Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-17 Thread Jason van Zyl
Jukka, Are you intending here to just redirect podlings distribution management to: http://people.apache.org/repo/m2-ibiblio-rsync-repository/ Do you want me to sync the existing repository here: http://people.apache.org/repo/m2-incubating-repository/ to

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-17 Thread Brett Porter
On 18/10/2008, at 6:12 AM, Jason van Zyl wrote: Jukka, Are you intending here to just redirect podlings distribution management to: http://people.apache.org/repo/m2-ibiblio-rsync-repository/ This alternative seems the most practical suggestion, by the reasoning: * the separation would

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-13 Thread Jukka Zitting
Hi, On Mon, Oct 6, 2008 at 9:45 PM, Jukka Zitting [EMAIL PROTECTED] wrote: So, unless within a week from now we start seeing constructive efforts at forming an alternative policy (or clarifying the current undocumented policy) that we could vote on, I will declare this vote as passing and

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-13 Thread Jukka Zitting
Hi, On Mon, Oct 13, 2008 at 3:30 PM, Jukka Zitting [EMAIL PROTECTED] wrote: Just a final heads up that, based on the majority vote, I will be implementing this policy change tonight unless anyone wants to propose an alternative policy. See revision 704280. It is now OK for podlings to deploy

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-13 Thread Will Glass-Husain
Thanks, Jukka--- Very much admire your leadership on navigating us through a decision making process on this tricky issue. Not to mention your peaceful attitude in the midst of much passion. cheers, WILL On Mon, Oct 13, 2008 at 4:00 PM, Jukka Zitting [EMAIL PROTECTED] wrote: Hi, On Mon, Oct

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-07 Thread Doug Cutting
Jason van Zyl wrote: The central repository is the Maven PMC's business. What results will be public policy but we'd like to avoid the banter of the misinformed so we can arrive at a decision quickly. I'd love to avoid the banter of the misinformed too, but that's not the way Apache projects

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-07 Thread Jason van Zyl
The central repository is not an Apache project's resource. We've always discussed issues of the central repository in private (except for technical details of syncing other project repositories) and as far as policy goes it's the Maven PMC that will set it. Members can see the list and

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-06 Thread Jukka Zitting
Hi, On Wed, Sep 24, 2008 at 3:40 PM, Jukka Zitting [EMAIL PROTECTED] wrote: This is a slight majority (of binding votes) for accepting the proposed change, but given the clear lack of consensus and the concerns voiced about that, I unfortunately need to conclude that this issue should be

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-06 Thread Jason van Zyl
The central repository is the Maven PMC's business. What results will be public policy but we'd like to avoid the banter of the misinformed so we can arrive at a decision quickly. On 6-Oct-08, at 10:22 AM, Noel J. Bergman wrote: Jason van Zyl wrote: The discussions are taking place on

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-06 Thread Niclas Hedhman
On Tue, Oct 7, 2008 at 11:47 AM, Jason van Zyl [EMAIL PROTECTED] wrote: The central repository is the Maven PMC's business. What results will be public policy but we'd like to avoid the banter of the misinformed so we can arrive at a decision quickly. Yes, although the PMC is expected to do

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-06 Thread Jason van Zyl
On 7-Oct-08, at 12:02 AM, Niclas Hedhman wrote: On Tue, Oct 7, 2008 at 11:47 AM, Jason van Zyl [EMAIL PROTECTED] wrote: The central repository is the Maven PMC's business. What results will be public policy but we'd like to avoid the banter of the misinformed so we can arrive at a

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-04 Thread Gilles Scokart
2008/10/3 Jason van Zyl [EMAIL PROTECTED]: On 2-Oct-08, at 9:19 PM, Noel J. Bergman wrote: Emmanuel Lecharny wrote: Better a bad decision than no decision, otherwise, soon, nobody will vote anymore... Not really. Consider that there appears to be a clear consensus that if Maven were to

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-04 Thread Jason van Zyl
The discussions are taking place on the Maven PMC list. If you are a member you can join the list. On 4-Oct-08, at 8:31 AM, Gilles Scokart wrote: 2008/10/3 Jason van Zyl [EMAIL PROTECTED]: On 2-Oct-08, at 9:19 PM, Noel J. Bergman wrote: Emmanuel Lecharny wrote: Better a bad decision

