Re: Reuse Maven repository more

gt; > >> wrote: > >> ... > > > >> One idea that keeps puzzling in my mind is to reuse central Maven > >> repository > >> more than we used to. If I understand correctly while the Maven central > is > >> operated by Sonatype, it is just &

Re: Reuse Maven repository more

28. 9. 2016 v 11:25, Greg Stein <gst...@gmail.com>: > On Tue, Sep 27, 2016 at 10:13 PM, Jaroslav Tulach <jaroslav.tul...@gmail.com >> wrote: >> ... > >> One idea that keeps puzzling in my mind is to reuse central Maven >> repository >> more tha

Re: Reuse Maven repository more was: Preliminary NetBeans cost findings

On Wed, Sep 28, 2016 at 5:13 AM, Jaroslav Tulach wrote: > There are also the [3rd party binaries used during NetBeans build](http:// > hg.netbeans.org/binaries/) - most of them available from Maven central. I > already [created a

Re: Reuse Maven repository more was: Preliminary NetBeans cost findings

On Wed, Sep 28, 2016 at 12:56 PM, Wade Chandler wrote: > ...more later when we get to an incubator... +1 -Bertrand - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional

Re: Reuse Maven repository more was: Preliminary NetBeans cost findings

On Sep 28, 2016 5:55 AM, "Sven Reimers" <sven.reim...@gmail.com> wrote: > > > 2. Use Maven repository as storahe backend for the plugin portal, so that > only the metadata is hosted at the portal not the module binaries.. > I think the terminology here is key. A &q

Re: Reuse Maven repository more was: Preliminary NetBeans cost findings

Hi, if I understood Jaroslav correct he is proposing two changes 1. Download 3rd party binaries needed to build NetBeans from a maven repository (maven central, jcenter or if you behinf corporate firewalls a synced self hosted repo using nexus or artifactory) 2. Use Maven repository as storahe

Re: Reuse Maven repository more was: Preliminary NetBeans cost findings

On Tue, Sep 27, 2016 at 10:13 PM, Jaroslav Tulach <jaroslav.tul...@gmail.com > wrote: >... > One idea that keeps puzzling in my mind is to reuse central Maven > repository > more than we used to. If I understand correctly while the Maven central is > operated by Sonatyp

Re: Reuse Maven repository more was: Preliminary NetBeans cost findings

he > > go-ahead for it, otherwise we'll have to find other people willing to > > host this. > > Hi. > One idea that keeps puzzling in my mind is to reuse central Maven > repository > more than we used to. If I understand correctly while the Maven central is > operated by Sonatype, it

Reuse Maven repository more was: Preliminary NetBeans cost findings

ow to produce Maven artifacts and there is a NetBeans Maven repository: http://bits.netbeans.org/nexus/content/groups/netbeans/ In addition to that we could modify the http://plugins.netbeans.org to be just a catalog over bits available in Maven central. There are also the [3rd party binaries used du

Re: Could you grant me the access to upload eagle's artifacts to maven repository?

No, Henry, I'm not blocked by it although having another issue, let's talk about it in another thread. Thanks. On Wed, Aug 17, 2016 at 2:13 AM, Henry Saputra wrote: > Michael, > > Both issues are closed. Are you still blocked with the repo for eagle > creation? > > -

Re: Could you grant me the access to upload eagle's artifacts to maven repository?

Michael, Both issues are closed. Are you still blocked with the repo for eagle creation? - Henry On Sun, Aug 14, 2016 at 8:27 PM, Michael Wu wrote: > Got it, John, i'll take notice. Thanks. Sorry for the spam. > > On Mon, Aug 15, 2016 at 10:22 AM, John D. Ament

Re: Could you grant me the access to upload eagle's artifacts to maven repository?

Got it, John, i'll take notice. Thanks. Sorry for the spam. On Mon, Aug 15, 2016 at 10:22 AM, John D. Ament wrote: > Michael, > > Your best bet is to ping infra. If email doesn't work, hopping on to > hipchat with them may work. > http://www.apache.org/dev/infra-contact

Re: Could you grant me the access to upload eagle's artifacts to maven repository?

Michael, Your best bet is to ping infra. If email doesn't work, hopping on to hipchat with them may work. http://www.apache.org/dev/infra-contact John On Sun, Aug 14, 2016 at 10:15 PM Michael Wu wrote: > Hi Jake, > > Could you please help on this case? There are some

Re: Could you grant me the access to upload eagle's artifacts to maven repository?

