Just to be thorough, is using provided scope good enough? Sure it doesn't
pull it into the final product and isn't in transitive dependencies, but it
is still downloaded for the compile process. From your previous emails, it
sounded like we cannot download it whatsoever during the build. Building
cloud-framework-db still downloads the jar to build that specific sub
project (Just validated off of latest 4.3), which is necessary for the
overall project build.

Not trying to be a pain, just trying to make sure we don't miss something,
but I could be misunderstanding the situation.

Thanks,

-Nate


On Mon, Feb 24, 2014 at 9:53 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

> Guys,
>
> I did a quick check using the scanner at
> http://www.sonatype.com/application-health-check.  According to that
> report we need to do some additional checking of our dependencies.
>
> Licenses:
>   Copyleft: 2
>   Non-standard: 9
>   Weak-copyleft: 15
>   Liberal: 82
>
> I can't get the exact details as that requires the full report ($499
> ouch..), but at least it warrants investigation before we can release.
>
> Here is the printout of the report:
> https://dl.dropboxusercontent.com/u/70226362/app-check.pdf
>
> Cheers,
>
> Hugo
>
>
> On 23 feb. 2014, at 07:24, Rayees Namathponnan <
> rayees.namathpon...@citrix.com> wrote:
>
> > Hi David,
> >
> > One doubt, while building cloudstack we are using "mysql-connector-java
> > version 5.1.29"; is it not mandatory that we should use the same version
> > of mysql-connector during run time?
> >
> > Regards,
> > Rayees
> >
> > -----Original Message-----
> > From: David Nalley [mailto:da...@gnsa.us]
> > Sent: Saturday, February 22, 2014 7:59 PM
> > To: dev@cloudstack.apache.org
> > Subject: Re: [DISCUSS] Policy blocker?
> >
> > Hi folks:
> >
> > I think this issue is resolved in the 4.3 branch. The default build
> > system no longer seems to grab the mysql jar, and I've adjusted tomcat to
> > load the mysql jar from the system library.
> >
> > Commit 0c2ad0338e34f6117cecc24ec00c7746dd481465 should have the
> > necessary changes.
> >
> > I did some quick testing, and this seems to work, but obviously it needs
> > more eyes and testing.
> >
> > --David
> >
> > On Thu, Feb 20, 2014 at 8:37 AM, David Nalley <da...@gnsa.us> wrote:
> >> Hi folks,
> >>
> >> I cringe to raise this issue. After 6 RCs I am sure we are all feeling
> >> a little bit of release vote fatigue. Especially Animesh. I apologize
> >> in advance; in all other respects I am ready to give a +1 to RC6.
> >>
> >> I've been playing with 4.3.0-rc6 for a couple of days now. I attempted
> >> to build some RPMs and had problems with dependency resolution in
> >> maven. This led me to looking at a number of different poms, and I
> >> noticed mysql-connector-java is listed as a runtime dependency. For
> >> our end users, this really isn't necessary - the debs and rpms specify
> >> a requirement (effectively a system requirement in the terms of
> >> policy) for mysql-connector-java. We don't need it to build the
> >> software (at least not in any location I've seen) - just when running.
> >> (And thus it's a system dependency, much like MySQL is.)
> >>
> >> mysql-connector-java is GPLv2; which is Cat X. By including it as a
> >> dependency in the pom it automatically gets downloaded. The 3rd Party
> >> software policy has this line in it:
> >>
> >> "YOU MUST NOT distribute build scripts or documentation within an
> >> Apache product with the purpose of causing the default/standard build
> >> of an Apache product to include any part of a prohibited work."
> >>
> >> We've released software with this dependency previously. Is this a
> >> blocker for 4.3 or do we fix going forward? (If we hadn't already
> >> shipped releases with this problem I'd lean a bit more towards it
> >> being a blocker - but it's more murky now.)
> >>
> >> Thoughts, comments, flames?
> >>
> >> --David
> >>
> >> [1] https://www.apache.org/legal/3party.html
>
>


-- 


*Nate Gordon* Director of Technology | Appcore - the business of cloud
computing(R)

Office +1.800.735.7104  |  Direct +1.515.612.7787
nate.gor...@appcore.com  |  www.appcore.com