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-04 Thread Niclas Hedhman
On Sat, Oct 4, 2008 at 12:45 AM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Color me confused again, but during setup and formation of the Incubator, a podling had to graduate before doing a release. It was rather well established before this rule was modified, but it seems that this change

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-03 Thread Jason van Zyl
On 2-Oct-08, at 9:19 PM, Noel J. Bergman wrote: Emmanuel Lecharny wrote: Better a bad decision than no decision, otherwise, soon, nobody will vote anymore... Not really. Consider that there appears to be a clear consensus that if Maven were to fix the download situation, requiring that

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-03 Thread William A. Rowe, Jr.
Noel J. Bergman wrote: William A. Rowe, Jr. wrote: Jukka Zitting wrote: Does the ASF endorse these releases, and what does that endorsement mean? yes... You are talking about a legal licensing matter, whereas discussion during the setup and formation of the Incubator was quite

RE: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-02 Thread Noel J. Bergman
William A. Rowe, Jr. wrote: Jukka Zitting wrote: This is a slight majority (of binding votes) for accepting the proposed change, but given the clear lack of consensus and the concerns voiced about that, I unfortunately need to conclude that this issue should be tabled until better

RE: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-10-02 Thread Noel J. Bergman
Emmanuel Lecharny wrote: Better a bad decision than no decision, otherwise, soon, nobody will vote anymore... Not really. Consider that there appears to be a clear consensus that if Maven were to fix the download situation, requiring that users approve the use of Incubator artifacts, rather

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-26 Thread Niclas Hedhman
On Thu, Sep 25, 2008 at 5:15 AM, Doug Cutting [EMAIL PROTECTED] wrote: This is the crux of the issue. Do releases from the Incubator project differ from those of other projects? The people who created the Incubator should be able to answer this question. IMHO (I didn't vote), what we all

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-26 Thread Jukka Zitting
Hi, On Thu, Sep 25, 2008 at 12:58 AM, Niall Pemberton [EMAIL PROTECTED] wrote: If this vote doesn't pass then we need to re-write the rules to define how much of a majority overturns the status quo. I'm following http://www.apache.org/foundation/voting.html and the express wish of our PMC

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-26 Thread Matthieu Riou
On Fri, Sep 26, 2008 at 5:31 AM, Jukka Zitting [EMAIL PROTECTED] wrote: Hi, On Thu, Sep 25, 2008 at 12:58 AM, Niall Pemberton [EMAIL PROTECTED] wrote: If this vote doesn't pass then we need to re-write the rules to define how much of a majority overturns the status quo. I'm following

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-26 Thread William A. Rowe, Jr.
Matthieu Riou wrote: I've also looked at the mentors votes, those who are basically running this place. I'm a small player but Craig mentors 6 podlings, Jim, Henning and Jukka 4 and Doug 3. I'm not saying their votes count more than others, just that when those people disagree, we should

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-26 Thread Matthieu Riou
On Fri, Sep 26, 2008 at 9:55 AM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Matthieu Riou wrote: I've also looked at the mentors votes, those who are basically running this place. I'm a small player but Craig mentors 6 podlings, Jim, Henning and Jukka 4 and Doug 3. I'm not saying

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-25 Thread David Crossley
William A. Rowe, Jr. wrote: David Crossley wrote: William A. Rowe, Jr. wrote: [snip] I liked the way you put the question; it's not up to incubator project to set the rules for Maven. If the maven PMC decides that these incubator releases don't belong in the primary repository,

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-24 Thread Jukka Zitting
Hi, On Wed, Sep 24, 2008 at 5:45 AM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Jukka Zitting wrote: Please vote on accepting or rejecting this policy change! This majority vote is open for a week and only votes from the Incubator PMC members are binding. Just as a point of reference,

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-24 Thread William A. Rowe, Jr.
Jukka Zitting wrote: I extended the vote for another week, which IMHO clearly puts the endpoint to this morning. As such, I will be closing the vote in a few hours. :) Sounds great

[RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-24 Thread Jukka Zitting
Hi, On Wed, Sep 10, 2008 at 8:34 AM, Jukka Zitting [EMAIL PROTECTED] wrote: Please vote on accepting or rejecting this policy change! The vote ends with the following 15 +1, 12 -1, and one 0 binding votes. +1 Bertrand Delacretaz +1 Brett Porter +1 Bruce Snyder +1 Davanum