Hi Jake, Could you please help on this case? There are some required dependencies blocked. Thanks. Michael On Thu, Aug 11, 2016 at 11:20 AM, Michael Wu wrote: > Hi Jake, > > Tickets created: > https://issues.apache.org/jira/browse/INFRA-12409 >

Re: Could you grant me the access to upload eagle's artifacts to maven repository?

Hi Jake, Tickets created: https://issues.apache.org/jira/browse/INFRA-12409 https://issues.apache.org/jira/browse/INFRA-12410 Thanks for helping it out. Michael On Tue, Aug 9, 2016 at 12:00 AM, Jake Farrell wrote: > Your user will have to get added to nexus, can you

Re: Could you grant me the access to upload eagle's artifacts to maven repository?

Your user will have to get added to nexus, can you please put in an infra ticket for this -Jake On Sun, Aug 7, 2016 at 11:35 PM, Michael Wu wrote: > Hi there, > > My apache account is "mw". > > I was trying to use > > $> mvn -Papache-release -DskipTests

Could you grant me the access to upload eagle's artifacts to maven repository?

Hi there, My apache account is "mw". I was trying to use $> mvn -Papache-release -DskipTests -Dgpg.passphrase=${GPG_PASSPHRASE} deploy to upload eagle's jars to https://repository.apache.org/ service/local/staging/deploy/maven2, but it always returned 400 error, as below fragment:

Re: Third party Maven Repository Usage

Thanks for the reply Brian, this is much relief. However in your initial response your wording clearly indicated the new policy already being enforced, up to: [...] your artifacts will end up blocked. A little less restrictive description could have prevented this misunderstanding... I think

Re: Third party Maven Repository Usage

Interesting. That's news to me... You have a pointer to more information? As it turns out, almost all references to external repositories in poms are junk or turn out to be junk after a bit of time. See here for some examples:

Re: Third party Maven Repository Usage

On 03/23/2010 01:01 AM, Kevan Miller wrote: On Mar 20, 2010, at 4:45 PM, Brian Fox wrote: At the Central repository we are restricting the inclusion of external repositories because this generally creates a mess. This is being enforced on new artifacts coming in so I would recommend you do

Re: Third party Maven Repository Usage

We are having the same problem in Clerezza, one of the dependencies that isn't in the central repo is sesame 2 [1]. I think we have the following options: - not include the sesame backend in the default distribution (users who need it would have to compile it their selves of download it from

Re: Third party Maven Repository Usage

At the Central repository we are restricting the inclusion of external repositories because this generally creates a mess. This is being enforced on new artifacts coming in so I would recommend you do not add them or your artifacts themselves will end up blocked. A better choice is to encourage

Third party Maven Repository Usage

Hi; Is there any rule/policy for using third-party maven repositories in our project poms? Recently, we have required to list some repositories in settings.xml (for example: jboss) to our codebase built correctly. But when Apache-Hudson runs to built daily, it throws errors because of not finding

Re: Third party Maven Repository Usage

I don't know of any apache policy regarding external repositories but i usual don't recommend placing repositories into the POM at all. Best practice is to use a repository manager and add the repositories there. So, i am not sure how Apache Hudson is configured currently, but i would suggest

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

anyone wants to propose an alternative policy. See revision 704280. It is now OK for podlings to deploy approved releases (that satisfy the labeling and disclaimer requirements) to the central Maven repository through m2-ibiblio-rsync-repository. BR, Jukka Zitting

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

) to the central Maven repository through m2-ibiblio-rsync-repository. BR, Jukka Zitting - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Thanks, Jason

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Hi, On Mon, Oct 6, 2008 at 9:45 PM, Jukka Zitting [EMAIL PROTECTED] wrote: So, unless within a week from now we start seeing constructive efforts at forming an alternative policy (or clarifying the current undocumented policy) that we could vote on, I will declare this vote as passing and

[jira] Resolved: (INCUBATOR-82) Allow extra release distribution channels like the central Maven repository

-archives.apache.org/mod_mbox/incubator-general/200809.mbox/[EMAIL PROTECTED] Allow extra release distribution channels like the central Maven repository --- Key: INCUBATOR-82 URL: https

