See my other mail in this thread, but also inline below. --Thilo
Marshall Schor wrote: > > Thilo Goetz wrote: >> Jukka Zitting wrote: >> >>> Hi, >>> >>> On Sun, Sep 20, 2009 at 10:19 PM, Marshall Schor <m...@schor.com> wrote: >>> >>>> After thinking about this for a while, and considering both methods, I >>>> think the most reliable way to handle 3rd party Jars is to manually put >>>> them into the lib/ directory, once, and then check the lib/ directory >>>> into SVN. This avoids build issues in the future which could occur if >>>> the Jar obtained from the maven dependency plugin is somehow corrupted, >>>> or changes level, etc. Also, having the Jars in SVN insures that >>>> whatever work we do to update the LICENSE/NOTICE files for those Jars >>>> remains valid (because the Jar doesn't (potentially) change). >>>> >>> By policy non-SNAPSHOT artifact in the Maven repository never change, >>> and each artifact is accompanied by checksums that guard against >>> corruption. It's possible for a user to mess up the files in their >>> local Maven repository, but it's probably just as likely that they'd >>> mess up any files in ./lib. >>> >>> To me the proposed solution sounds like extra effort with little or no >>> benefit. >>> >> One benefit I see is that you have only one NOTICE/LICENSE file >> for the source and binary distribution. > I had trouble understanding this, until I guessed that you're assuming > here that we will include these Jars in the "src" distribution, is this > right? >> What's more, if your >> source distribution does not include the dependencies and you >> therefore don't mention them in your NOTICE/LICENSE files, it >> might come as a surprise to users that the build pulls in all >> those files they didn't know about (or they don't even notice, >> which would be even worse). >> > > I see. The choices here: > > * case 1: having 3rd party Jars checked into SVN > 1.a) shipping these in the "src" distrib: have to match LIC/NOT pair > with bin, no "surprise" > 1.b) not shipping these in the "src" distrb: different LIC/NOT pair > for src, potential surprise when building with maven I don't think 1b is an option. If they're in svn, they need to be in the source distribution. > > * case 2: not having 3rd party Jars checked into SVN > different LIC/NOT pair for src, potential surprise when building with > maven > > Do you prefer approach 1.a? That's what I'm now thinking is best. I > had been thinking 1.b) because I didn't think through the reasons to > ship the Jars with the source distribution. > > -Marshall > >> --Thilo >> >> >>> BR, >>> >>> Jukka Zitting >>> >> >>