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-24 Thread William A. Rowe, Jr.
Jukka Zitting wrote: The vote ends with the following 15 +1, 12 -1, and one 0 binding votes. This is a slight majority (of binding votes) for accepting the proposed change, but given the clear lack of consensus and the concerns voiced about that, I unfortunately need to conclude that this

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-24 Thread William A. Rowe, Jr.
Jukka Zitting wrote: Of which we have two; released, or not released, and that's a product of oversight and a [VOTE]. There are no magical in-betweens. As evidenced by this vote this is hardly the consensus. See comments like incubating releases to be treated as full Apache releases or

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-24 Thread Niall Pemberton
On Wed, Sep 24, 2008 at 2:40 PM, Jukka Zitting [EMAIL PROTECTED] wrote: Hi, On Wed, Sep 10, 2008 at 8:34 AM, Jukka Zitting [EMAIL PROTECTED] wrote: Please vote on accepting or rejecting this policy change! The vote ends with the following 15 +1, 12 -1, and one 0 binding votes. +1

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-24 Thread Emmanuel Lecharny
Niall Pemberton wrote: This is a slight majority (of binding votes) for accepting the proposed change, but given the clear lack of consensus and the concerns voiced about that, I unfortunately need to conclude that this issue should be tabled until better consensus is reached. If this was

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-24 Thread David Crossley
William A. Rowe, Jr. wrote: Jukka Zitting wrote: [snip] Are incubating releases official releases of the ASF? Yes. Otherwise they must be removed from ASF servers. There's no middle ground. [snip] How strong disclaimers are needed and what level of explicit acknowledgement

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-24 Thread William A. Rowe, Jr.
David Crossley wrote: William A. Rowe, Jr. wrote: [snip] I liked the way you put the question; it's not up to incubator project to set the rules for Maven. If the maven PMC decides that these incubator releases don't belong in the primary repository, that's their call. But this vote

Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-24 Thread Matthieu Riou
On Wed, Sep 24, 2008 at 2:21 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Jukka Zitting wrote: Of which we have two; released, or not released, and that's a product of oversight and a [VOTE]. There are no magical in-betweens. As evidenced by this vote this is hardly the consensus.

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-23 Thread Upayavira
+1. A release is a release is a release. If we are concerned about projects staying in the incubator, then let's ban them from releasing anymore. Or, say, only max five releases during incubation. But once a release is done under the ASL, there's not really much we can do to stop its onward

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-23 Thread Doug Cutting
Jukka Zitting wrote: [ ] +1 Yes, allow extra release distribution channels like the central Maven repository [ ] -1 No, keep the current policy +1 All releases by ASF PMC's should be equal. If the Incubator PMC isn't confident of a release then it shouldn't release it. The release process

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-23 Thread Assaf Arkin
On Tue, Sep 23, 2008 at 3:15 PM, Doug Cutting [EMAIL PROTECTED] wrote: Jukka Zitting wrote: [ ] +1 Yes, allow extra release distribution channels like the central Maven repository [ ] -1 No, keep the current policy +1 All releases by ASF PMC's should be equal. If the Incubator PMC isn't

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-23 Thread James Carman
I think incubating projects should go through phases. The first phase is to make sure all IP concerns are cleared up. The second phase is where the project exhibits that it gets the Apache way of doing business by doing some internal-only releases (this is where package names would change and

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-23 Thread William A. Rowe, Jr.
Jukka Zitting wrote: Please vote on accepting or rejecting this policy change! This majority vote is open for a week and only votes from the Incubator PMC members are binding. Just as a point of reference, extending a vote for a given period of time is a good thing to accommodate all input.

