Hi all,

(and possibly mentors in particular)

As a module reviewer I'm uncertain/confused about how to deal with 3rd
party libraries.

Here's how I understand it:  An Apache release needs to comply with certain
standards, one of them being that any bundled 3rd party binary must be duly
vetted. We can't have a build process where we collect 3rd party binaries
from just about any location on the internet. So far so good. Understood.
But what does it mean practically?

Reading the various e-mails it seems that for our release process to be
approved, we must limit the location from where we fetch 3rd party libs to
the following:

* Apache's own Maven repo
* Maven Central, but only if the project of the 3rd party lib is an Apache
project.
* The project's VCS (we are trying to avoid this solution)
* A location fully under the project's control, e.g. like
hg.netbeans.org/binaries.

Note the things NOT on the list.

Can anyone summarize/conclude here?

Thx

Lars
