On Fri, 23 Dec 2016 12:54:14 -0800, Charles Honton <c...@honton.org> wrote:
> The official release source tarball contains just the sources, not all
> the project files. Building the artifact from just the src directory
> without the pom would be extremely difficult.

Can you name a component where this is true? AFAIK all Commons components have a full-featured source archive which is buildable and a limited source attachment for Maven.

> The commons parent pom
> attaches the source tarball to the maven release for the side effects
> of signing/checksumming the source tarball.

Only for the -src classifier; this is Maven best practice since IDEs can download and display this.

> This induces a manual
> step of removing the source tarballs from the staging repository.

I don't think removing them is the actual intention.

> We
> publish convenience binaries to
> https://www.apache.org/dist/commons/XXX/binaries. I doubt anyone
> consumes these binaries. Most developers use Maven Central.

This depends entirely on the project type they are used in. I would not divert from this as it helps to actually find the artifacts and especially release notes.

> Extremely security conscious downstream projects consume the
> distribution source tarballs. The distribution artifacts are doubled
> in size by providing both .zip and tar.gz versions.

Why would we care?

> Slightly
> different artifacts are published to Apache Distribution Site vs
> Maven Central.

Uh, how can that happen, the release process verifies the checksums.

Regards,
Bernd