> On 14 Apr 2016, at 23:11, Joan Touzet <woh...@apache.org> wrote: > > Based on this information, are we in violation of ASF requirements? Can > anyone clarify for me what we actually need to be doing here?
There is no such policy. We are also not bundling SpiderMonkey or Erlang either. Neither do any of the Java projects bundle e.g. OpenJDK. The question of whether to have a “safe copy“ to be ensured against suddenly disappearing upstream is entirely* up to the project, but not ASF policy. *upstream dependencies that have dual licensing that includes a GPL flavour or other incompatible license[1] can’t be mirrored on ASF source control and distribution servers (that’s why we don’t mirror SpiderMonkey or Erlang (although we could do Erlang now, that they switched to ASF 2, but I would not suggest we do this). [1]: http://www.apache.org/legal/resolved.html#category-x * * * Personally, with npm’s new unpublish policy[2], I’m okay with having our dependencies there. Because of the deep dependency tree, we should be very diligent about not accidentally including category-x licensed modules. I’m sure we can automate this into a npm postinstall script, so we know as soon as possible. At the very least, we need an audit prior to any release. [2]: http://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy Best Jan -- > > -Joan > > ----- Original Message ----- >> From: "Garren Smith" <gar...@apache.org> >> To: dev@couchdb.apache.org, "Joan Touzet" <woh...@apache.org> >> Sent: Thursday, April 14, 2016 2:43:10 AM >> Subject: Re: On dependency management and CI issues associated with it >> >> Hi Joan, >> >> Good point. Until about a week ago we use to keep all our >> dependencies in >> our repo. But we have just switched to webpack which allows us to >> manage >> our dependencies via npm (in case you are wondering, we don't depend >> on >> leftpad directly). So some of them are in our repo but the majority >> are >> downloaded and then bundled. >> >> >> Cheers >> Garren >> >> On Wed, Apr 13, 2016 at 11:29 PM, Joan Touzet <woh...@apache.org> >> wrote: >> >>> Garren, correct me if I'm wrong but Fauxton depends on a large >>> number >>> of JS dependencies that we don't keep copies of, correct? Or is it >>> just >>> for the build process? >>> >>> -Joan >>> >>> ----- Original Message ----- >>>> From: "Alexander Shorin" <kxe...@gmail.com> >>>> To: dev@couchdb.apache.org >>>> Sent: Wednesday, April 13, 2016 2:08:20 PM >>>> Subject: Re: On dependency management and CI issues associated >>>> with it >>>> >>>> On Wed, Apr 13, 2016 at 8:39 PM, Robert Newson >>>> <rnew...@apache.org> >>>> wrote: >>>>> It's a thread derail but this notion that we're being "fairly >>>>> rude" >>>>> needs resolving. It might be lost to history now but we got >>>>> here, >>>>> I think, with the best intentions of ensuring all the code that >>>>> appears in couchdb can be traced back to code hosted at asf. Is >>>>> it >>>>> a concrete requirement? I honestly forget but I thought so. >>>> >>>> Yes, that's the answer why. If one day mochiweb owner will decide >>>> to >>>> drop his github repo, we shouldn't be leave with broken builds. >>>> See >>>> leftpad story as well. Initially, that requirement seems >>>> redundant, >>>> but recent npm drama showed that it has a huge point. Also there >>>> are >>>> some legal bits about. >>>> >>>> -- >>>> ,,,^..^,,, >>>> >>> >> -- Professional Support for Apache CouchDB: https://neighbourhood.ie/couchdb-support/