potiuk commented on issue #173:
URL: https://github.com/apache/tooling-trusted-release/issues/173#issuecomment-2976735169

   Sure thing. That makes sense. I thought that in source files, what we can do 
is to just have a symbolic link to the NOTICE file at the top-level and it will 
solve the problem.
   
   But there is another, spin-off question - how about convenience packages? We 
**still** want to submit and release several convenience packages via ATR even 
if technically we are not required to (we have reproducible builds for those, 
so recording them in ATR / SVN with checksums and signatures is actually a good 
idea, because users might also verify their provenance even if they are 
released in PyPI).
   
   But in those packages, NOTICE and LICENCE files are usually placed elsewhere:
   
   * for .whl packages, it is placed in METADATA in package-info - after 
marking it as part of LICENCES
   * for java .jars - similarly - NOTICE files are placed in META-INF
   
   Two questions:
   
   * Should ATR be checking in different places (at least for those known file 
types)?
   * Or maybe we should be able to specify that (say) NOTICE and LICENCE 
requirements should be relaxed?
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tooling.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
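
One way a checker could look in the per-format locations raised in the comment above, as an added example (not ATR's code and not part of the original message). The function names and sample archives are constructed for illustration; it assumes wheels keep legal files under `*.dist-info/` and jars under `META-INF/`.

```python
import io
import re
import zipfile

# Matches LICENSE / LICENCE / NOTICE with an optional suffix such as .txt or -MIT.
_LEGAL = re.compile(r"^(LICEN[CS]E|NOTICE)([.-][^/]*)?$", re.IGNORECASE)

# Assumption: where each convenience-package format keeps its legal files.
ROOTS = {
    "whl": lambda top: top.endswith(".dist-info"),  # incl. dist-info/licenses/
    "jar": lambda top: top == "META-INF",
}


def find_legal_files(archive, kind):
    """Map 'LICENSE' and 'NOTICE' to the archive members that provide them."""
    in_scope = ROOTS[kind]  # KeyError for a format this sketch does not know
    found = {"LICENSE": [], "NOTICE": []}
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if name.endswith("/") or len(parts) < 2 or not in_scope(parts[0]):
                continue
            match = _LEGAL.match(parts[-1])
            if match:
                key = "NOTICE" if match.group(1).upper() == "NOTICE" else "LICENSE"
                found[key].append(name)
    return found


def missing(found):
    """Return the required legal files that were not located."""
    return sorted(key for key, members in found.items() if not members)


def make_sample(members):
    """Build an in-memory zip from member names (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, "constructed sample\n")
    buf.seek(0)
    return buf


# Constructed samples: a wheel with both files, a jar that lacks NOTICE.
SAMPLE_WHEEL = ["demo/__init__.py", "demo-1.0.dist-info/METADATA",
                "demo-1.0.dist-info/licenses/LICENSE",
                "demo-1.0.dist-info/licenses/NOTICE"]
SAMPLE_JAR = ["META-INF/MANIFEST.MF", "META-INF/LICENSE.txt", "com/example/Demo.class"]
```
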

