(My apologies if this has already been discussed)

Looking around in the build infrastructure I found what seemed like a
strange dependency, namely xapi 5.6.100-1-SNAPSHOT. Since dependencies with
-SNAPSHOT semantics is something I would very much like to get rid of from
cloudstack I looked and the setup seems a bit surprising.

My understanding of the setup is the following:

When building cloudstack there is a dependency on an artifact with
artifactId xapi and groupId org.apache.cloudstack. It is not built as part
of the build, as are the other dependencies sharing that groupId but
instead it is pulled from the apache snapshots repository that gets pulled
into the repository resolution chain as a side effect of the parent
declaration in the top level pom.xml

Looking around some for the source i eventually found deps/XenServerJava/
which contains what seems to be the source code used to build said
artifact. There is no README or similar in that directory, and the pom.xml
file holds an ASF copyright but the *java code holds a Citrix copyright and
what seems to be a 2 clause BSD license.

I think this setup breaks the principle of least surprise in a few ways,
and I would like to see it changed:

- Let's not depend on -SNAPSHOT releases, since it effectively means that
reproducibility of builds is uncertain.

- I think the code should either be merged with the cloudstack projects,
which I assume means at least a donation and license updates, or split out
into a separate project with some presence on the web and a maven groupId
distinct from the cloudstack project.

(Splitting it out need not be an advanced operation. Just put the code
somewhere public, spend an hour writing a readme and follow the guide on
http://maven.apache.org/guides/mini/guide-central-repository-upload.html to
get a release in the maven repo)

/noa



-- 
Engineering Experience, Infrastructure tribe, Spotify

Reply via email to