On May 21, 2009, at 1:03 PM, Upayavira wrote:
I am a mentor for Shindig, but I am aware that a weakness of mine as a
mentor is that I'm not that knowledgeable or experienced with the
release process at Apache, and therefore have not followed this thread
in detail, which I really should have.

It seems that this release is stalled, but I am not entirely sure how,
and want to understand this better.

Sebb has raised some valid concerns; some were addressed, some are left; shindig has to address those concerns, put up new artifacts, and then ask for another vote.

The thing that confuses me is that, as I understand it, Shindig is just
using Maven to produce its artefacts (binary jars as a convenience to
users). If that is the case, surely those artefacts are structured in
the same way as other Maven based releases from other projects?

The apache-hosted maven-based projects I've checked (including maven itself!) only officially release source archives. As Jason pointed out, this is now pretty easy to do in accordance with policy, thanks to some plugin work David did quite a while ago.

To release binary archives that embed third-party dependencies is more work. The LICENSE and NOTICE files have to have details about dependencies, if those dependencies are in the binary distributions. With maven, automatic resolution of transitive dependencies is possible, which shindig relies on. However, there is not automatic resolution of licensing details, which makes crossing the legal t's and dotting the legal i's quite a chore.

Is it that we have identified a new issue that actually affects _all_ Maven based releases, not just Shindig?

No, not necessarily. You can use maven to produce binary releases that have all the required legal details inside of them; it just isn't automatically taken care of.

If so, how can we both unblock the Shindig release

Shindig can choose to either do the work to get the legal bits and pieces related to their dependencies sorted out and produce binary releases that follow the rules, or they can opt to do a source-only release.

and also get this issue resolved in such a way as it covers all Maven based projects?

To solve this issue in a way that covers all maven-based projects requires making sure that all required legal details and notices are put inside the maven repositories in a machine-processable manner, for all artifacts, and then modifying a maven plugin or two to aggregate those details automagically, and then to make use of that plugin everywhere. In other words, that's a few months of work at the least :-)

cheers,

- Leo
