Why not include the wrapper? Isn't the whole point that it bootstraps itself via the wrapper? It isn't particularly large.
KEYS & Rat --> Excellent.

// Niclas

On Tue, Apr 28, 2015 at 2:56 PM, Paul Merlin <[email protected]> wrote:

> Niclas,
>
> Thanks for your thorough answer.
>
> Our actual distributions need refinements. For example the Gradle wrapper should not be included so we need to provide some 'bootstrap' for this, see https://github.com/apache/samza/blob/master/bootstrap.gradle
>
> If you're ok with that, I can handle that work while you put some effort elsewhere. I'm sure there's plenty of things to do.
>
> Moreover, I started hacking some gradle task that should enable us to generate the NOTICE files. It won't be as simple as it should be but it should work. I'll push it in a branch once I get something convincing.
>
> BTW I just pushed some commits to develop with two notable things:
> - add a KEYS file at the project's root with our GPG keys
> - add a `rat` build task that runs Apache Rat on the codebase
>
> Cheers
>
> /Paul
>
> Niclas Hedhman wrote:
> > Paul,
> > Yes, the NOTICE requirement is actually not stipulated by ASF, but by most licenses requiring that you "pay respect" to any upstream work you use.
> >
> > ASF requires that a "RELEASE" is in source code form and can be built from the distributed tar ball. That is the intention of our qi4j-sdk-<ver>-source.tar.gz as well, so we fulfill this requirement. This is of course not a coincidence, after all I have been very influenced by the ASF way of doing things. And think about it; Open SOURCE ;-)
> >
> > ASF's view on binary "releases" is that of "an optional convenience provided to users", and it is up to each community to define this. Again, we provide the binary Qi4j SDK, ready to use, complete with the dependencies.
> >
> > The Maven artifacts are another way to distribute "convenience" and we might have an issue there (I haven't checked recently), since upload to Maven Central requires all dependencies to be present on Maven Central, 3rd party repositories are not allowed to be referenced. And we have had a couple of those in the past, most notably for org.restlet. We should check how that is now (both in terms of Maven Central requirements, as well as if our dependency(ies) is/are now on it), and if we can't there is a backup plan called BinTray by JFrog, which is larger (encompasses all Maven Central + other repositories) and probably can fill the role if Maven Central can't.
> > In ASF, there is also a convention on putting LICENSE and NOTICE inside the JAR file, under the META-INF/maven/ directory, and I think the pom.xml goes in there as well.
> >
> > Now, I don't think we should bother to change the SDK content very much. Our current release artifacts fit the ASF expectations, and the "only" thing we need to do is to ensure that each dependency is mentioned in respective NOTICE file.
> >
> > I suggest; Please start with extensions/, and I will take care of libraries/. The rest whoever has more time available.
> >
> > For the build system, we might need to add META-INF/maven/ additions, and we should generate a top-level NOTICE file "somehow", for instance a header with the Qi4j component name + its NOTICE + a divider. And make it part of the final Source and Binary SDKs
> >
> > All in all, not that much work, since I have spent time on NOTICE in the past, but missing here and there, as well as the accuracy should be checked.
> >
> > Cheers
> > Niclas
> >
> > On Mon, Apr 27, 2015 at 5:47 PM, Paul Merlin <[email protected]> wrote:
> >
> > > Gang,
> > >
> > > I started to dig into ZEST-15.
> > >
> > > I'm first looking into NOTICE files.
> > > There are lots of other issues (headers, gradle wrapper, crypto etc...) but I'm handling them one at a time.
> > >
> > > From what I understand at http://www.apache.org/dev/licensing-howto.html :
> > >
> > > - Only one NOTICE file per released distribution is mandatory
> > > - Only *bundled* dependencies need to be scrutinized
> > >
> > > So, if we don't bundle any dependencies in our release distributions, NOTICE file should remain pretty simple.
> > >
> > > I looked at releases of other Apache TLPs like Samza, DeltaSpike and a few others at http://dist.apache.org/ and most of the JVM based projects only release a source distribution there.
> > > Then they publish JARs to maven repositories without LICENSE/NOTICE files.
> > >
> > > I'd lean towards doing the very same. That is releasing a sources-only distribution (with proper LICENSE/NOTICE files) and pushing artifacts to repositories once the release is voted.
> > >
> > > WDYT?
> > >
> > > Cheers
> > >
> > > /Paul

--
Niclas Hedhman, Software Developer
http://zest.apache.org/qi4j <http://www.qi4j.org> - New Energy for Java
