Davanum Srinivas wrote:

Since you are stating facts, let's make it clear that when someone
downloads the artifacts, there's a good chance that you will see the
disclaimers. With maven, we don't. That's the hiccup that caused the
policy in place right now and the bruising battle now being fought is
caused by the fact that there is no other
maven-pmc-blessed-and-approved-way to inform the folks who
auto-magically pull dependencies as of this moment and there is not
likely to be one in the future AFAICT.

We don't disagree.  For that matter, there are licenses, notices and
other critical information present in maven artifacts which are unlikely
to be noticed.  That's a failure of maven and not germane to this
discussion, although I certainly hope that maven addresses it!  But in
most cases, the disclaimer was only relevant to the individual developer
who incited the dependency and triggered a maven build to fetch that
particular artifact.  Our disclaimer is really meaningless to the end
user of that developer's combined work.

Similarly, the issue of signature validation is a significant flaw which
I also hope maven addresses even more promptly, and which they are aware
of.  The alternatives are to take down maven until it is secure, or to
continue to populate maven with various released artifacts.  And this too
isn't germane to the question above, which is:

  "Allow extra release distribution channels like the central Maven
   repository?"

If an incubating release is a release, with a specific DISCLAIMER (no
different than incorporating other NOTICEs or LICENSE), and a specific
release name format (apache-incubating-{podling}-{rev}), then the Maven
specific side of this argument should happen on the Maven list, and this
discussion should finally come to an end.

Bill
