Hey Jeremias,
thanks for the extremely detailed feedback, it was really appreciated :)
See below few more details:
On Jun 25, 2010, at 6:17 PM, Jeremias Maerki wrote:
Some observations (non-blockers for a first release, I guess):
- Gabriele, you may want to publish your PGP key on a key server and
see
to it that you can soon meet some fellow Apache committers so you can
get your code signing key cross-signed.
I published my key on the PGP MIT server (http://pgp.mit.edu:11371/pks/lookup?search=Columbro+code+signing&op=vindex
) and will be glad to enter the ASF web of trust at the first
gathering (maybe ACUS 2010).
- the WARs all contain no LICENSE and NOTICE files.
This is taken care of automatically for JARs by the (inherited) maven-
remote-resources-plugin. Checking if there's an option to do the same
for WARs.
- maybe problematic: I cannot find a list of dependencies including
their applicable license (a long-standing issue I have with Maven).
JAX-WS-RI is CDDL/GPLv2 and therefore Category B according to [1].
IMO,
the necessary labeling requirements are not met, yet. The same seems
to
apply to mimepull and saaj. I think the best way is to create a
README.txt which contains a manually maintained list and to include
that
README.txt in all dist ZIPs and WARs (i.e. the files that include the
third-parties), maybe even all JARs because they have these
dependencies.
That would make it very easy for people to verify the dependencies
against their own license policies.
I created an issue https://issues.apache.org/jira/browse/CMIS-224 in
order to track this task. I set 0.2.0 as fix version, but do you
believe that this should be fixed also in 0.1.0 ?
@devs: anyone who can help creating this text file per package? I can
then easily include it in the build.
Thanks again for the expert feedback!
Ciao,
Gab
--
Eng. Gabriele Columbro
Alfresco Software, Ltd.
M: +31 (0)627 565 103
P: +39 320 161 28 46
D: +44 (0)1628 876 654
Skype: gabrielecolumbro
Blog: http://www.mindthegab.com
Twitter: http://twitter.com/mindthegabz