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

approved releases (that satisfy the labeling and disclaimer requirements) to the central Maven repository through m2-ibiblio-rsync-repository. BR, Jukka Zitting - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

releases (that satisfy the labeling and disclaimer requirements) to the central Maven repository through m2-ibiblio-rsync-repository. BR, Jukka Zitting - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Jason van Zyl wrote: The central repository is the Maven PMC's business. What results will be public policy but we'd like to avoid the banter of the misinformed so we can arrive at a decision quickly. I'd love to avoid the banter of the misinformed too, but that's not the way Apache projects

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

The central repository is not an Apache project's resource. We've always discussed issues of the central repository in private (except for technical details of syncing other project repositories) and as far as policy goes it's the Maven PMC that will sets it. Members can see the list and

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Hi, On Wed, Sep 24, 2008 at 3:40 PM, Jukka Zitting [EMAIL PROTECTED] wrote: This is a slight majority (of binding votes) for accepting the proposed change, but given the clear lack of consensus and the concerns voiced about that, I unfortunately need to conclude that this issue should be

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

The central repository is the Maven PMC's business. What results will be public policy but we'd like to avoid the banter of the misinformed so we can arrive at a decision quickly. On 6-Oct-08, at 10:22 AM, Noel J. Bergman wrote: Jason van Zyl wrote: The discussions are taking place on

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

On Tue, Oct 7, 2008 at 11:47 AM, Jason van Zyl [EMAIL PROTECTED] wrote: The central repository is the Maven PMC's business. What results will be public policy but we'd like to avoid the banter of the misinformed so we can arrive at a decision quickly. Yes, although the PMC is expected to do

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

CLI tool, produces a Lucene index which Nexus uses to create a federated searching and retrieval mechanism. One instance of Nexus can proxy any other Maven repository -- a repository manager or normal webserver -- and with the presence of the Nexus index allows federated searching

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008/10/3 Jason van Zyl [EMAIL PROTECTED]: On 2-Oct-08, at 9:19 PM, Noel J. Bergman wrote: Emmanuel Lecharny wrote: Better a bad decision than no decision, otherwise, soon, nobody will vote anymore... Not really. Consider that there appears to be a clear consensus that if Maven were to

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

The discussions are taking place on the Maven PMC list. If you are a member you can join the list. On 4-Oct-08, at 8:31 AM, Gilles Scokart wrote: 2008/10/3 Jason van Zyl [EMAIL PROTECTED]: On 2-Oct-08, at 9:19 PM, Noel J. Bergman wrote: Emmanuel Lecharny wrote: Better a bad decision

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

On Sat, Oct 4, 2008 at 12:45 AM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Color me confused again, but during setup and formation of the Incubator, a podling had to graduate before doing a release. It was rather well established before this rule was modified, but it seems that this change

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

On 2-Oct-08, at 9:19 PM, Noel J. Bergman wrote: Emmanuel Lecharny wrote: Better a bad decision than no decision, otherwise, soon, nobody will vote anymore... Not really. Consider that there appears to be a clear consensus that if Maven were to fix the download situation, requiring that

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Noel J. Bergman wrote: William A. Rowe, Jr. wrote: Jukka Zitting wrote: Does the ASF endorse these releases, and what does that endorsement mean? yes... You are talking about a legal licensing matter, whereas discussion during the setup and formation of the Incubator was quite

RE: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

William A. Rowe, Jr. wrote: Jukka Zitting wrote: This is a slight majority (of binding votes) for accepting the proposed change, but given the clear lack of consensus and the concerns voiced about that, I unfortunately need to conclude that this issue should be tabled until better

RE: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Emmanuel Lecharny wrote: Better a bad decision than no decision, otherwise, soon, nobody will vote anymore... Not really. Consider that there appears to be a clear consensus that if Maven were to fix the download situation, requiring that users approve the user of Incubator artifacts, rather

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

On Thu, Sep 25, 2008 at 5:15 AM, Doug Cutting [EMAIL PROTECTED] wrote: This is the crux of the issue. Do releases from the Incubator project differ from those of other projects? The people who created the Incubator should be able to answer this question. IMHO (I didn't vote), what we all

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Hi, On Thu, Sep 25, 2008 at 12:58 AM, Niall Pemberton [EMAIL PROTECTED] wrote: If this vote doesn't pass then we need to re-write the rules to define how much of a majority overturns the status quo. I'm following http://www.apache.org/foundation/voting.html and the express wish of our PMC

