I will try to work on this a bit this evening, but others may be faster. --David
On Thu, Feb 20, 2014 at 1:44 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote: > Chip, David thanks for the detailed explanation, is one of you taking care of > fixing this issue or we need to find other volunteers > > Thanks > Animesh > >> -----Original Message----- >> From: Chip Childers [mailto:chipchild...@apache.org] >> Sent: Thursday, February 20, 2014 10:13 AM >> To: dev@cloudstack.apache.org >> Subject: Re: [DISCUSS] Policy blocker? >> >> On Thu, Feb 20, 2014 at 11:32 AM, Chip Childers <chipchild...@apache.org> >> wrote: >> > On Thu, Feb 20, 2014 at 08:37:46AM -0500, David Nalley wrote: >> >> Hi folks, >> >> >> >> I cringe to raise this issue. After 6 RCs I am sure we are all >> >> feeling a little bit of release vote fatigue. Especially Animesh. I >> >> apologize in advance; in all other respects I am ready to give a +1 to >> >> RC6. >> >> >> >> I've been playing with 4.3.0-rc6 for a couple of days now. I >> >> attempted to build some RPMs and had problems with dependency >> >> resolution in maven. This led me to looking at a number of different >> >> poms, and I noticed mysql-connector-java is listed as a runtime >> >> dependency. For our end users, this really isn't necessary - the debs >> >> and rpms specify a requirement (effectively a system requirement in >> >> the terms of >> >> policy) for mysql-connector-java. We don't need it to build the >> >> software (at least not in any location I've seen) - just when running. >> >> (And thus its a system dependency, much like MySQL is.) >> >> >> >> mysql-connector-java is GPLv2; which is Cat X. By including it as a >> >> dependency in the pom it automatically gets downloaded. The 3rd Party >> >> software policy has this line in it: >> >> >> >> "YOU MUST NOT distribute build scripts or documentation within an >> >> Apache product with the purpose of causing the default/standard build >> >> of an Apache product to include any part of aprohibited work." >> >> >> >> We've released software with this dependency previously. Is this a >> >> blocker for 4.3 or do we fix going forward? (If we hadn't already >> >> shipped releases with this problem I'd lean a bit more towards it >> >> being a blocker - but its more murky now.) >> >> >> >> Thoughts, comments, flames? >> >> >> >> --David >> >> >> >> [1] https://www.apache.org/legal/3party.html >> > >> > During incubation, this dependency was raised as an issue. Generally, >> > there are 2 ways to deal with Category X dependencies within an ASF >> > project: >> > >> > 1) Make it an optional part of the software. This is what we do with >> > the nonoss build target, but won't work for the mysql-connector. >> > >> > 2) Make it a "system dependency" that is expected to be installed on >> > the system prior to our software. >> > >> > mysql-connector-java (and the python equiv) were supposed to be >> > handled using option 2 (system dependency). >> > >> > Currently, our RPM packaging depends on the relevant RPM to pull this >> > in as a system dependency. I can't tell with the DEBs, but that would >> > need to be reviewed. >> > >> > The problem is that our maven poms pull down the jar automatically >> > right now. This is the blocker for us. I'm certainly not a lawyer, >> > but my understanding of ASF policy is that we need to make some >> > changes before making another release. >> > >> > So, there appear to be three things that have to happen: >> > >> > 1) Confirm that the mysql-connector-java is a system dependency in the >> > DEB packaging. >> > >> > 2) Ensure that a "normal build" of the project using mvn does not >> > automatically download the mysql-connector-java jar files. >> > >> > 3) Retest the project to ensure that the above changes work. >> > >> > Then we can re-spin an RC. >> > >> > -chip >> >> For those following along at home, here are some relevant links: >> >> http://www.apache.org/legal/resolved.html >> >> http://www.apache.org/dev/licensing-howto.html
