Guys, I did a quick check using the scanner at http://www.sonatype.com/application-health-check. According to that report we need to do some additional checking of our dependencies.

Licenses:
Copyleft: 2
Non-standard: 9
Weak-copyleft: 15
Liberal: 82

I can’t get the exact details as that requires the full report ($499 ouch..), but at least it warrants investigation before we can release.

Here is the printout of the report:
https://dl.dropboxusercontent.com/u/70226362/app-check.pdf

Cheers,
Hugo

On 23 feb. 2014, at 07:24, Rayees Namathponnan <rayees.namathpon...@citrix.com> wrote:

> Hi David,
>
> One doubt, while building cloudstack we are using "mysql-connector-java
> version 5.1.29"; is it not mandatory that we use the same version
> of mysql-connector during run time?
>
> Regards,
> Rayees
>
> -----Original Message-----
> From: David Nalley [mailto:da...@gnsa.us]
> Sent: Saturday, February 22, 2014 7:59 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [DISCUSS] Policy blocker?
>
> Hi folks:
>
> I think this issue is resolved in the 4.3 branch. The default build system no
> longer seems to grab the mysql jar, and I've adjusted tomcat to load the
> mysql jar from the system library.
>
> Commit 0c2ad0338e34f6117cecc24ec00c7746dd481465 should have the necessary
> changes.
>
> I did some quick testing, and this seems to work, but obviously it needs more
> eyes and testing.
>
> --David
>
> On Thu, Feb 20, 2014 at 8:37 AM, David Nalley <da...@gnsa.us> wrote:
>> Hi folks,
>>
>> I cringe to raise this issue. After 6 RCs I am sure we are all feeling
>> a little bit of release vote fatigue. Especially Animesh. I apologize
>> in advance; in all other respects I am ready to give a +1 to RC6.
>>
>> I've been playing with 4.3.0-rc6 for a couple of days now. I attempted
>> to build some RPMs and had problems with dependency resolution in
>> maven. This led me to looking at a number of different poms, and I
>> noticed mysql-connector-java is listed as a runtime dependency. For
>> our end users, this really isn't necessary - the debs and rpms specify
>> a requirement (effectively a system requirement in the terms of
>> policy) for mysql-connector-java. We don't need it to build the
>> software (at least not in any location I've seen) - just when running.
>> (And thus it's a system dependency, much like MySQL is.)
>>
>> mysql-connector-java is GPLv2; which is Cat X. By including it as a
>> dependency in the pom it automatically gets downloaded. The 3rd Party
>> software policy has this line in it:
>>
>> "YOU MUST NOT distribute build scripts or documentation within an
>> Apache product with the purpose of causing the default/standard build
>> of an Apache product to include any part of a prohibited work."
>>
>> We've released software with this dependency previously. Is this a
>> blocker for 4.3 or do we fix going forward? (If we hadn't already
>> shipped releases with this problem I'd lean a bit more towards it
>> being a blocker - but it's more murky now.)
>>
>> Thoughts, comments, flames?
>>
>> --David
>>
>> [1] https://www.apache.org/legal/3party.html