> -----Original Message-----
> From: Martin Poeschl [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 06, 2003 9:44 PM
> To: Jakarta General List
> Subject: Re: [Fwd: Maven as a top-level apache project]
>
> Steve Downey wrote:
>
> >From: <[EMAIL PROTECTED]>
> >To: "Jakarta General List" <[EMAIL PROTECTED]>
> >Sent: Thursday, February 06, 2003 8:07 PM
> >Subject: Re: [Fwd: Maven as a top-level apache project]
> >
> >>>BTW, given the license discussions it seems unlikely a solution that
> >>>includes all the jars in the same place will work. So the "repository"
> >>>will be not only a storage for jars, but a set of tools to deal with
> >>>downloading from different locations with different methods ( and mirror
> >>>lists, etc ). Again - I think this part can only be apache-wide.
> >>>
> >>Sure, but let's not lose focus of what this is for. Distribution?
> >>Building? A company/individual can set up their own repository of jars (we
> >>all do) that they've accepted licenses for. The 'tools' should be able to
> >>work with that set up, similar to how Maven does today.
> >>
> >
> >One thing that has annoyed me is that Maven will download jars from the
> >ibiblio repository with no regard to the license of them. It's an easy way
> >for jars to come into a build without formal review and acceptance of the
> >license. My company's policy is to use only BSD, ASF, or similar licenses.
> >No GPL. And based on recent discussions here, we may prohibit LGPL. We do
> >also use commercially licensed software, and review carefully the
> >redistribution clauses. It's particularly troubling that the jars show up
> >without supporting documentation.
> >
>
> why don't you setup your own private repository where you can control
> which jars are stored there ... you don't need to use the ibiblio repo
>
> martin

The real problem with that is that my interest in maven only extends as far as it's required to build other projects. I've downloaded the beta in order to use it to build projects that require it. I don't intend to use it myself (at least at this point) for my projects. So learning about setting up my own repository is way too much work.

I'm conscientious about reviewing the licenses for software I bring in. Not everyone in the organization is. That's an internal problem that has to be addressed by raising awareness of the issue. However, the easier it is for software to come in without review, the harder it is to manage the problem. Particularly since when jars come in via maven, there's now a bunch of detective work to be done to find out where it actually came from and what the license is.