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-22 Thread Paul Querna
-1, (Binding). (For the reasons explained by Craig and Justin in this Thread) Thanks, Paul Craig L Russell wrote: -1 I believe that allowing incubating releases to be treated as full Apache releases diminishes the Apache brand and makes incubation disclaimers moot. With Maven, it is too

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-21 Thread Roland Weber
+1 (binding) They are releases, they are meant to go out to users, so let them get out. If podlings feel too comfortable in the Incubator, then take the direct approach: go to those podlings and make them feel uncomfortable. Block them from making any more incubating releases at all if you want

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-21 Thread Niclas Hedhman
On Sun, Sep 21, 2008 at 6:13 PM, Roland Weber [EMAIL PROTECTED] wrote: Users who would care about incubating disclaimers will find those via Maven too. Users who don't care will ignore them no matter what you do. You can't force users to care. Although I agree with your standpoint, your

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-18 Thread ant elder
On Thu, Sep 18, 2008 at 4:57 AM, Noel J. Bergman [EMAIL PROTECTED] wrote: William A. Rowe, Jr. wrote: Noel J. Bergman wrote: The current tally is extremely close (9 +1 vs. 8 -1 binding) I don't want to close an issue with such a small margin. I suggest that we should not change policy

[DISCUSS] Alternative proposition [Was: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Gilles Scokart
I think the vote (and discussions) about the use of extra distribution channel is going in a bad direction. I would like to try to summarize the two positions, see if we could not reconcile the two positions and find a better consensus. Here is what the 2 camps say: +1 : say: - We can

Re: [DISCUSS] Alternative proposition [Was: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Davanum Srinivas
Gilles, Sorry. they don't use the apache name. is a non-starter for me :( -- dims On Thu, Sep 18, 2008 at 4:48 AM, Gilles Scokart [EMAIL PROTECTED] wrote: I think the vote (and discussions) about the use of extra distribution channel is going in a bad direction. I would like to try to

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-18 Thread Stephen Duncan Jr
On Wed, Sep 10, 2008 at 2:34 AM, Jukka Zitting [EMAIL PROTECTED] wrote: Hi, Please vote on accepting or rejecting this policy change! This majority vote is open for a week and only votes from the Incubator PMC members are binding. [ ] +1 Yes, allow extra release distribution channels like

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Hiram Chirino
On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Similarly, the issue of signature validation is a significant flaw which I also hope maven addresses even more promptly, and which they are aware of. The alternatives are to take down maven until it is secure, or to

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-18 Thread Dan Diephouse
+1 (non-binding) The current policy is silly. On Wed, Sep 10, 2008 at 8:34 AM, Jukka Zitting [EMAIL PROTECTED] wrote: Hi, We've had a number of long discussions about the incubating projects using the central Maven repository to distribute their releases. The current policy is that

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread sebb
On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Similarly, the issue of signature validation is a significant flaw which I also hope maven addresses even more promptly, and which they are aware of.

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Daniel Kulp
On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote: Thus: If the central maven repository maintainers (Maven PMC) decide to put incubator artifacts into their repository without a click through this is incubator code disclaimer, we'd have no legal reason to say no.

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-18 Thread Bruce Snyder
On Thu, Sep 10, 2008 at 9:34 AM, Jukka Zitting [EMAIL PROTECTED] wrote: Hi, We've had a number of long discussions about the incubating projects using the central Maven repository to distribute their releases. The current policy is that incubating releases should not go to there. The

Re: [DISCUSS] Alternative proposition [Was: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Matthieu Riou
On Thu, Sep 18, 2008 at 1:48 AM, Gilles Scokart [EMAIL PROTECTED] wrote: I think the vote (and discussions) about the use of extra distribution channel is going in a bad direction. I would like to try to summarize the two positions, see if we could not reconcile the two positions and find a

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Davanum Srinivas
but they cannot require third parties to not sync it into their repos. -- Is this something Maven PMC is thinking-about/voted-on/discussing? basically overriding the current un-written policy of the incubator? Please let us know. thanks, dims On Thu, Sep 18, 2008 at 11:17 AM, Daniel Kulp [EMAIL

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Daniel Kulp
On Thursday 18 September 2008 1:14:53 pm Davanum Srinivas wrote: but they cannot require third parties to not sync it into their repos. -- Is this something Maven PMC is thinking-about/voted-on/discussing? basically overriding the current un-written policy of the incubator? Please let us know.