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

On Fri, Sep 26, 2008 at 5:31 AM, Jukka Zitting [EMAIL PROTECTED]wrote: Hi, On Thu, Sep 25, 2008 at 12:58 AM, Niall Pemberton [EMAIL PROTECTED] wrote: If this vote doesn't pass then we need to re-write the rules to define how much of a majority overturns the status quo. I'm following

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Matthieu Riou wrote: I've also looked at the mentors votes, those who are basically running this place. I'm a small player but Craig mentors 6 poddlings, Jim, Henning and Jukka 4 and Doug 3. I'm not saying their votes count more than others, just that when those people disagree, we should

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

On Fri, Sep 26, 2008 at 9:55 AM, William A. Rowe, Jr. [EMAIL PROTECTED]wrote: Matthieu Riou wrote: I've also looked at the mentors votes, those who are basically running this place. I'm a small player but Craig mentors 6 poddlings, Jim, Henning and Jukka 4 and Doug 3. I'm not saying

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

William A. Rowe, Jr. wrote: David Crossley wrote: William A. Rowe, Jr. wrote: [snip] I liked the way you put the question; it's not up to incubator project to set the rules for Maven. If the maven PMC decides that these incubator releases don't belong in the primary repository,

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Hi, On Wed, Sep 24, 2008 at 5:45 AM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Jukka Zitting wrote: Please vote on accepting or rejecting this policy change! This majority vote is open for a week and only votes from the Incubator PMC members are binding. Just as a point of reference,

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Jukka Zitting wrote: I extended the vote for another week, which IMHO clearly puts the endpoint to this morning. As such, I will be closing the vote in a few hours. :) Sounds great - To unsubscribe, e-mail: [EMAIL

[RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

we have a clearer policy on what we actually require of incubating releases and their distribution, it seems premature to debate whether the Maven repository meets those requirements. So, before reopening this release distribution issue, I would expect us to clarify the policy on incubating

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

and other methodologies helped us validate the legal aspects of the ASF releases to the point that this is not uncomfortable anymore. The main impression I got from the related discussion is that the main concern is not that much the security or transparency of the Maven repository but rather

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Jukka Zitting wrote: Of which we have two; released, or not released, and that's a product of oversight and a [VOTE]. There are no magical in-betweens. As evidenced by this vote this is hardly the consensus. See comments like incubating releases to be treated as full Apache releases or

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

a definition of how short we fell of passing this vote and what the bar is. Niall The main impression I got from the related discussion is that the main concern is not that much the security or transparency of the Maven repository but rather the status of incubating releases in general

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Niall Pemberton wrote: This is a slight majority (of binding votes) for accepting the proposed change, but given the clear lack of consensus and the concerns voiced about that, I unfortunately need to conclude that this issue should be tabled until better consensus is reached. If this was

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

William A. Rowe, Jr. wrote: Jukka Zitting wrote: [snip] Are incubating releases official releases of the ASF? Yes. Otherwise they must be removed from ASF servers. There's no middle ground. [snip] How strong disclaimers are needed and what level of explicit acknowledgement

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

David Crossley wrote: William A. Rowe, Jr. wrote: [snip] I liked the way you put the question; it's not up to incubator project to set the rules for Maven. If the maven PMC decides that these incubator releases don't belong in the primary repository, that's their call. But this vote

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

On Wed, Sep 24, 2008 at 2:21 PM, William A. Rowe, Jr. [EMAIL PROTECTED]wrote: Jukka Zitting wrote: Of which we have two; released, or not released, and that's a product of oversight and a [VOTE]. There are no magical in-betweens. As evidenced by this vote this is hardly the consensus.

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

the incubating release subsequently is abandoned, blame will be cast widely, including Apache itself. Considering that dependencies on incubating releases can be resolved by explicitly adding an incubating Maven repository into your settings, I don't think that wide, mirrored, distribution

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Jukka Zitting wrote: [ ] +1 Yes, allow extra release distribution channels like the central Maven repository [ ] -1 No, keep the current policy +1 All releases by ASF PMC's should be equal. If the Incubator PMC isn't confident of a release then it shouldn't release it. The release process

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

On Tue, Sep 23, 2008 at 3:15 PM, Doug Cutting [EMAIL PROTECTED] wrote: Jukka Zitting wrote: [ ] +1 Yes, allow extra release distribution channels like the central Maven repository [ ] -1 No, keep the current policy +1 All releases by ASF PMC's should be equal. If the Incubator PMC isn't

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

the central Maven repository [ ] -1 No, keep the current policy +1 All releases by ASF PMC's should be equal. If the Incubator PMC isn't confident of a release then it shouldn't release it. The release process should not just check legal concerns, but also the quality of the code and its

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Jukka Zitting wrote: Please vote on accepting or rejecting this policy change! This majority vote is open for a week and only votes from the Incubator PMC members are binding. Just as a point of reference, extending a vote for a given period of time is a good thing to accommodate all input.

