Hi Jacques, Sorry but I'm a little confused. I note the following:
- OFBiz did not create binary releases in the past - You started a thread to discuss whether we should create binary releases - When I ask you for the purpose of these releases you reply by saying, that's why I started this thread. What is it that you are seeking? Are you interested in binary releases and want to know if it is a good idea to pursue? If you are interested, then I would qualify that as the "purpose" that I asked you about. If you are not interested, then why did you start the thread? Regards, Taher Alkhateeb On Thu, Aug 25, 2016 at 7:32 AM, Jacques Le Roux < jacques.le.r...@les7arts.com> wrote: > Le 24/08/2016 à 23:15, Taher Alkhateeb a écrit : > >> Hi Jacques, >> >> I'm not sure how am I supposed to understand it? To me it seems clear .. >> You cannot add binaries unless they are the result of compiling the source >> code of the release you are preparing, it's written so very clearly. It >> also makes sense as it is saying that you can provide binary releases that >> represent the binary form of YOUR code. >> > > Eventually it boils down to this > http://mail-archives.apache.org/mod_mbox/www-legal-discuss/ > 201606.mbox/%3cCAAS6=7gVXGHqeKVeFV_r1849Qpi0+Ca0jc2QWQBQfRdZ > ncw...@mail.gmail.com%3e > > <<Untrusted jar files (from wherever) are allowed. They must represent > compilation of open source dependencies>> > > BTW from this complete answer it seems not recommended to release binaries > though they can also be done by a 3rd party (ie not endorsed by the ASF) > > On a different but relevant note, why do we want binary releases in the >> first place? What is the purpose? >> > > The question of this thread is "Should we do binary releases?" > > It seems more and more to me that we should neglect them, notably for > security reasons. > Note though that from my OWASP dependency checks (OWAPS-DC), so far > Gradle does not guarantee you from vulnerabilities as I was hoping for. > This still needs to be clarified because OWAPS-DC generates a lot of false > positive... > In this area there is nothing worse than a false sense of security. And > it's our responsibility to do our best for our users. > > But in last resort, it's the community to decide if we do binary releases > or not and the reasons for that. Should we do a vote for that? > > Jacques > > > This is not a desktop application or a >> web server that you just want to fire up and start using. There is >> preparation work (loading data, configuring, etc ...). It would make sense >> to have a binary version of Tomcat, because I just want to start it up >> with >> defaults and run web applications against it. It would also make sense to >> want a binary version of a desktop application because I just want to use >> it. The story is completely different with OFBiz, this is not some >> software >> that you just compile and ship, it's a very customizable, tweakable system >> with many moving parts, especially the database! Having the build system >> is >> essential to its operation, so the whole idea of a binary stripped out >> release does not make much sense to me. >> >> Taher Alkhateeb >> >> On Wed, Aug 24, 2016 at 11:54 PM, Jacques Le Roux < >> jacques.le.r...@les7arts.com> wrote: >> >> Taher, >>> >>> Wait, either Tomcat, Ant and JMeter are doing it wrong or we don't >>> understand this sentence (I agree with you) or it's incomplete. >>> >>> Because if you download each of their binary releases you will find in >>> them "binary/bytecode files" which are not the "result of compiling that >>> version of the source code release" >>> >>> Tomcat: ecj >>> >>> Ant: ivy (+ 3 optionals) >>> >>> JMeter: ~50 externals libs >>> >>> I just checked Wicket: only own binaries, not even optionals like Ant. >>> >>> For Tomcat and Ivy it's maybe optional, but for JMeter it's not it seems. >>> I mean JMeter seems to depends on these external libs and they are >>> delivered in the binary. To be confirmed because I did not dig deeper. >>> >>> It's even more obvious on Geronimo download page: >>> http://geronimo.apache.org/apache-geronimo-v301-release.html >>> >>> <<Following distributions use Tomcat as the Web container and Axis2 as >>> the >>> Web Services engine.>> >>> >>> I did download the 91 MB, and can confirm it has a total of 346 jars, >>> most >>> not being "result of compiling that version of the source code release" >>> >>> I guess the external libraries are runtime dependencies, in certain cases >>> only optional. >>> >>> I also read at http://www.apache.org/legal/resolved.html#category-b >>> >>> <<software under the following licenses may be included in binary form >>> within an Apache product if the inclusion is appropriately labeled (see >>> below):>> >>> >>> So I don't think we can say "In other words we *cannot* include the >>> dependencies in the binary releases anyway. So people *must* use Gradle >>> to >>> download the dependencies" >>> >>> Jacques >>> >>> >>> Le 24/08/2016 à 17:12, Taher Alkhateeb a écrit : >>> >>> Hi Jacques, >>>> >>>> The discussion we had in OFBIZ-7783 was basically around whether or not >>>> we >>>> should have a task to copy the gradle dependencies into a certain >>>> directory. We went through many discussions, the last one being that >>>> this >>>> task might be needed for binary releases. >>>> >>>> However, if you look at the reference that _you_ provided you will >>>> notice >>>> that is says that you "may only add binary/bytecode files that are the >>>> result of compiling that version of the source code release" >>>> >>>> We are _NOT_ compiling any of the dependencies, instead, the build >>>> system >>>> downloads them from jcenter in a precompiled form. In other words we >>>> cannot >>>> include the dependencies in the binary releases anyway. So people must >>>> use >>>> Gradle to download the dependencies, and so the whole purpose of the >>>> binary >>>> release becomes unnecessary as you must have gradle and java installed >>>> on >>>> your computer. >>>> >>>> Taher Alkhateeb >>>> >>>> On Wed, Aug 24, 2016 at 5:36 PM, Jacques Le Roux < >>>> jacques.le.r...@les7arts.com> wrote: >>>> >>>> Hi, >>>> >>>>> At https://issues.apache.org/jira/browse/OFBIZ-7783 we recently had a >>>>> discussion with Taher about doing or not binary releases. >>>>> >>>>> This is how the ASF defines a binary release ( >>>>> http://www.apache.org/dev/release.html#what) >>>>> >>>>> <<All releases are in the form of the source materials needed to make >>>>> changes to the software being released. In some cases, binary/bytecode >>>>> packages are also produced as a convenience to users that might not >>>>> have >>>>> the appropriate tools to build a compiled version of the source. In all >>>>> such cases, the binary/bytecode package must have the same version >>>>> number >>>>> as the source release and may only add binary/bytecode files that are >>>>> the >>>>> result of compiling that version of the source code release.>> >>>>> >>>>> So the question is simple (not the answer, you need to think ahead): do >>>>> we >>>>> want to do binary releases? It comes with some burden, does it worth >>>>> it? >>>>> No >>>>> needs to rush an answer :) >>>>> >>>>> If you want more information you can already look at the conversation >>>>> we >>>>> had Pierre, Taher and I at OFBIZ-7783 >>>>> >>>>> Thanks >>>>> >>>>> Jacques >>>>> >>>>> >>>>> >>>>> >>>>> >