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Davanum Srinivas
point taken. -- dims On Thu, Sep 18, 2008 at 1:26 PM, Daniel Kulp [EMAIL PROTECTED] wrote: On Thursday 18 September 2008 1:14:53 pm Davanum Srinivas wrote: but they cannot require third parties to not sync it into their repos. -- Is this something Maven PMC is

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Hiram Chirino
On Thu, Sep 18, 2008 at 10:59 AM, sebb [EMAIL PROTECTED] wrote: On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Similarly, the issue of signature validation is a significant flaw which I also hope maven

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread William A. Rowe, Jr.
Hiram Chirino wrote: So the responsibility is still on us, the upstream distributor, to verify the checksums we list in our source distro are correct. But at least by doing this, down stream users of our source distros can rest assured that the dependencies that they are using are the

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Matthieu Riou
On Thu, Sep 18, 2008 at 10:26 AM, Daniel Kulp [EMAIL PROTECTED] wrote: On Thursday 18 September 2008 1:14:53 pm Davanum Srinivas wrote: but they cannot require third parties to not sync it into their repos. -- Is this something Maven PMC is thinking-about/voted-on/discussing? basically

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Jukka Zitting
Hi, On Thu, Sep 18, 2008 at 8:26 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Not if there is a man in the middle attack. If you didn't notice the recent noise w.r.t. DNS pollution, that's the very point of that vector. Had it been exploited, tens of thousands of download users could

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread sebb
On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Thu, Sep 18, 2008 at 10:59 AM, sebb [EMAIL PROTECTED] wrote: On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Similarly, the issue of

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread sebb
On 18/09/2008, Jukka Zitting [EMAIL PROTECTED] wrote: Hi, On Thu, Sep 18, 2008 at 8:26 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Not if there is a man in the middle attack. If you didn't notice the recent noise w.r.t. DNS pollution, that's the very point of that vector. Had

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Jukka Zitting
Hi, On Thu, Sep 18, 2008 at 9:08 PM, sebb [EMAIL PROTECTED] wrote: The checksums are _not_ downloaded from the Maven repository. So where are they stored? For example in our svn or signed source release packages. Along with the source code. BR, Jukka Zitting

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Hiram Chirino
On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Hiram Chirino wrote: So the responsibility is still on us, the upstream distributor, to verify the checksums we list in our source distro are correct. But at least by doing this, down stream users of our source

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Hiram Chirino
Right.. It's part of the source distro or SVN. On Thu, Sep 18, 2008 at 3:10 PM, Jukka Zitting [EMAIL PROTECTED] wrote: Hi, On Thu, Sep 18, 2008 at 9:08 PM, sebb [EMAIL PROTECTED] wrote: The checksums are _not_ downloaded from the Maven repository. So where are they stored? For example in

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Hiram Chirino
On Thu, Sep 18, 2008 at 3:07 PM, sebb [EMAIL PROTECTED] wrote: On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Thu, Sep 18, 2008 at 10:59 AM, sebb [EMAIL PROTECTED] wrote: On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.

RE: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Brian E. Fox
that uses them. -Original Message- From: Davanum Srinivas [mailto:[EMAIL PROTECTED] Sent: Thursday, September 18, 2008 1:31 PM To: general@incubator.apache.org Subject: Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread William A. Rowe, Jr.
Hiram, I wish you would desist already from debating positions that you can't defend... Hiram Chirino wrote: On Thu, Sep 18, 2008 at 3:07 PM, sebb [EMAIL PROTECTED] wrote: On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: So the responsibility is still on us, the upstream distributor, to

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-18 Thread Thomas Fischer
0. There were good reasons for both sides. Regards, Thomas

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread sebb
On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Hiram Chirino wrote: So the responsibility is still on us, the upstream distributor, to verify the checksums we list in our source distro are

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Hiram Chirino
Trust me I'm not trying to be difficult.. On Thu, Sep 18, 2008 at 4:53 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Hiram, I wish you would desist already from debating positions that you can't defend... Hiram Chirino wrote: On Thu, Sep 18, 2008 at 3:07 PM, sebb [EMAIL PROTECTED]

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Hiram Chirino
On Thu, Sep 18, 2008 at 4:57 PM, sebb [EMAIL PROTECTED] wrote: On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote: On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Hiram Chirino wrote: So the responsibility is still on us, the upstream distributor, to

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread William A. Rowe, Jr.
Hiram Chirino wrote: Agreed. I never argued against this. But I fail to see the point? Are you saying initial trust is hard to secure? I totally agree on that point. You have any solutions? Yes. You sign your package locally, never on the remote system. The ASF hardware must never have

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-18 Thread Jukka Zitting
Hi, On Thu, Sep 18, 2008 at 11:41 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Since the hash is not security, it's not terribly important, eh? Hashes are a perfect tool for verifying message integrity. They won't prove origin like signatures do, but verifiable integrity is hardly *not*

