Posted to dev@maven.apache.org by Abel Muiño <am...@gmail.com> on 2009/02/28 11:48:34 UTC

[Off Topic] Re: Code provenance checks for Plexus components


Arnaud HERITIER wrote:
> 
> No it's not the case. I often find Apache processes heavy, but if in
> eclipse you have to validate all dependencies I better understand why its
> quality is lower day after day. All teams are probably checking their
> dependencies instead of writing tests.
> 

I think there is a misconception about the Eclipse Process and how heavy it
is.

We have checked a sheer number of dependencies and, so far, the only problem
is with Plexus. The ip-team takes care of everything for us, so it is just a
matter of getting in the mental state to file a bug report stating what you
will use.

However, the case of the embedder is a very special one, given the number
of dependencies required from so many different sources, and the lack of
information about its licensing terms or process in a few of them.

The intent of the Eclipse Process is that commercial tools can be built on
top of eclipse projects and, given that the Plexus license page [1] states
that "No project license is defined for this project.", I can understand
that the legal team is worried.

[1] http://plexus.codehaus.org/license.html


On Fri, Feb 27, 2009 at 8:34 PM, Abel Muiño <am...@gmail.com> wrote:

>
> Ok, sorry for the noise then... I thought that Apache would somehow review
> the code from third parties before distributing it (that's the Eclipse way).
>
>
> Brian E Fox wrote:
> >
> > Plexus is a codehaus component, so Apache would most likely not have
> > these checks.
> >
> > -----Original Message-----
> > From: Abel Muiño [mailto:amuino@gmail.com]
> > Sent: Friday, February 27, 2009 1:18 PM
> > To: dev@maven.apache.org
> > Subject: Code provenance checks for Plexus components
> >
> >
> > The Eclipse legal team is having a hard time trying to confirm code
> > provenance for the plexus components required by the 3.0 maven embedder.
> >
> > I suppose that the Apache Foundation has already done similar provenance
> > checks before distributing the components... so can you please help us
> > with the Eclipse review?
> >
> > Specifically, the legal team has asked:
> > ···
> >
> >
> >> For example, it would be helpful to know whether Plexus project members
> >> and contributors are asked to acknowledge anything regarding their
> >> contribution in an e-mail (e.g. I wrote the code, it's mine, and I'm
> >> contributing it to Plexus for distribution under the Apache 1.1 or
> >> Apache 2.0 license).
> >>
> > ···
> >
> > Does such thing (or anything similar) exist? Does Apache keep some records
> > regarding the 3rd party checks it performs before a release?
> >
> > Thanks!
> >
> >
> > -----
> > http://www.linkedin.com/in/amuino Abel Muiño Vizcaino  -
> > http://ramblingabout.wordpress.com
> > --
> > View this message in context:
> > http://www.nabble.com/Code-provenance-checks-for-Plexus-components-tp22251436p22251436.html
> > Sent from the Maven Developers mailing list archive at Nabble.com.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> > For additional commands, e-mail: dev-help@maven.apache.org
> >
> >
> >
>
>


-- 
Arnaud






Re: [Off Topic] Re: Code provenance checks for Plexus components

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On Sat, Feb 28, 2009 at 8:28 PM, Arnaud HERITIER <ah...@gmail.com> wrote:
> Ok I understand. The problem is for commercial products based on Eclipse. I
> forgot that. For plexus it's annoying but it mustn't be too difficult to
> solve. The number of committers is limited and the major part is in the
> maven's team.
>
> good luck

clear provenance is important to apache too but not to the level of
granularity of checking contributors to third party jars

- robert



Re: [Off Topic] Re: Code provenance checks for Plexus components

Posted by Arnaud HERITIER <ah...@gmail.com>.
Ok I understand. The problem is for commercial products based on Eclipse. I
forgot that. For plexus it's annoying but it mustn't be too difficult to
solve. The number of committers is limited and the major part is in the
maven's team.

good luck

Arnaud


Re: [Off Topic] Re: Code provenance checks for Plexus components

Posted by Rahul Thakur <ra...@gmail.com>.
IIRC, some of the sources are under ASL 2.0. I think I have seen some 
source headers with MIT and some with Common Public License.

Rahul