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

adding an incubating Maven repository into your settings, I don't think that wide, mirrored, distribution is warranted. Craig On Sep 9, 2008, at 11:34 PM, Jukka Zitting wrote: Hi, We've had a number of long discussions about the incubating projects using the central Maven repository

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Zitting wrote: I would like to finally resolve the issue one way or another Until somebody on the other way reopens it in a few months ;-( [ ] +1 Yes, allow extra release distribution channels like the central Maven repository [ ] -1 No, keep the current policy

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

On Sun, Sep 21, 2008 at 6:13 PM, Roland Weber [EMAIL PROTECTED] wrote: Users who would care about incubating disclaimers will find those via Maven too. Users who don't care will ignore them no matter what you do. You can't force users to care. Although I agree with your standpoint, your

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

On Thu, Sep 18, 2008 at 4:57 AM, Noel J. Bergman [EMAIL PROTECTED] wrote: William A. Rowe, Jr. wrote: Noel J. Bergman wrote: The current tally is extremely close (9 +1 vs. 8 -1 binding) I don't want to close an issue with such a small margin. I suggest that we should not change policy

[DISCUSS] Alternative proposition [Was: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

not forbid the incubator artefact to be published in the maven repository. Once an incubating release is done, anyone is free to redistribute it. - It bring benefits for the incubating project (more users, more visibility) -1 say: - It allow the user to ignore the disclaimer

Re: [DISCUSS] Alternative proposition [Was: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

to summarize the two positions, see if we could not reconcile the two positions and found a better consensus. Here is what the 2 camps say: +1 : say: - We can not forbid the incubator artefact to be published in the maven repository. Once an incubating release is done, anyone is free

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

the central Maven repository [ ] -1 No, keep the current policy My vote is +1 BR, Jukka Zitting +1. While I understand the concern with the need for it to be clear to users (developers using Maven) that they are using an incubator release, and not an endorsed-by-Apache release, I believe

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Similarly, the issue of signature validation is a significant flaw which I also hope maven addresses even more promptly, and which they are aware of. The alternatives are to take down maven until it is secure, or to

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

+1 (non-binding) The current policy is silly. On Wed, Sep 10, 2008 at 8:34 AM, Jukka Zitting [EMAIL PROTECTED]wrote: Hi, We've had a number of long discussions about the incubating projects using the central Maven repository to distribute their releases. The current policy

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Similarly, the issue of signature validation is a significant flaw which I also hope maven addresses even more promptly, and which they are aware of.

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote: Thus: If the central maven repository maintainers (Maven PMC) decide to put incubator artifacts into their repository without a click through this is incubator code disclaimer, we'd have no legal reason to say

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

On Thu, Sep 10, 2008 at 9:34 AM, Jukka Zitting [EMAIL PROTECTED] wrote: Hi, We've had a number of long discussions about the incubating projects using the central Maven repository to distribute their releases. The current policy is that incubating releases should not go

Re: [DISCUSS] Alternative proposition [Was: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

a better consensus. Here is what the 2 camps say: +1 : say: - We can not forbid the incubator artefact to be published in the maven repository. Once an incubating release is done, anyone is free to redistribute it. - It bring benefits for the incubating project (more users, more

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

PROTECTED] wrote: On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote: Thus: If the central maven repository maintainers (Maven PMC) decide to put incubator artifacts into their repository without a click through this is incubator code disclaimer, we'd have no legal

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

it. :-) Dan thanks, dims On Thu, Sep 18, 2008 at 11:17 AM, Daniel Kulp [EMAIL PROTECTED] wrote: On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote: Thus: If the central maven repository maintainers (Maven PMC) decide to put incubator artifacts

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

of crap and overwrite releases and add snapshots and stuff. Then they wouldn't want it. :-) Dan thanks, dims On Thu, Sep 18, 2008 at 11:17 AM, Daniel Kulp [EMAIL PROTECTED] wrote: On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote: Thus: If the central maven

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

On Thu, Sep 18, 2008 at 10:59 AM, sebb [EMAIL PROTECTED] wrote: On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Similarly, the issue of signature validation is a significant flaw which I also hope maven