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-17 Thread Gilles Scokart
2008/9/16 Emmanuel Lecharny [EMAIL PROTECTED]: The problem with a release injected in maven is that it will be there forever. If a release has some problems (IP issues, etc), you can't remove it from maven, as some projects might depend on it, and the users will immediately carpet bomb the

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-17 Thread Jukka Zitting
Hi, On Wed, Sep 10, 2008 at 8:34 AM, Jukka Zitting [EMAIL PROTECTED] wrote: Please vote on accepting or rejecting this policy change! This majority vote is open for a week and only votes from the Incubator PMC members are binding. I am extending the vote period for another week as there is

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Bertrand Delacretaz
On Wed, Sep 17, 2008 at 6:14 AM, Noel J. Bergman [EMAIL PROTECTED] wrote: I don't know of anybody who goes to actual users and tell them here you go, unzip that stuff there, set your JAVA_HOME and your MAVEN_HOME properly, execute 'mvn install' and once all test cases pass you're golden. LOL

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-17 Thread Jason van Zyl
On 10-Sep-08, at 8:34 AM, Jukka Zitting wrote: Hi, We've had a number of long discussions about the incubating projects using the central Maven repository to distribute their releases. The current policy is that incubating releases should not go there. The related discussion threads have

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-17 Thread Jason van Zyl
+1 On 10-Sep-08, at 8:34 AM, Jukka Zitting wrote: Hi, We've had a number of long discussions about the incubating projects using the central Maven repository to distribute their releases. The current policy is that incubating releases should not go there. The related discussion threads

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Daniel Kulp
I voted +1, but I personally think the vote is kind of irrelevant. FACT: The stuff in the incubator repo are Apache releases. They had the 3 binding +1 votes from the incubator IPMC members. They are releases. FACT: The stuff in the incubator repo is all Apache Licensed artifacts.

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Matthieu Riou
On Wed, Sep 17, 2008 at 2:17 AM, Bertrand Delacretaz [EMAIL PROTECTED] wrote: On Wed, Sep 17, 2008 at 6:14 AM, Noel J. Bergman [EMAIL PROTECTED] wrote: I don't know of anybody who goes to actual users and tell them here you go, unzip that stuff there, set your JAVA_HOME and your

RE: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Noel J. Bergman
Matthieu Riou wrote: Exactly - that's when actual users are software developers, which is the case for many of our projects. Precisely. And those should be aware of disclaimers if those serve any purpose. Maven is *too* transparent in what it does: it hides the disclaimer, preventing the

RE: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Noel J. Bergman
Dan, It is a policy matter, not a legal one. And enforcing artifact signing would address this and other crucial, fatal, flaws in Maven's repository management. I still maintain that unless Maven makes swift strides to enforce signing, the ASF should ban the use of the Maven repository for all

RE: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-17 Thread Noel J. Bergman
The current tally is extremely close (9 +1 vs. 8 -1 binding) I don't want to close an issue with such a small margin. I suggest that we should not change policy on anything like this lack of consensus. I do, however, suggest that pressure be put on Maven to enforce signing. --- Noel

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-17 Thread William A. Rowe, Jr.
Noel J. Bergman wrote: The current tally is extremely close (9 +1 vs. 8 -1 binding) I don't want to close an issue with such a small margin. I suggest that we should not change policy on anything like this lack of consensus. I do, however, suggest that pressure be put on Maven to enforce

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Hiram Chirino
Hi Noel, If the problem you're trying to solve with artifact signing is to detect and reject malicious artifacts that have been deployed to a hacked repository, then there is a simpler fix that is available today. Just use the checksum plugin that I described here:

RE: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Brian E. Fox
Maven is *too* transparent in what it does: it hides the disclaimer, preventing the POLICY of ensuring that users are explicitly aware of and agree to use of Incubator artifacts. Maven doesn't *hide* anything, it simply makes requests via http. You can use your browser to pull stuff from

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Davanum Srinivas
Ah! i was just waiting for this response :) I don't see any patches yet to help out -- dims On Wed, Sep 17, 2008 at 2:36 PM, Brian E. Fox [EMAIL PROTECTED] wrote: Maven is *too* transparent in what it does: it hides the disclaimer, preventing the POLICY of ensuring that users are explicitly

