role of the incubator itself which is
>becoming over cumbersome and meaningless to many folks...
>
>thanks,
>dims
>
>On Mon, Jul 7, 2008 at 6:22 PM, Jukka Zitting <ju...@gmail.com> wrote:
> > Hi,
> >
> > On Tue, Jul 8, 2008 at 12:09 AM, Davanum Srinivas <da...@gmail.com> wrote:
> >> Sorry...Need to take this off my chest before the official VOTE.
> >
> > Good, thanks! It's best to have all relevant points discussed before voting.
> >
> > I'll wait at least a week after the last message on a related thread
> > before starting the vote to avoid interfering with ongoing discussion.
> >
> > BR,
> >
> > Jukka Zitting
> >
> >
> >
>
>
>
>--
>Davanum Srinivas :: http://davanum.wordpress.com
>


Re: [DISCUSS] Do we really need an incubator?

Posted by Davanum Srinivas <da...@gmail.com>.
Jukka,

Yes, this is related. But I think folks have made up their mind about
the repo. This is about the role of the incubator itself which is
becoming over cumbersome and meaningless to many folks...

thanks,
dims

On Mon, Jul 7, 2008 at 6:22 PM, Jukka Zitting <ju...@gmail.com> wrote:
> Hi,
>
> On Tue, Jul 8, 2008 at 12:09 AM, Davanum Srinivas <da...@gmail.com> wrote:
>> Sorry...Need to take this off my chest before the official VOTE.
>
> Good, thanks! It's best to have all relevant points discussed before voting.
>
> I'll wait at least a week after the last message on a related thread
> before starting the vote to avoid interfering with ongoing discussion.
>
> BR,
>
> Jukka Zitting
>
>
>



-- 
Davanum Srinivas :: http://davanum.wordpress.com



Re: [DISCUSS] Do we really need an incubator?

Posted by Jukka Zitting <ju...@gmail.com>.
Hi,

On Tue, Jul 8, 2008 at 12:09 AM, Davanum Srinivas <da...@gmail.com> wrote:
> Sorry...Need to take this off my chest before the official VOTE.

Good, thanks! It's best to have all relevant points discussed before voting.

I'll wait at least a week after the last message on a related thread
before starting the vote to avoid interfering with ongoing discussion.

BR,

Jukka Zitting



Re: [DISCUSS] Do we really need an incubator?

Posted by Aidan Skinner <ai...@apache.org>.
On Mon, Jul 7, 2008 at 10:09 PM, Davanum Srinivas <da...@gmail.com> wrote:

> Isn't it just a IP Clearance SVN now once people have their way with
> no distinction at all between incubator and non-incubator code?
>
> What incentives are there left to graduate? How come a little bit of
> pain that makes something obvious to end users is such a no-no? Why is
> it such a big deal to remove one tiny pebble in their path? A lot of

From my PoV, the incubator isn't about stopping people getting code,
it's about helping the project build a mature, functioning community,
which is the hardest part of the process. Writing code in a public
repository, pushing releases out and accepting feedback through a
mailing list and a bugzilla/jira are all well documented standard
operating practice. It's so standard now that, modulo the publicness,
it's basically (AFAICT) how the majority of software is developed
these days in corporate towers.

The value of the incubator is in helping new projects build a
self-sustaining community around a project, something which the mentor
system helps a lot with, particularly those who are from a more
traditional background and find it less easy to air what they consider
dirty laundry in public.

Surely then, it should be as easy as possible for users to get the
code, and the incubator's role is interacting with the committers and
PPMC?

I realise this is quite carrot heavy, and I know the incubator has
another role in ensuring that the Apache brand is not compromised etc,
but surely the disclaimer on the website and artifact naming are
sufficient? I would be surprised if anybody actually using the software
does so without ever reading the project's website. That would be some
very impressive javadoc if so. ;)

If more stick is necessary with a project, that's probably so
concerning that a warning during the first build for a few developers
that they'll almost certainly just click yes to without reading
properly anyway isn't going to help much anyway.

- Aidan (who, having said all that, has many issues with maven as a
build system and is quite glad that Qpid just switched back, but
that's a deep, tangential rat hole)
-- 
Apache Qpid - World Domination through Advanced Message Queueing
http://cwiki.apache.org/qpid



Re: [DISCUSS] Do we really need an incubator?

Posted by Jukka Zitting <ju...@gmail.com>.
Hi,

On Tue, Jul 8, 2008 at 12:09 AM, Davanum Srinivas <da...@gmail.com> wrote:
> What incentives are there left to graduate?

I don't think we have a problem with projects not graduating once
they're ready. Yes, we've had to prod some projects to take that step,
but generally that hasn't been an issue and I don't see how changing
the policy on the Maven repository could change this.

Do we need to make life difficult for incubating projects so they'd be
more eager to graduate? I think not.

BR,

Jukka Zitting



RE: [DISCUSS] Do we really need an incubator?

Posted by "Noel J. Bergman" <no...@devtech.com>.
Justin Erenkrantz wrote:

> In the past, we've been quite happy to import code into the Incubator
> repository before all of the legal issues are resolved

That's not a release, though.

> and we have very often issued releases without the appropriate
> disclaimers, CLAs, license texts, etc, etc.

I could consider that a problem to solve, and believe that we have largely
done so.

> I know that many (if not most!) previously open-sourced projects
> within our Incubator only get iCLAs on file well after the code
> has been imported and very likely after a few releases were made.

Examples, especially of the latter?

	--- Noel





Re: [DISCUSS] Do we really need an incubator?

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
On Mon, Jul 7, 2008 at 5:21 PM, Roy T. Fielding <fi...@gbiv.com> wrote:
> Huh?  The only difference I know of is the possible presence
> of external dependencies on LGPL code, which is not a legal
> question at all.  All legal issues are satisfied before we
> even let the code be imported, let alone released.

My understanding is quite the opposite.

In the past, we've been quite happy to import code into the Incubator
repository before all of the legal issues are resolved, and we have
very often issued releases without the appropriate disclaimers, CLAs,
license texts, etc, etc.  I know that many (if not most!) previously
open-sourced projects within our Incubator only get iCLAs on file well
after the code has been imported and very likely after a few releases
were made.  -- justin



Re: [DISCUSS] Do we really need an incubator?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Craig L Russell wrote:
> 
> On Jul 7, 2008, at 5:21 PM, Roy T. Fielding wrote:
> 
>> On Jul 7, 2008, at 5:01 PM, Justin Erenkrantz wrote:
>>> Apache isn't about 'community over code'.  The code is just as
>>> important - if not more so.  For Incubator releases, the releases
>>> aren't held to the same legal standard as releases from other PMCs.
>>
>> Huh?  The only difference I know of is the possible presence
>> of external dependencies on LGPL code, which is not a legal
>> question at all.  All legal issues are satisfied before we
>> even let the code be imported, let alone released.
> 
> Huh? What are the legal issues that are satisfied before importing code?

A Code Grant

One or More Contributor License Agreements

Zero or More Corporate Contributor License Agreements as required,
as determined by CLA signators




Re: [DISCUSS] Do we really need an incubator?

Posted by Craig L Russell <Cr...@Sun.COM>.
On Jul 7, 2008, at 5:21 PM, Roy T. Fielding wrote:

> On Jul 7, 2008, at 5:01 PM, Justin Erenkrantz wrote:
>> Apache isn't about 'community over code'.  The code is just as
>> important - if not more so.  For Incubator releases, the releases
>> aren't held to the same legal standard as releases from other PMCs.
>
> Huh?  The only difference I know of is the possible presence
> of external dependencies on LGPL code, which is not a legal
> question at all.  All legal issues are satisfied before we
> even let the code be imported, let alone released.

Huh? What are the legal issues that are satisfied before importing code?

Craig
>
>
> ....Roy
>
>
>

Craig L Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!


RE: [DISCUSS] Do we really need an incubator?

Posted by "Noel J. Bergman" <no...@devtech.com>.
Roy T. Fielding wrote:
> Justin Erenkrantz wrote:
> > For Incubator releases, the releases aren't held to the same legal
> > standard as releases from other PMCs.

> Huh?  The only difference I know of is the possible presence
> of external dependencies on LGPL code, which is not a legal
> question at all.  All legal issues are satisfied before we
> even let the code be imported, let alone released.

That would be my take, as well.  The code prior to release might have issues
to clear up, but they must be cleared prior to any release.

	--- Noel





Re: [DISCUSS] Do we really need an incubator?

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On Jul 7, 2008, at 5:01 PM, Justin Erenkrantz wrote:
> Apache isn't about 'community over code'.  The code is just as
> important - if not more so.  For Incubator releases, the releases
> aren't held to the same legal standard as releases from other PMCs.

Huh?  The only difference I know of is the possible presence
of external dependencies on LGPL code, which is not a legal
question at all.  All legal issues are satisfied before we
even let the code be imported, let alone released.

....Roy




Re: [DISCUSS] Do we really need an incubator?

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
On Mon, Jul 7, 2008 at 2:49 PM, Daniel Kulp <dk...@apache.org> wrote:
> So, my question is, if Apache is about "Community over code", why are we
> putting up barriers to getting the code if that is also creating barriers to
> building the community?

Apache isn't about 'community over code'.  The code is just as
important - if not more so.  For Incubator releases, the releases
aren't held to the same legal standard as releases from other PMCs.
The Incubator PMC is generally comfortable releasing code that is not
yet legally at the same standard as other PMCs would.  Everyone
understands that and it's okay.  This is why we have explicit
disclaimers regarding releases.  In light of that, I believe it is
prudent for us to place certain reasonable low barriers at getting the
code.  Since Maven can't display any notices when it downloads a
binary, then that isn't a tool that we should be recommending for
implicit distribution.  The Maven devs are fully aware what it would
take to satisfy that, but it's not very high on their priority list.
Hence, it's not high on my list to work around a tool that doesn't
support our desired policies.  -- justin



Re: [DISCUSS] Do we really need an incubator?

Posted by Jason van Zyl <ja...@maven.org>.
On 9-Jul-08, at 4:42 PM, William A. Rowe, Jr. wrote:

> Jochen Wiedmann wrote:
>> On Wed, Jul 9, 2008 at 6:16 PM, Noel J. Bergman <no...@devtech.com>  
>> wrote:
>>> However, the Maven repository situation has little to do with the  
>>> need for
>>> an Incubator.
>> Obviously you choose to pick out everything Ron's writing about the
>> flaws in Maven / the Maven repository while at the same time  
>> carefully
>> ignoring everything he's writing about the "necessity" of a special
>> incubator repository.
>
> I think you need to reread Roy's post, which spelled out exactly why  
> he
> believes "There is no reason for a separate repository."
>
> Noel isn't cherry picking, but your comment is flailing about  
> without any
> contribution to what that necessity actually is.
>
> Folks seem to believe maven helps users make decisions about the  
> individual
> components they want.  It does no such thing.  It helps users decide  
> to
> use a particular top level package with all of its warts, wrinkles and
> obscure dependencies, and *shields* the user from those details.

That is not true.

We allow the convenience of allowing the specification of compile time  
dependencies, but the information for the corresponding dependency  
graph is present and available in tools like m2eclipse:

http://docs.codehaus.org/display/MAVEN/Developing+Maven+2.1

That is not obscuring the dependencies in the slightest. The fact is  
_all_ the dependency information is available. Even on the command  
line with the -X option you can see what is there. We also have the  
dependency convergence report which shows everything that's being  
used. Lots of people are interested in everything they use, and that  
information is available to users in many convenient ways. The next  
versions of the visualization will also annotate the origin of a  
specific artifact.

You can take as much or as little. You can override any individual  
dependency, anywhere in the graph.

A lot of people here at Apache are taking a keen interest in Maven.  
If you don't understand how it works ask because there are lots of  
people, most likely inadvertently, completely describing Maven's  
capabilities and behaviors incorrectly.

> Having
> a separate repository would actually run against the end user goals  
> for
> Maven.  If they inspect package dependencies, and see foo-incubating
> rev 0.0.1 or higher in those dependencies, that's all we need to  
> insure.
> It's no different than encountering thirdparty bar rev 0.0.1 beta or  
> higher.
>
>
>
>

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
jason at sonatype dot com
----------------------------------------------------------

What matters is not ideas, but the people who have them. Good people  
can fix bad ideas, but good ideas can't save bad people.

  -- Paul Graham




Re: [DISCUSS] Do we really need an incubator?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Jochen Wiedmann wrote:
> On Wed, Jul 9, 2008 at 6:16 PM, Noel J. Bergman <no...@devtech.com> wrote:
> 
>> However, the Maven repository situation has little to do with the need for
>> an Incubator.
> 
> Obviously you choose to pick out everything Ron's writing about the
> flaws in Maven / the Maven repository while at the same time carefully
> ignoring everything he's writing about the "necessity" of a special
> incubator repository.

I think you need to reread Roy's post, which spelled out exactly why he
believes "There is no reason for a separate repository."

Noel isn't cherry picking, but your comment is flailing about without any
contribution to what that necessity actually is.

Folks seem to believe maven helps users make decisions about the individual
components they want.  It does no such thing.  It helps users decide to
use a particular top level package with all of its warts, wrinkles and
obscure dependencies, and *shields* the user from those details.  Having
a separate repository would actually run against the end user goals for
Maven.  If they inspect package dependencies, and see foo-incubating
rev 0.0.1 or higher in those dependencies, that's all we need to insure.
It's no different than encountering thirdparty bar rev 0.0.1 beta or higher.





Re: [DISCUSS] Do we really need an incubator?

Posted by Jochen Wiedmann <jo...@gmail.com>.
On Wed, Jul 9, 2008 at 6:16 PM, Noel J. Bergman <no...@devtech.com> wrote:

> However, the Maven repository situation has little to do with the need for
> an Incubator.

Obviously you choose to pick out everything Ron's writing about the
flaws in Maven / the Maven repository while at the same time carefully
ignoring everything he's writing about the "necessity" of a special
incubator repository.

Jochen


-- 
Look, that's why there's rules, understand? So that you think before
you break 'em.

 -- (Terry Pratchett, Thief of Time)



Re: [DISCUSS] Do we really need an incubator?

Posted by Carl Trieloff <cc...@redhat.com>.
From what I have seen many of the incubator releases have been better
vetted than those from graduated projects. So I don't buy the argument.

I also had to bite my tongue on the maven thread.. I think it is mostly
BS to give Java an easy route to publicity from inside incubator if no
other coding language gets the same perks. So to be consistent, we might
as well throw it all open. At that point the motivation to graduate is
mostly removed. i.e. are we turning incubator into - did the project
stay active to n months and is the IP clear? That would be what we are
practically doing.

I would personally vote -1 on the maven thread until Dims' questions and
the role of incubator in the new world is defined.

Carl.


Davanum Srinivas wrote:
> Roy,
>
> I see what you are saying...
>
> Do you agree that the intention is for the end user to pause for a
> second to understand what he/she is using and understand that there
> are some disclaimers etc that go along with a set of artifacts?
>
> Yes. may be this is the wrong way to enforce that intention. But may
> be the clever minds on the list can come up with brilliant ideas/patch
> to maven to make this happen in a better way? then we would not have
> this issue at all. Right?
>
> Yes, we are 100% behind our released artifacts. But we do need to let
> folks know that next month the code may not have a community behind it
> and hence a liability on the users since not all our projects pass
> incubation. No?
>
> thanks,
> dims
>
> On Mon, Jul 7, 2008 at 8:06 PM, Roy T. Fielding <fi...@gbiv.com> wrote:
>   
>> Dims, I have to disagree.  The releases that we allow incubating projects
>> to make, with three +1s and a majority approval, are full Apache releases.
>> They have been officially approved by the foundation and we are 100%
>> responsible for their content. That's okay, because they also tend to
>> receive far more detailed inspection and thus are better quality and more
>> conforming to our policies than our pre-incubator TLPs.
>>
>> There is no reason for a separate repository.  It certainly isn't relevant
>> to a podling's desire to become a TLP -- that is more than adequately
>> compensated by the freedom from slow IPMC approvals and ability to host
>> their own website without the butt-ugly egg icon and disclaimers.  A
>> separate repo does not help protect "users" from incubator code, since
>> users don't set the Maven configs that define which repos to use and
>> which modules are dependencies.  At best, what it does is add an
>> irrelevant incubator layer on top of all Maven repo requests that masks
>> the "normal" repo path from developers, introduces another way to inject
>> insecure code, and wastes our bandwidth sending 404 responses to
>> automated build requests.
>>
>> In contrast, if real incubator releases are allowed to be placed in the
>> normal Maven locations, then the incubating config does not mask the
>> normal Maven path, there is no need to send *all* repo requests to
>> incubator first, the project documentation for Maven doesn't have to
>> be a special-case, and releases are still subject to the same quality
>> controls as all Apache releases.
>>
>> Regardless, the user never makes a decision regarding incubator code
>> in the Maven repo.  The user is either going to pull the incubator
>> release directly and then build it using Maven with the provided pom,
>> or some other project is going to make a decision to add the artifact
>> (with incubator in its name) as a dependency.  The Maven repo path is
>> irrelevant to the user's decisions -- it just changes the background
>> bit traffic and the load on our servers.  In short, the policy is
>> just plain stupid (speaking as a C developer who builds a few
>> projects via Maven only a couple times a year).
>>
>> Yes, it would be nice if Maven was more secure, properly checked
>> signatures, and properly delegated namespaces so that third-parties
>> would be unable to add artifacts within other org's trees.  None of
>> those issues are specific to incubator.
>>
>> ....Roy
>>
>>
>>
>>
>>     
>
>
>
>   


Re: [DISCUSS] Do we really need an incubator?

Posted by Davanum Srinivas <da...@gmail.com>.
Roy,

I see what you are saying...

Do you agree that the intention is for the end user to pause for a
second to understand what he/she is using and understand that there
are some disclaimers etc that go along with a set of artifacts?

Yes. Maybe this is the wrong way to enforce that intention. But maybe
the clever minds on the list can come up with brilliant ideas/patch
to maven to make this happen in a better way? Then we would not have
this issue at all. Right?

Yes, we are 100% behind our released artifacts. But we do need to let
folks know that next month the code may not have a community behind it
and hence a liability on the users since not all our projects pass
incubation. No?

thanks,
dims

On Mon, Jul 7, 2008 at 8:06 PM, Roy T. Fielding <fi...@gbiv.com> wrote:
> Dims, I have to disagree.  The releases that we allow incubating projects
> to make, with three +1s and a majority approval, are full Apache releases.
> They have been officially approved by the foundation and we are 100%
> responsible for their content. That's okay, because they also tend to
> receive far more detailed inspection and thus are better quality and more
> conforming to our policies than our pre-incubator TLPs.
>
> There is no reason for a separate repository.  It certainly isn't relevant
> to a podling's desire to become a TLP -- that is more than adequately
> compensated by the freedom from slow IPMC approvals and ability to host
> their own website without the butt-ugly egg icon and disclaimers.  A
> separate repo does not help protect "users" from incubator code, since
> users don't set the Maven configs that define which repos to use and
> which modules are dependencies.  At best, what it does is add an
> irrelevant incubator layer on top of all Maven repo requests that masks
> the "normal" repo path from developers, introduces another way to inject
> insecure code, and wastes our bandwidth sending 404 responses to
> automated build requests.
>
> In contrast, if real incubator releases are allowed to be placed in the
> normal Maven locations, then the incubating config does not mask the
> normal Maven path, there is no need to send *all* repo requests to
> incubator first, the project documentation for Maven doesn't have to
> be a special-case, and releases are still subject to the same quality
> controls as all Apache releases.
>
> Regardless, the user never makes a decision regarding incubator code
> in the Maven repo.  The user is either going to pull the incubator
> release directly and then build it using Maven with the provided pom,
> or some other project is going to make a decision to add the artifact
> (with incubator in its name) as a dependency.  The Maven repo path is
> irrelevant to the user's decisions -- it just changes the background
> bit traffic and the load on our servers.  In short, the policy is
> just plain stupid (speaking as a C developer who builds a few
> projects via Maven only a couple times a year).
>
> Yes, it would be nice if Maven was more secure, properly checked
> signatures, and properly delegated namespaces so that third-parties
> would be unable to add artifacts within other org's trees.  None of
> those issues are specific to incubator.
>
> ....Roy
>
>



-- 
Davanum Srinivas :: http://davanum.wordpress.com



Re: [DISCUSS] Do we really need an incubator?

Posted by Henning Schmiedehausen <he...@apache.org>.
On Mon, 2008-07-07 at 17:06 -0700, Roy T. Fielding wrote:

> Yes, it would be nice if Maven was more secure, properly checked
> signatures, and properly delegated namespaces so that third-parties
> would be unable to add artifacts within other org's trees.  None of
> those issues are specific to incubator.

In the light of these reports:

http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
http://www.heise.de/newsticker/Bericht-Paket-Management-Systeme-unter-Linux-nur-bedingt-vertrauenswuerdig--/meldung/110908/

the question on attacks on the maven repository is probably no longer
"how" but only "when". These are attacks on Linux repositories, which
might be larger and more distributed than the maven repos, but the
jackpot of cracking *the* central Java artifact distribution center
would probably be bigger than getting a few thousand Linux systems to
run a repo delivered backdoor. 

This is definitely an issue that needs resolving sooner rather than later.

	Ciao
		Henning





Re: [DISCUSS] Do we really need an incubator?

Posted by Davanum Srinivas <da...@gmail.com>.
Roy,

I've created a JIRA here on the request for securing the artifacts:
http://jira.codehaus.org/browse/MNG-3659

Thanks,
dims

PS: Seriously why can't the mvn issue tracker be inhouse and not at codehaus? :(

On Mon, Jul 7, 2008 at 8:06 PM, Roy T. Fielding <fi...@gbiv.com> wrote:
> Dims, I have to disagree.  The releases that we allow incubating projects
> to make, with three +1s and a majority approval, are full Apache releases.
> They have been officially approved by the foundation and we are 100%
> responsible for their content. That's okay, because they also tend to
> receive far more detailed inspection and thus are better quality and more
> conforming to our policies than our pre-incubator TLPs.
>
> There is no reason for a separate repository.  It certainly isn't relevant
> to a podling's desire to become a TLP -- that is more than adequately
> compensated by the freedom from slow IPMC approvals and ability to host
> their own website without the butt-ugly egg icon and disclaimers.  A
> separate repo does not help protect "users" from incubator code, since
> users don't set the Maven configs that define which repos to use and
> which modules are dependencies.  At best, what it does is add an
> irrelevant incubator layer on top of all Maven repo requests that masks
> the "normal" repo path from developers, introduces another way to inject
> insecure code, and wastes our bandwidth sending 404 responses to
> automated build requests.
>
> In contrast, if real incubator releases are allowed to be placed in the
> normal Maven locations, then the incubating config does not mask the
> normal Maven path, there is no need to send *all* repo requests to
> incubator first, the project documentation for Maven doesn't have to
> be a special-case, and releases are still subject to the same quality
> controls as all Apache releases.
>
> Regardless, the user never makes a decision regarding incubator code
> in the Maven repo.  The user is either going to pull the incubator
> release directly and then build it using Maven with the provided pom,
> or some other project is going to make a decision to add the artifact
> (with incubator in its name) as a dependency.  The Maven repo path is
> irrelevant to the user's decisions -- it just changes the background
> bit traffic and the load on our servers.  In short, the policy is
> just plain stupid (speaking as a C developer who builds a few
> projects via Maven only a couple times a year).
>
> Yes, it would be nice if Maven was more secure, properly checked
> signatures, and properly delegated namespaces so that third-parties
> would be unable to add artifacts within other org's trees.  None of
> those issues are specific to incubator.
>
> ....Roy
>
>



-- 
Davanum Srinivas :: http://davanum.wordpress.com



Re: [DISCUSS] Do we really need an incubator?

Posted by James Carman <ja...@carmanconsulting.com>.
On Sat, Jul 12, 2008 at 4:14 PM, Paul Querna <pq...@apache.org> wrote:

> However, AFAIK, CPAN doesn't allow every CPAN author to overwrite the files
> of every other CPAN author.  That's the situation we are in now with the
> Maven Repository, because we just use the filesystem on people.apache.org as
> the pristine copy.

Which is why I suggested we put our Maven repository contents into SVN
and only give write permissions to certain trusted individuals.  That
way, we could SVN export the contents of our repository to some
directory that can be rsynced to the main repo.



Re: [DISCUSS] Do we really need an incubator?

Posted by Paul Querna <pq...@apache.org>.
Jukka Zitting wrote:
> Hi,
> 
> On Wed, Jul 9, 2008 at 8:46 PM, Paul Querna <pq...@apache.org> wrote:
>> Noel J. Bergman wrote:
>>> [...] Until the Maven PMC stops abrogating its responsibility and addresses
>>> the issues, there does not appear to be anything that we can do about
>>> Maven's flaws short of banning use of the public Maven repositories entirely.
>> +1.
>>
>> If this was how debian ran packages or freebsd managed the ports collection,
>> there would have already been an exploit incident.
>>
>> We are running on borrowed time, and I don't understand why the PMC
>> continues to promote features with a completely broken security model.
> 
> Frankly I don't see what's so "completely broken" about the Maven
> repository. Lack of automatic signature checking?
> 
> For comparison: CPAN has been available for well over a decade and it
> has had signature checking for less than three years now. And the
> feature is still optional, disabled by default.

However, AFAIK, CPAN doesn't allow every CPAN author to overwrite the 
files of every other CPAN author.  That's the situation we are in now
with the Maven Repository, because we just use the filesystem on 
people.apache.org as the pristine copy.

To me there are two main flaws with how we manage the repository today:

1) No Authenticated Modifications to the Repository.
2) No Automated Signature Checking Enabled by Default.

To address #1, we are looking at using a Subversion repository, instead 
of the file system on people.apache.org.

By using a subversion repository, all modifications of the repo could be 
tracked via email and revision histories, and the mirrors run by infra
would just be exported copies.

> So, while I do appreciate the enthusiasm, I think cries about Maven
> security being broken and the use of the repository being
> irresponsible are IMHO greatly exaggerated. Having automatic signature
> checking in Maven would be nice, but it's not a big enough itch that
> I'd personally want to scratch that and IMHO certainly not serious
> enough that I'd for example consider not using the Maven repository in
> projects I'm involved with.

You are saying you trust all 1600+ shell accounts on people.apache.org?

That not one of them is hacked, or will be hacked at some point?

That's not a risk I believe we should expose ourselves to.  Moving to a
subversion based repository would be a good first step, adding real
signature checking should also be done, but I can live with just getting 
the repository moved off a central machine.

-Paul
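
[Added example, not part of the original post and not ASF or Maven tooling.] Once the repository lives in version control, the two flaws listed above, and the namespace delegation Roy mentions earlier in the thread, can be enforced at commit time. The delegation table, account names, paths and sample changes below are constructed for illustration.

```python
"""Commit-time policy check for a Maven-layout repository kept in version control.

Everything here is constructed for illustration: the delegation table, the
account names, the paths and the sample changes are hypothetical.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath

# groupId directory prefix -> accounts allowed to write below it (assumed policy).
DELEGATIONS = {
    "org/apache/cxf": {"alice"},
    "org/apache/maven": {"bob", "carol"},
}

# File types that must arrive together with a detached signature.
SIGNED_SUFFIXES = (".jar", ".pom")


@dataclass(frozen=True)
class Change:
    account: str  # authenticated committer
    action: str   # "A" add, "M" modify, "D" delete
    path: str     # repository-relative path, '/' separated


def owning_prefix(path):
    """Return the longest delegated prefix containing path, or None."""
    parts = PurePosixPath(path).parts
    for prefix in sorted(DELEGATIONS, key=len, reverse=True):
        p = PurePosixPath(prefix).parts
        if parts[:len(p)] == p:
            return prefix
    return None


def is_snapshot(path):
    """Maven layout is <group dirs>/<artifactId>/<version>/<file>."""
    return PurePosixPath(path).parent.name.endswith("-SNAPSHOT")


def check_commit(changes, existing):
    """Return (path, reason) for every change that violates the policy.

    existing is the set of paths already present in the repository.
    """
    # Repository content as it would look after the commit.
    after = set(existing)
    for c in changes:
        if c.action == "D":
            after.discard(c.path)
        else:
            after.add(c.path)

    violations = []
    for c in changes:
        parts = PurePosixPath(c.path).parts
        # Reject paths that could escape their namespace before matching prefixes.
        if c.path.startswith("/") or ".." in parts:
            violations.append((c.path, "path is not normalized"))
            continue
        prefix = owning_prefix(c.path)
        if prefix is None:
            violations.append((c.path, "no delegation covers this path"))
        elif c.account not in DELEGATIONS[prefix]:
            violations.append((c.path, f"{c.account} is not delegated for {prefix}"))
        elif c.path in existing and not is_snapshot(c.path):
            violations.append((c.path, "released files are immutable"))
        elif (c.action == "A" and c.path.endswith(SIGNED_SUFFIXES)
              and c.path + ".asc" not in after):
            # Presence only; checking the signature against the committer's
            # key (for example with gpg --verify) is a separate step.
            violations.append((c.path, "no detached .asc signature in this commit"))
    return violations


# Constructed sample data.
EXISTING = {
    "org/apache/cxf/cxf-core/2.1/cxf-core-2.1.jar",
    "org/apache/cxf/cxf-core/2.1/cxf-core-2.1.jar.asc",
}
SAMPLE = [
    Change("alice", "A", "org/apache/cxf/cxf-core/2.2/cxf-core-2.2.jar"),
    Change("alice", "A", "org/apache/cxf/cxf-core/2.2/cxf-core-2.2.jar.asc"),
    Change("bob", "M", "org/apache/cxf/cxf-core/2.1/cxf-core-2.1.jar"),
    Change("alice", "M", "org/apache/cxf/cxf-core/2.1/cxf-core-2.1.jar"),
    Change("carol", "A", "org/apache/maven/maven-core/2.0.9/maven-core-2.0.9.pom"),
    Change("alice", "A", "org/apache/cxf/../maven/maven-core/2.0.9/x.jar"),
]

if __name__ == "__main__":
    for path, reason in check_commit(SAMPLE, EXISTING):
        print(f"REJECT {path}: {reason}")
```

In a Subversion deployment this logic would sit in a pre-commit hook, so a rejected change never reaches the exported copies that the mirrors serve.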



Re: [DISCUSS] Do we really need an incubator?

Posted by Jukka Zitting <ju...@gmail.com>.
Hi,

On Thu, Jul 10, 2008 at 2:42 AM, Davanum Srinivas <da...@gmail.com> wrote:
> fwiw. My objection(s) had nothing to do with security.

I was just responding to comments by Noel and Paul. Sorry for the tangent.

BR,

Jukka Zitting



Re: [DISCUSS] Do we really need an incubator?

Posted by Davanum Srinivas <da...@gmail.com>.
Jukka,

fwiw. My objection(s) had nothing to do with security.

thanks,
dims

On Wed, Jul 9, 2008 at 6:25 PM, Jukka Zitting <ju...@gmail.com> wrote:
> Hi,
>
> On Wed, Jul 9, 2008 at 8:46 PM, Paul Querna <pq...@apache.org> wrote:
>> Noel J. Bergman wrote:
>>> [...] Until the Maven PMC stops abrogating its responsibility and addresses
>>> the issues, there does not appear to be anything that we can do about
>>> Maven's flaws short of banning use of the public Maven repositories entirely.
>>
>> +1.
>>
>> If this was how debian ran packages or freebsd managed the ports collection,
>> there would have already been an exploit incident.
>>
>> We are running on borrowed time, and I don't understand why the PMC
>> continues to promote features with a completely broken security model.
>
> Frankly I don't see what's so "completely broken" about the Maven
> repository. Lack of automatic signature checking?
>
> For comparison: CPAN has been available for well over a decade and it
> has had signature checking for less than three years now. And the
> feature is still optional, disabled by default.
>
> Another comparison: Apache releases come with digital signatures, but
> it's up to the users to manually verify them. Download statistics
> indicate that the vast majority of users never even look at the
> signatures. As it stands, signature checking is optional and disabled
> by default.
>
> So, while I do appreciate the enthusiasm, I think cries about Maven
> security being broken and the use of the repository being
> irresponsible are IMHO greatly exaggerated. Having automatic signature
> checking in Maven would be nice, but it's not a big enough itch that
> I'd personally want to scratch that and IMHO certainly not serious
> enough that I'd for example consider not using the Maven repository in
> projects I'm involved with.
>
> BR,
>
> Jukka Zitting
>



-- 
Davanum Srinivas :: http://davanum.wordpress.com



Re: [DISCUSS] Do we really need an incubator?

Posted by Jukka Zitting <ju...@gmail.com>.
Hi,

On Wed, Jul 9, 2008 at 8:46 PM, Paul Querna <pq...@apache.org> wrote:
> Noel J. Bergman wrote:
>> [...] Until the Maven PMC stops abrogating its responsibility and addresses
>> the issues, there does not appear to be anything that we can do about
>> Maven's flaws short of banning use of the public Maven repositories entirely.
>
> +1.
>
> If this was how debian ran packages or freebsd managed the ports collection,
> there would have already been an exploit incident.
>
> We are running on borrowed time, and I don't understand why the PMC
> continues to promote features with a completely broken security model.

Frankly I don't see what's so "completely broken" about the Maven
repository. Lack of automatic signature checking?

For comparison: CPAN has been available for well over a decade and it
has had signature checking for less than three years now. And the
feature is still optional, disabled by default.

Another comparison: Apache releases come with digital signatures, but
it's up to the users to manually verify them. Download statistics
indicate that the vast majority of users never even look at the
signatures. As it stands, signature checking is optional and disabled
by default.

So, while I do appreciate the enthusiasm, I think cries about Maven
security being broken and the use of the repository being
irresponsible are IMHO greatly exaggerated. Having automatic signature
checking in Maven would be nice, but it's not a big enough itch that
I'd personally want to scratch that and IMHO certainly not serious
enough that I'd for example consider not using the Maven repository in
projects I'm involved with.

BR,

Jukka Zitting



Re: [DISCUSS] Do we really need an incubator?

Posted by Paul Querna <pq...@apache.org>.
Noel J. Bergman wrote:
> Roy T. Fielding wrote:
> 
>> There is no reason for a separate repository.  [A separate repo] does not
>> help protect "users" from incubator code, since users don't set the Maven
>> configs that define which repos to use and which modules are dependencies.
>> At best, what it does is add an irrelevant incubator layer on top of all
>> Maven repo requests that masks the "normal" repo path from developers,
>> introduces another way to inject insecure code, and wastes our bandwidth
>> sending 404 responses to automated build requests.
> 
>> the user never makes a decision regarding incubator code in the Maven
>> repo.  The user is either going to pull the incubator release directly and
>> then build it using Maven with the provided pom, or some other project is
>> going to make a decision to add the artifact (with incubator in its name)
>> as a dependency.  The Maven repo path is irrelevant to the user's decisions
> 
>> Yes, it would be nice if Maven was more secure, properly checked
>> signatures, and properly delegated namespaces so that third-parties would
>> be unable to add artifacts within other org's trees.  None of those issues
>> are specific to incubator.
> 
> I am forced to agree with Roy on these points.  Until the Maven PMC stops
> abrogating its responsibility and addresses the issues, there does not
> appear to be anything that we can do about Maven's flaws short of banning
> use of the public Maven repositories entirely.


+1.

If this was how debian ran packages or freebsd managed the ports 
collection, there would have already been an exploit incident.

We are running on borrowed time, and I don't understand why the PMC 
continues to promote features with a completely broken security model.

> Given that I consider promoting Maven's insecure, uncontrolled, and
> unmanaged repositories to be at the height of irresponsibility, I would vote
> in favor of such a ban -- ASF-wide, not limited to the Incubator -- until
> Maven's flaws were addressed, but unfortunately, I doubt that there is a
> consensus to do so.  At least not until there is an actual exploit in the
> wild, at which point the Maven PMC might finally open its eyes in panic.

I'm not involved in Maven at all, I can understand a project skimping on 
more complicated security issues early on -- but at this point Maven 
seems like a well established project that isn't just an experiment -- 
people will be using it in mass for years to come.  For the security 
infrastructure to be completely missing, to me, is completely unacceptable.

> However, the Maven repository situation has little to do with the need for
> an Incubator.

I agree :-)

-Paul





Re: [DISCUSS] Do we really need an incubator?

Posted by Brett Porter <br...@gmail.com>.
2008/7/12 Andrus Adamchik <an...@objectstyle.org>:
> So let's approach it in an open source way
> - try to persuade Maven committers to pay attention and/or contribute the
> code to fix the problem.

Thanks Andrus - this is certainly the best thing anyone can do. It's
unfortunate that there hasn't been more demand for this over the last
couple of years, and that it has been drowned out by requests for
improvements, documentation, and so on.

I've been prodded to pick it up, and Joe has already provided some
helpful feedback. For those that want to see it happen, please comment
on the merits of the proposal I made [1], or vote for the attached
issue. Anyone that wants to further contribute to it, or help with
testing it and its ease of use, is more than welcome over at
dev@maven IMO.

It's best to continue anything to do with that over there. As Roy said
long ago in this thread, this isn't really a matter for the incubator.

Cheers,
Brett

-- 
Brett Porter
Blog: http://blogs.exist.com/bporter/



Re: [DISCUSS] Do we really need an incubator?

Posted by Andrus Adamchik <an...@objectstyle.org>.
The two are different things. I agree about the technical problem (and  
can add a dozen other Maven-related things that drive me crazy as a
user). I don't agree that ignoring this problem by the Maven folks  
constitutes a violation of some Apache policy. So let's approach it in  
an open source way - try to persuade Maven committers to pay attention  
and/or contribute the code to fix the problem. I guess that's what we  
are doing already in this thread, but I just wanted to steer clear  
from the notion that Maven PMC has an obligation to the ASF to fix it.

Andrus


On Jul 11, 2008, at 4:53 PM, Jim Jagielski wrote:
> On Jul 11, 2008, at 9:40 AM, Andrus Adamchik wrote:
>
>> Hi Jim,
>>
>>> It's no surprise that Maven chomps at the bit quite a bit regarding
>>> ASF policies, but values the "Apache brand" enough to toe the
>>> line.
>>
>> Did you mean Maven as "Maven repo deployed @Apache" or "Maven the  
>> PMC"? As Noel was talking specifically about the PMC. We can  
>> certainly ban Maven repo use until better security, etc. is  
>> implemented, but I don't think ASF policies apply to the  
>> architecture decisions (good or bad) and development direction of  
>> any given project.
>>
>
> Quite simply, if Maven the PMC (or any PMC) or Maven the repo deployed
> at the ASF (or any infra @ASF) is increasing the risks or
> exposure of the ASF to security or other related concerns,
> then we all should be concerned.
>
> To be more clear: the Maven repo is a *huge* benefit to the
> ASF and the entire community. Unless it is done "right", it also has
> the potential of exposing the ASF to high risk. That is the
> concern that Roy, Noel and Paul appeared to be noting and
> one that I am also starting to listen to...




Re: [DISCUSS] Do we really need an incubator?

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Jul 11, 2008, at 9:40 AM, Andrus Adamchik wrote:

> Hi Jim,
>
>> It's no surprise that Maven chomps at the bit quite a bit regarding
>> ASF policies, but values the "Apache brand" enough to toe the
>> line.
>
> Did you mean Maven as "Maven repo deployed @Apache" or "Maven the  
> PMC"? As Noel was talking specifically about the PMC. We can  
> certainly ban Maven repo use until better security, etc. is  
> implemented, but I don't think ASF policies apply to the  
> architecture decisions (good or bad) and development direction of  
> any given project.
>

Quite simply, if Maven the PMC (or any PMC) or Maven the repo deployed
at the ASF (or any infra @ASF) is increasing the risks or
exposure of the ASF to security or other related concerns,
then we all should be concerned.

To be more clear: the Maven repo is a *huge* benefit to the
ASF and the entire community. Unless it is done "right", it also has
the potential of exposing the ASF to high risk. That is the
concern that Roy, Noel and Paul appeared to be noting and
one that I am also starting to listen to...




Re: [DISCUSS] Do we really need an incubator?

Posted by Andrus Adamchik <an...@objectstyle.org>.
On Jul 11, 2008, at 5:04 PM, Jim Jagielski wrote:

>> but I don't think ASF policies apply to the architecture decisions  
>> (good or bad) and development direction of any given project.
>>
>
> They don't. Sorry if that wasn't clear :)

Yep. That's where I was getting. You can ignore my last message then  
("The two are different things...."), as it was making the same point.

Andrus



Re: [DISCUSS] Do we really need an incubator?

Posted by Jim Jagielski <ji...@jaguNET.com>.
> but I don't think ASF policies apply to the architecture decisions  
> (good or bad) and development direction of any given project.
>

They don't. Sorry if that wasn't clear :)




Re: [DISCUSS] Do we really need an incubator?

Posted by Andrus Adamchik <an...@objectstyle.org>.
Hi Jim,

> It's no surprise that Maven chomps at the bit quite a bit regarding
> ASF policies, but values the "Apache brand" enough to toe the
> line.

Did you mean Maven as "Maven repo deployed @Apache" or "Maven the  
PMC"? As Noel was talking specifically about the PMC. We can certainly  
ban Maven repo use until better security, etc. is implemented, but I  
don't think ASF policies apply to the architecture decisions (good or  
bad) and development direction of any given project.

Andrus


On Jul 11, 2008, at 4:23 PM, Jim Jagielski wrote:
> On Jul 9, 2008, at 12:16 PM, Noel J. Bergman wrote:
>>
>> I am forced to agree with Roy on these points.  Until the Maven PMC stops
>> abrogating its responsibility and addresses the issues, there does not
>> appear to be anything that we can do about Maven's flaws short of banning
>> use of the public Maven repositories entirely.
>>
>> Given that I consider promoting Maven's insecure, uncontrolled, and
>> unmanaged repositories to be at the height of irresponsibility, I would vote
>> in favor of such a ban -- ASF-wide, not limited to the Incubator -- until
>> Maven's flaws were addressed, but unfortunately, I doubt that there is a
>> consensus to do so.  At least not until there is an actual exploit in the
>> wild, at which point the Maven PMC might finally open its eyes in panic.
>>
>
> And I am forced to agree as well... To be honest, I still at times
> question exactly what the "relationship" between the ASF and Maven is.
> It's no surprise that Maven chomps at the bit quite a bit regarding
> ASF policies, but values the "Apache brand" enough to toe the
> line. But IMO it is time for the ASF to see how this is increasing
> the risk and potential for trouble with the whole foundation.




Re: [DISCUSS] Do we really need an incubator?

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Jul 13, 2008, at 10:15 AM, Henning Schmiedehausen wrote:

> On Fri, 2008-07-11 at 09:23 -0400, Jim Jagielski wrote:
>
>> And I am forced to agree as well... To be honest, I still at times
>> question exactly what the "relationship" between the ASF and Maven is.
>> It's no surprise that Maven chomps at the bit quite a bit regarding
>> ASF policies, but values the "Apache brand" enough to toe the
>> line. But IMO it is time for the ASF to see how this is increasing
>> the risk and potential for trouble with the whole foundation.
>
> Uhm, can you give examples for "only values the brand"? While I had a
> number of clashes with Maven people about the direction of the project,
> I always found that every member of the Maven PMC that I ever worked
> with and ever talked to, values Apache for what it is and how it works.
>

<replying only because Henning asked :) >

Not to belabor the point, but it is true that within Maven, there is
a range of "value-ing" the ASF and the ASF processes and procedures.
I think that everyone there values the ASF, at a deep core value.
But I also think it is true that there is a wider range of feelings
regarding more "peripheral" aspects of being an ASF project, such
as use of marks, (up until recently) control over infra, etc... as
the board minutes of the last several years clearly show. In other
words, if Maven was not an ASF project, I don't think people
would be surprised to see it managed in some very different
ways, but that *being* an ASF project (with all the various benefits)
is important enough (as well as value-ing the core philosophy of
the ASF) to "accept" some of the things some people within the PMC
would prefer was different.

This is not unique to Maven, of course... not at all. Nor is it
something which, in and of itself, is a Bad Thing... not at all.



Re: [DISCUSS] Do we really need an incubator?

Posted by Henning Schmiedehausen <hp...@intermeta.de>.
On Fri, 2008-07-11 at 09:23 -0400, Jim Jagielski wrote:

> And I am forced to agree as well... To be honest, I still at times
> question exactly what the "relationship" between the ASF and Maven is.
> It's no surprise that Maven chomps at the bit quite a bit regarding
> ASF policies, but values the "Apache brand" enough to toe the
> line. But IMO it is time for the ASF to see how this is increasing
> the risk and potential for trouble with the whole foundation.

Uhm, can you give examples for "only values the brand"? While I had a
number of clashes with Maven people about the direction of the project,
I always found that every member of the Maven PMC that I ever worked
with and ever talked to, values Apache for what it is and how it works. 

The one thing that Maven PMC members (and BTW many other members,
committers and contributors) are deeply frustrated about is the
level of red tape and stop gaps that exist whenever anything that is not
"100% existing for years" technology at Apache is requested.

That is why the JIRA of Maven is at codehaus (because infra denied a
JIRA install at Apache for a long time), that is why other parts of the
infrastructure (e.g. the CI system) are at Codehaus (because infra did
not want to support these parts) and that is why sometimes people just
step ahead and *do* things (like the Contegix deal or registering
maven.org) instead of waiting for infra to catch up.

That is an *ASF* problem, not a Maven problem. *We* must staff our infra
group to be able to deal with the requests of PMCs that want more than
"some webspace to serve, subversion and a bugtracker". The inability of
infra to serve the demands of our PMCs is driving them slowly but surely
off-ASF. I can give you a number of people who stopped working at Apache
exactly for that reason.

	Ciao
		Henning

-- 
Henning P. Schmiedehausen  -- hps@intermeta.de | JEE, Linux, Unix
91054 Buckenhof, Germany   -- +49 9131 506540  | Apache Java Software
Open Source Consulting, Development, Design    | 

INTERMETA - Gesellschaft fuer Mehrwertdienste mbH - RG Fuerth, HRB 7350
Gesellschaftssitz: Buckenhof. Geschaeftsfuehrer: Henning Schmiedehausen

  char name_buf[257];           /* max unix filename is 256, right? */





Re: [DISCUSS] Do we really need an incubator?

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Jul 11, 2008, at 12:07 PM, Brett Porter wrote:

> Hi Jim,
>
> 2008/7/11 Jim Jagielski <ji...@jagunet.com>:
>> And I am forced to agree as well... To be honest, I still at times
>> question exactly what the "relationship" between the ASF and Maven is.
>> It's no surprise that Maven chomps at the bit quite a bit regarding
>> ASF policies, but values the "Apache brand" enough to toe the
>> line.
>
> The Maven PMC is a pretty large and diverse group of people, and while
> I can only speak for myself, I think you'll find that the majority of
> the individual members don't share that attitude, and do value the ASF
> for what it is and not the brand.

I agree, btw. I did not intend to "lump in" all PMC members
with that characterization.




Re: [DISCUSS] Do we really need an incubator?

Posted by Brett Porter <br...@gmail.com>.
Hi Jim,

2008/7/11 Jim Jagielski <ji...@jagunet.com>:
> And I am forced to agree as well... To be honest, I still at times
> question exactly what the "relationship" between the ASF and Maven is.
> It's no surprise that Maven chomps at the bit quite a bit regarding
> ASF policies, but values the "Apache brand" enough to toe the
> line.

The Maven PMC is a pretty large and diverse group of people, and while
I can only speak for myself, I think you'll find that the majority of
the individual members don't share that attitude, and do value the ASF
for what it is and not the brand.

Cheers,
Brett

-- 
Brett Porter
Blog: http://blogs.exist.com/bporter/



Re: [DISCUSS] Do we really need an incubator?

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Jul 9, 2008, at 12:16 PM, Noel J. Bergman wrote:
>
> I am forced to agree with Roy on these points.  Until the Maven PMC stops
> abrogating its responsibility and addresses the issues, there does not
> appear to be anything that we can do about Maven's flaws short of banning
> use of the public Maven repositories entirely.
>
> Given that I consider promoting Maven's insecure, uncontrolled, and
> unmanaged repositories to be at the height of irresponsibility, I would vote
> in favor of such a ban -- ASF-wide, not limited to the Incubator -- until
> Maven's flaws were addressed, but unfortunately, I doubt that there is a
> consensus to do so.  At least not until there is an actual exploit in the
> wild, at which point the Maven PMC might finally open its eyes in panic.
>

And I am forced to agree as well... To be honest, I still at times
question exactly what the "relationship" between the ASF and Maven is.
It's no surprise that Maven chomps at the bit quite a bit regarding
ASF policies, but values the "Apache brand" enough to toe the
line. But IMO it is time for the ASF to see how this is increasing
the risk and potential for trouble with the whole foundation.




Re: [DISCUSS] Do we really need an incubator?

Posted by Paul Querna <ch...@force-elite.com>.
Noel J. Bergman wrote:
> Roy T. Fielding wrote:
> 
>> There is no reason for a separate repository.  [A separate repo] does not
>> help protect "users" from incubator code, since users don't set the Maven
>> configs that define which repos to use and which modules are dependencies.
>> At best, what it does is add an irrelevant incubator layer on top of all Maven
>> repo requests that masks the "normal" repo path from developers, introduces
>> another way to inject insecure code, and wastes our bandwidth sending 404
>> responses to automated build requests.
> 
>> the user never makes a decision regarding incubator code in the Maven repo.
>> The user is either going to pull the incubator release directly and then build it
>> using Maven with the provided pom, or some other project is going to make a
>> decision to add the artifact (with incubator in its name) as a dependency.  The
>> Maven repo path is irrelevant to the user's decisions
> 
>> Yes, it would be nice if Maven was more secure, properly checked signatures,
>> and properly delegated namespaces so that third-parties would be unable to
>> add artifacts within other org's trees.  None of those issues are specific to
>> incubator.
> 
> I am forced to agree with Roy on these points.  Until the Maven PMC stops
> abrogating its responsibility and addresses the issues, there does not
> appear to be anything that we can do about Maven's flaws short of banning
> use of the public Maven repositories entirely.


+1.

If this was how debian ran packages or freebsd managed the ports
collection, there would have already been an exploit incident.

We are running on borrowed time, and I don't understand why the PMC
continues to promote features with a completely broken security model.

> Given that I consider promoting Maven's insecure, uncontrolled, and
> unmanaged repositories to be at the height of irresponsibility, I would vote
> in favor of such a ban -- ASF-wide, not limited to the Incubator -- until
> Maven's flaws were addressed, but unfortunately, I doubt that there is a
> consensus to do so.  At least not until there is an actual exploit in the
> wild, at which point the Maven PMC might finally open its eyes in panic.

I'm not involved in Maven at all, I can understand a project skimping on
more complicated security issues early on -- but at this point Maven
seems like a well established project that isn't just an experiment --
people will be using it in mass for years to come.  For the security
infrastructure to be completely missing, to me, is completely 
unacceptable in an ASF Project.

> However, the Maven repository situation has little to do with the need for
> an Incubator.

I agree :-)

-Paul






RE: [DISCUSS] Do we really need an incubator?

Posted by "Noel J. Bergman" <no...@devtech.com>.
Roy T. Fielding wrote:

> There is no reason for a separate repository.  [A separate repo] does not
> help protect "users" from incubator code, since users don't set the Maven
> configs that define which repos to use and which modules are dependencies.
> At best, what it does is add an irrelevant incubator layer on top of all Maven
> repo requests that masks the "normal" repo path from developers, introduces
> another way to inject insecure code, and wastes our bandwidth sending 404
> responses to automated build requests.

> the user never makes a decision regarding incubator code in the Maven repo.
> The user is either going to pull the incubator release directly and then build it
> using Maven with the provided pom, or some other project is going to make a
> decision to add the artifact (with incubator in its name) as a dependency.  The
> Maven repo path is irrelevant to the user's decisions

> Yes, it would be nice if Maven was more secure, properly checked signatures,
> and properly delegated namespaces so that third-parties would be unable to
> add artifacts within other org's trees.  None of those issues are specific to
> incubator.

I am forced to agree with Roy on these points.  Until the Maven PMC stops
abrogating its responsibility and addresses the issues, there does not
appear to be anything that we can do about Maven's flaws short of banning
use of the public Maven repositories entirely.

Given that I consider promoting Maven's insecure, uncontrolled, and
unmanaged repositories to be at the height of irresponsibility, I would vote
in favor of such a ban -- ASF-wide, not limited to the Incubator -- until
Maven's flaws were addressed, but unfortunately, I doubt that there is a
consensus to do so.  At least not until there is an actual exploit in the
wild, at which point the Maven PMC might finally open its eyes in panic.

However, the Maven repository situation has little to do with the need for
an Incubator.

	--- Noel





Re: [DISCUSS] Do we really need an incubator?

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
Dims, I have to disagree.  The releases that we allow incubating projects
to make, with three +1s and a majority approval, are full Apache releases.
They have been officially approved by the foundation and we are 100%
responsible for their content. That's okay, because they also tend to
receive far more detailed inspection and thus are better quality and more
conforming to our policies than our pre-incubator TLPs.

There is no reason for a separate repository.  It certainly isn't  
relevant
to a podling's desire to become a TLP -- that is more than adequately
compensated by the freedom from slow IPMC approvals and ability to host
their own website without the butt-ugly egg icon and disclaimers.  A
separate repo does not help protect "users" from incubator code, since
users don't set the Maven configs that define which repos to use and
which modules are dependencies.  At best, what it does is add an
irrelevant incubator layer on top of all Maven repo requests that masks
the "normal" repo path from developers, introduces another way to inject
insecure code, and wastes our bandwidth sending 404 responses to
automated build requests.

In contrast, if real incubator releases are allowed to be placed in the
normal Maven locations, then the incubating config does not mask the
normal Maven path, there is no need to send *all* repo requests to
incubator first, the project documentation for Maven doesn't have to
be a special-case, and releases are still subject to the same quality
controls as all Apache releases.

Regardless, the user never makes a decision regarding incubator code
in the Maven repo.  The user is either going to pull the incubator
release directly and then build it using Maven with the provided pom,
or some other project is going to make a decision to add the artifact
(with incubator in its name) as a dependency.  The Maven repo path is
irrelevant to the user's decisions -- it just changes the background
bit traffic and the load on our servers.  In short, the policy is
just plain stupid (speaking as a C developer who builds a few
projects via Maven only a couple times a year).

Yes, it would be nice if Maven was more secure, properly checked
signatures, and properly delegated namespaces so that third-parties
would be unable to add artifacts within other org's trees.  None of
those issues are specific to incubator.

....Roy




Re: [DISCUSS] Do we really need an incubator?

Posted by Brett Porter <br...@gmail.com>.
2008/7/11 Jim Jagielski <ji...@jagunet.com>:
> But we could also say the fact that "CXF is in the Incubator" also
> prevented people from migrating, or discouraged attracting
> committers...

I've heard that stated before and I think it's something the podlings
should be keeping in mind.

> IMO, the Incubator is a place to build community and vet code.
> It should be a place which *encourages* podlings to work
> towards graduation. Instead, it appears to be more and more
> moving to a place where codebases and projects can happily
> live for awhile. Other than removing the '-incubating' tag,
> what incentive is there for graduation?

I tend to agree. I think if the incubator focuses on tackling this
problem, everything else should fall out in the process - releases are
releases and if allowed, should be treated equally. As much as I
understand the points raised and recognise there is more Maven can do
to help, I don't think it's the core issue here. The incubator should
be concerned with communicating the status to the user at the point
when they decide to use the project - and the time when they are
typing that into a POM as a dependency is surely well past that point.

Cheers,
Brett

-- 
Brett Porter
Blog: http://blogs.exist.com/bporter/



Re: [DISCUSS] Do we really need an incubator?

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Jul 7, 2008, at 11:06 PM, Daniel Kulp wrote:
>
>> Again, Are u stating that removing this restriction would have reduced
>> the time taken to graduate from 2 years to 1 year?
>
> We'll never know.  It certainly affected some of the features we
> concentrated on and thus may or may not have affected who we could
> have attracted as committers.   It would all be conjecture.   I know
> it DID prevent people migrating from xfire (see above) so I know our
> user base was lower than it could have been.
>

But we could also say the fact that "CXF is in the Incubator" also
prevented people from migrating, or discouraged attracting
committers...

IMO, the Incubator is a place to build community and vet code.
It should be a place which *encourages* podlings to work
towards graduation. Instead, it appears to be more and more
moving to a place where codebases and projects can happily
live for awhile. Other than removing the '-incubating' tag,
what incentive is there for graduation?



Re: [DISCUSS] Do we really need an incubator?

Posted by Davanum Srinivas <da...@gmail.com>.
Please see below:

On Mon, Jul 7, 2008 at 11:06 PM, Daniel Kulp <dk...@apache.org> wrote:
>
> On Jul 7, 2008, at 6:59 PM, Davanum Srinivas wrote:
>
>> Dan,
>>
>> Seriously, Can you please give me one concrete  instance where a user
>> gave up because it was too hard?
>
> It falls into a few situations:
> 1) Without stuff in the main repo, you cannot do plugins that do things
> similar to the "mvn jetty:run" and have maven pick them up without wacky
> changes to your ~/.m2/settings.xml which would then affect all projects.

Is this the average user that uses the build process to generate jars
that they use?

> 2) It IS a support burden on the community as people ask "why can't it find
> it?" even if you document the hell out of it.   People tend to not read docs
> when they expect their tool to work like it always works.   Maven people
> expect to just declare dependencies and have it work.   When it doesn't they
> get frustrated and blame the project for not deploying things correctly and
> move on.

Well, then the tools should have a way to inform users that there may
be additional configuration steps needed.

> 3) This is the killer one: we did have xfire folks not able to migrate as
> the corporate firewalls and proxies and such would NOT allow access to
> people.apache.org.   (to be fair, they didn't allow direct access to central
> either, but their internal repo managers did have access, but only to very
> limited repos like central and java.net)

Then maybe mvn is the wrong tool? :)

> 4) A couple of the recent versions of the archetype plugin were unable to
> create projects from archetypes not available in central.  Yes, it was a bug
> in the plugin, but it affected any archetypes not in central.   With mavens
> < 2.0.9's broken "automatically grab the latest plugin" thing, creating
> projects from archetypes for anything not in central was impossible.  (yes,
> that was a bug in the plugin and the maven team did fix it fairly quickly,
> but only incubator projects would have been affected.....)
>
> So yes, there are instances.

see above
>
>> Again, Are u stating that removing this restriction would have reduced
>> the time taken to graduate from 2 years to 1 year?
>
> We'll never know.  It certainly affected some of the features we
> concentrated on and thus may or may not have affected who we could have
> attracted as committers.   It would all be conjecture.   I know it DID
> prevent people migrating from xfire (see above) so I know our user base was
> lower than it could have been.

guess we'll never know.

>> We are *NOT* here to rubber stamp external code. Which is what we will
>> become.
>
> Huh?   We would be approving proper Apache Incubator releases and making
> sure they meet Apache legal requirements prior to release.     How is that
> rubber stamping external code?

Sorry "external" is a wrong word here.

>
> Basically, IMO, if a release from an incubator project completely meets ALL
> the legal requirements (none of the "it's ok, fix it for next time" things),
> it legally can go to central and it should.  (also, this means the project
> needs to have all the CLA's for the imported code, all the LGPL stuff
> resolved, etc...)   Saying incubator releases can only be used in places and
> with tools that will prompt with a "this is an incubator artifact, use it?
> y/n"  is, IMO, placing a field of use restriction on them which is against
> our own ideals.

We need a way to inform our users that a community may not form in the
code that they are using. Seriously, it's far away from FOU's.

> Should maven have a feature that the user can enable to allow various
> filtering and stuff, certainly.   That's a great idea.   For users that
> care, that would be great.    Should it be required?  IMO, no.   The license
> the artifacts are distributed under doesn't require it and thus, legally,
> it's not required.

See last comment above.

> Dan



-- 
Davanum Srinivas :: http://davanum.wordpress.com



Re: [DISCUSS] Do we really need an incubator?

Posted by Daniel Kulp <dk...@apache.org>.
On Jul 7, 2008, at 6:59 PM, Davanum Srinivas wrote:

> Dan,
>
> Seriously, Can you please give me one concrete  instance where a user
> gave up because it was too hard?

It falls into a few situations:
1) Without stuff in the main repo, you cannot do plugins that do  
things similar to the "mvn jetty:run" and have maven pick them up  
without wacky changes to your ~/.m2/settings.xml which would then  
affect all projects.

2) It IS a support burden on the community as people ask "why can't it  
find it?" even if you document the hell out of it.   People tend to  
not read docs when they expect their tool to work like it always  
works.   Maven people expect to just declare dependencies and have it  
work.   When it doesn't they get frustrated and blame the project for  
not deploying things correctly and move on.

3) This is the killer one: we did have xfire folks not able to migrate  
as the corporate firewalls and proxies and such would NOT allow access  
to people.apache.org.   (to be fair, they didn't allow direct access  
to central either, but their internal repo managers did have access,  
but only to very limited repos like central and java.net)

4) A couple of the recent versions of the archetype plugin were unable  
to create projects from archetypes not available in central.  Yes, it  
was a bug in the plugin, but it affected any archetypes not in  
central.   With mavens < 2.0.9's broken "automatically grab the latest  
plugin" thing, creating projects from archetypes for anything not in  
central was impossible.  (yes, that was a bug in the plugin and the  
maven team did fix it fairly quickly, but only incubator projects  
would have been affected.....)

So yes, there are instances.


> Again, Are u stating that removing this restriction would have reduced
> the time taken to graduate from 2 years to 1 year?

We'll never know.  It certainly affected some of the features we  
concentrated on and thus may or may not have affected who we could  
have attracted as committers.   It would all be conjecture.   I know  
it DID prevent people migrating from xfire (see above) so I know our  
user base was lower than it could have been.


> We are *NOT* here to rubber stamp external code. Which is what we  
> will become.

Huh?   We would be approving proper Apache Incubator releases and  
making sure they meet Apache legal requirements prior to release.
How is that rubber stamping external code?


Basically, IMO, if a release from an incubator project completely  
meets ALL the legal requirements (none of the "it's ok, fix it for  
next time" things), it legally can go to central and it should.   
(also, this means the project needs to have all the CLA's for the  
imported code, all the LGPL stuff resolved, etc...)   Saying incubator  
releases can only be used in places and with tools that will prompt  
with a "this is an incubator artifact, use it? y/n"  is, IMO, placing a  
field of use restriction on them which is against our own ideals.

Should maven have a feature that the user can enable to allow various  
filtering and stuff, certainly.   That's a great idea.   For users  
that care, that would be great.    Should it be required?  IMO, no.    
The license the artifacts are distributed under doesn't require it and  
thus, legally, it's not required.


Dan




---
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog







Re: [DISCUSS] Do we really need an incubator?

Posted by Davanum Srinivas <da...@gmail.com>.
Dan,

Seriously, Can you please give me one concrete  instance where a user
gave up because it was too hard?

Again, Are u stating that removing this restriction would have reduced
the time taken to graduate from 2 years to 1 year?

We are *NOT* here to rubber stamp external code. Which is what we will become.

My feeling is that pmc members are taking their mentor role more
prominence over incubator pmc role which is to make sure we setup
meaningful mechanisms to make sure all aspects are balanced.

In this specific case, a trivial road block has been lifted and
incubator is no longer what it is supposed to be. There are no longer
any checks/balances in the system,

So we should just promote IP Clearance as the primary mechanism and
get existing pmc's or even this PMC to just go ahead and rubber stamp
code and get it over with.

thanks,
dims





-- 
Davanum Srinivas :: http://davanum.wordpress.com



Re: [DISCUSS] Do we really need an incubator?

Posted by Daniel Kulp <dk...@apache.org>.
On Jul 7, 2008, at 5:09 PM, Davanum Srinivas wrote:

> Sorry...Need to take this off my chest before the official VOTE.
>
> Looking at the maven repo thread, begs the question. Do we really need
> an incubator?
>
> Isn't it just a IP Clearance SVN now once people have their way with
> no distinction at all between incubator and non-incubator code?
>
> What incentives are there left to graduate? How come a little bit of
> pain that makes something obvious to end users is such a no-no? Why is
> it such a big deal to remove one tiny pebble in their path? A lot of
> folks have made it thru...including CXF. gathering users on the merits
> of their code/community. It's not like the pebble stopped users from
> trying things out. So what's the big deal?

Honestly, I think CXF would have graduated significantly sooner if the  
central maven repo was used.   We specifically did not do a lot of  
"maven" things (like creating archetypes and such) due to the extra  
difficulty in using those things.   We don't yet use maven for any of  
the samples/demos, etc....    It IS a major barrier for a lot of people  
so we didn't concentrate on it.   Had the code gone to central, we  
could have worked on that as well which would have opened up new  
opportunities for "mavenites" to get involved.

So, my question is, if Apache is about "Community over code", why are  
we putting up barriers to getting the code if that is also creating  
barriers to building the community?   If the code is a proper release  
(legally OK, etc...), making it hard to use/get hinders the building  
of the community.   Do we like projects taking 2 years to graduate or  
would we prefer that time to be shorter?

So, to answer your question:  yes, I think the incubator is  
important.   It does legal vetting, but it also makes sure the  
communities are acting proper, learning apache ways, etc....   But the  
incubator should HELP the communities grow, not hinder it.

Dan




---
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog