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

Hiram Chirino wrote: So the responsibility is still on us, the upstream distributor, to verify the the checksums we list in our source distro are correct. But at least by doing this, down stream users of our source distros can rest assured that the dependencies that they are using are the

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

releases and add snapshots and stuff. Then they wouldn't want it. :-) Dan thanks, dims On Thu, Sep 18, 2008 at 11:17 AM, Daniel Kulp [EMAIL PROTECTED] wrote: On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote: Thus: If the central maven repository

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

or by downloading a source release, both of which are separate from the Maven repository. Once you've confident that the sources you have are not compromised, the included checksums will verify that the dependencies that were downloaded by Maven are also valid (i.e. the same binaries that the original developer

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Thu, Sep 18, 2008 at 10:59 AM, sebb [EMAIL PROTECTED] wrote: On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Similarly, the issue of

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

and which you typically got either by checking it out of svn or by downloading a source release, both of which are separate from the Maven repository. Once you've confident that the sources you have are not compromised, the included checksums will verify that the dependencies that were

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

Hi, On Thu, Sep 18, 2008 at 9:08 PM, sebb [EMAIL PROTECTED] wrote: The checksums are _not_ downloaded from the Maven repository. So where are they stored? For example in our svn or signed source release packages. Along with the source code. BR, Jukka Zitting

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Hiram Chirino wrote: So the responsibility is still on us, the upstream distributor, to verify the the checksums we list in our source distro are correct. But at least by doing this, down stream users of our source

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

Right.. It's part of the source distro or SVN. On Thu, Sep 18, 2008 at 3:10 PM, Jukka Zitting [EMAIL PROTECTED] wrote: Hi, On Thu, Sep 18, 2008 at 9:08 PM, sebb [EMAIL PROTECTED] wrote: The checksums are _not_ downloaded from the Maven repository. So where are they stored? For example

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

On Thu, Sep 18, 2008 at 3:07 PM, sebb [EMAIL PROTECTED] wrote: On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Thu, Sep 18, 2008 at 10:59 AM, sebb [EMAIL PROTECTED] wrote: On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.

RE: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

maven repository maintainers (Maven PMC) decide to put incubator artifacts into their repository without a click through this is incubator code disclaimer, we'd have no legal reason to say no. The Apache License allows them to do so. The Incubator PMC controls the policy on how

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

Hiram, I wish you would desist already from debating positions that you can't defend... Hiram Chirino wrote: On Thu, Sep 18, 2008 at 3:07 PM, sebb [EMAIL PROTECTED] wrote: On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: So the responsibility is still on us, the upstream distributor, to

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

0. There were good reasons for both sides. Regards, Thomas - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Hiram Chirino wrote: So the responsibility is still on us, the upstream distributor, to verify the the checksums we list in our source distro are

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

Trust me I'm not trying to be difficult.. On Thu, Sep 18, 2008 at 4:53 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Hiram, I wish you would desist already from debating positions that you can't defend... Hiram Chirino wrote: On Thu, Sep 18, 2008 at 3:07 PM, sebb [EMAIL PROTECTED]

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

On Thu, Sep 18, 2008 at 4:57 PM, sebb [EMAIL PROTECTED] wrote: On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Hiram Chirino wrote: So the responsibility is still on us, the upstream distributor, to

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

Hiram Chirino wrote: Agreed. I never argued against this. But I fail to see the point? Are you saying initial trust is hard to secure? I totally agree on that point. You have any solutions? Yes. You sign your package locally, never on the remote system. The ASF hardware must never have

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

Hi, On Thu, Sep 18, 2008 at 11:41 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Since the hash is not security, it's not terribly important, eh? Hashes are a perfect tool for verifying message integrity. They won't prove origin like signatures do, but verifiable integrity is hardly *not*

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008/9/16 Emmanuel Lecharny [EMAIL PROTECTED]: The problem with a release injected in maven is that it will be there forever. If a release has some problems (IP issues, etc), you can't remove it from maven, as some projects might depend on it, and the users will immediately carpet bomb the

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Hi, On Wed, Sep 10, 2008 at 8:34 AM, Jukka Zitting [EMAIL PROTECTED] wrote: Please vote on accepting or rejecting this policy change! This majority vote is open for a week and only votes from the Incubator PMC members are binding. I am extending the vote period for another week as there is

  1   2   3   4   >