Enrico> (I apologize, I don't want to pollute the vote thread, but this is somehow related)

I've altered the subject.

Enrico> For binary release (that actually is not part of the official VOTE)

I'm not a lawyer, but:

> http://www.apache.org/legal/release-policy.html#what
> WHAT IS A RELEASE?
> Releases are, by definition, anything that is published beyond the group that owns it

> http://www.apache.org/legal/release-policy.html#what-must-every-release-contain
> Every ASF release must comply with ASF licensing policy

release-policy.html does not make a distinction between "part of the
official vote" and "not a part of the official vote".
It just says "whatever is released must comply with ASF licensing policy".

In other words, the VOTE thread looks to me like "we are about to release
Apache Maven Wagon, please check the artifacts".
-shaded artifact is a part of the release (because it is "anything that is
published beyond the group that owns it"),
and -shaded does not comply with jsoup's license ==> I suggest that there's
an "utmost importance" issue with the artifacts.

> I wonder if we could enhance the pom in the future to report machine
> readable statements like 'the artifact will include a binary copy of this
> other third party pom'

That would be nice. I'm not sure everything comes from a pom though.
For instance, -shaded, -sources, -javadoc and other "classifier-based
artifacts" miss their respective poms.
However, they all might re-distribute different third-party dependencies.

Then people do not always consume artifacts as jar/pom files.
For instance, apache-maven-3.6.2-bin.zip does not have a pom file.

In my opinion, the licensing conditions should be embedded into each
archive if that is possible.

There's the spdx.org effort; however, I don't think it is ready for use.

Vladimir