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Hiram Chirino
On Wed, Sep 17, 2008 at 1:19 PM, Noel J. Bergman [EMAIL PROTECTED] wrote: Maven is *too* transparent in what it does: it hides the disclaimer, preventing the POLICY of ensuring that users are explicitly aware of and agree to use of Incubator artifacts. We I think this could easily be fixed

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Gilles Scokart
Just to clarify things, the artefacts published on the apache maven repository are signed (well, to be exact, most are signed. See [1] for the current status) However, maven doesn't [yet] validate the signature when downloading the artefacts (ivy neither). See [2] [1]

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Matthieu Riou
On Wed, Sep 17, 2008 at 11:36 AM, Brian E. Fox [EMAIL PROTECTED] wrote: Maven is *too* transparent in what it does: it hides the disclaimer, preventing the POLICY of ensuring that users are explicitly aware of and agree to use of Incubator artifacts. Maven doesn't *hide* anything, it simply

Majority voting (Was: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository)

2008-09-17 Thread Jukka Zitting
Hi, On Wed, Sep 17, 2008 at 7:34 PM, Noel J. Bergman [EMAIL PROTECTED] wrote: The current tally is extremely close (9 +1 vs. 8 -1 binding) I don't want to close an issue with such a small margin. I suggest that we should not change policy on anything like this lack of consensus. IMHO this

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Henning Schmiedehausen
On Wed, 2008-09-17 at 06:57 -0400, Daniel Kulp wrote: I voted +1, but I personally think the vote is kind of irrelevant. [...] Thus: If the central maven repository maintainers (Maven PMC) decide to put incubator artifacts into their repository without a click through this is

RE: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Henning Schmiedehausen
On Wed, 2008-09-17 at 13:19 -0400, Noel J. Bergman wrote: I still maintain that unless Maven makes swift strides to enforce signing, the ASF should ban the use of the Maven repository for all ASF projects, and go so far as to remove all of our artifacts. sorry, but that is ridiculous. That

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-17 Thread Niall Pemberton
On Wed, Sep 17, 2008 at 6:34 PM, Noel J. Bergman [EMAIL PROTECTED] wrote: The current tally is extremely close (9 +1 vs. 8 -1 binding) I don't want to close an issue with such a small margin. I suggest that we should not change policy on anything like this lack of consensus. I do, however,

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread William A. Rowe, Jr.
Henning Schmiedehausen wrote: On Wed, 2008-09-17 at 06:57 -0400, Daniel Kulp wrote: I voted +1, but I personally think the vote is kind of irrelevant. Thus: If the central maven repository maintainers (Maven PMC) decide to put incubator artifacts into their repository without a click

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Davanum Srinivas
Bill, Since you are stating facts. Let's make it clear that when someone downloads the artifacts, there's a good chance that you will see the disclaimers. With maven, we don't. That's the hiccup that caused the policy in place right now and the bruising battle now being fought is caused by the

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Davanum Srinivas
true. these are the reasons i voted the way i did. basically throwing up my hands saying nothing much we can do other than just continue pissing off our users...I am sure the numerous maven pmc members here are taking note, but are probably waiting for patches :) -- dims On Wed, Sep 17, 2008 at

RE: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-17 Thread Noel J. Bergman
William A. Rowe, Jr. wrote: Noel J. Bergman wrote: The current tally is extremely close (9 +1 vs. 8 -1 binding) I don't want to close an issue with such a small margin. I suggest that we should not change policy on anything like this lack of consensus. I do, however, suggest that pressure

Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]

2008-09-17 Thread Henning Schmiedehausen
On Wed, 2008-09-17 at 20:14 -0500, William A. Rowe, Jr. wrote: Henning Schmiedehausen wrote: On Wed, 2008-09-17 at 06:57 -0400, Daniel Kulp wrote: I voted +1, but I personally think the vote is kind of irrelevant. Thus: If the central maven repository maintainers (Maven PMC) decide

Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

2008-09-16 Thread Matt Hogstrom
-1 same as Craig, et al On Sep 15, 2008, at 10:19 PM, Kevan Miller wrote: My vote is -1. On Sep 10, 2008, at 12:45 PM, Craig L Russell wrote: Considering that dependencies on incubating releases can be resolved by explicitly adding an incubating Maven repository into your settings, I
