On Mar 29, 2012, at 15:07 , Bertrand Delacretaz wrote: > On Thu, Mar 29, 2012 at 2:41 PM, Jukka Zitting <jukka.zitt...@gmail.com> > wrote: >> ...It seems like Roy is much more categorical about this. Assuming I >> understand his point correctly, *no* binary dependencies are >> acceptable within a source tar ball.
Let's see if I still correctly follow this discussion. So far we seem to have consensus about the fact that: a) the only official releases that Apache does are source releases, and b) source releases must not contain binaries (of any dependencies). So far so good, and the only suggestion I have in this area is that we should make a more clear distinction between what we officially release (and vote on) and anything else we might provide for convenience. Just taking a look at www.apache.org/dist/ reveals that it contains both, and a lot of the time not clearly separated, which is confusing. Furthermore, it seems that some projects have more than just their latest release there (which is another matter, not related to this discussion). I propose something like: * www.apache.org/dist/[project]/ for the latest source release that was voted on * www.apache.org/bin/[project]/ for "convenience" binaries, etc. >> What I don't quite (yet) understand is how a reference like >> "junit:junit:4.10" to a download service maintained by a third party >> is more acceptable than directly including the referenced bits... > > I think the difference is that by saying "get junit:junit:4.10 to > build this" we put the burden on our users to make sure they get the > right bits, either by building them themselves from the junit sources, > or trusting whoever provides them. > > By shipping those bits ourselves instead, we would take the > responsibility on our shoulders, which we don't want. Since we are allowed to somehow reference an artifact (as long as it has a license that is compatible with what we do) and have a build script download it, my question is, must this artifact come from a location *outside* of Apache, or are we also allowed to reference these binaries that were provided for convenience by our own projects? Related, how about binaries that are in a separate part of the SVN tree of a project (a part that is not released)? Can we reference and download (or checkout) those as part of a build script? Greetings, Marcel --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org