On Tue, May 29, 2012 at 6:56 PM, Pedro Giffuni <[email protected]> wrote:
> Hi Dave;
>
> --- Tue 29/5/12, Dave Fisher <[email protected]> wrote:
> ...
>>
>> There are issues with these embedded convenience packages.
>>
>> (1) Some are Category B. An issue to some more than others.
>>
>> (2) Some are patched versions of existing open-source
>> packages. We should attempt to push these upstream. The
>> COINMP patch looks trivial. We may need to have special
>> builds, but we should be avoiding and removing.
>>
>> (3) Some are specific versions of open-source packages. We
>> should try to get official distributions and use a version
>> at Apache Extras as a known version.
>>
>> (4) Some are versions of Apache open-source packages. We
>> should use the appropriate release or archive from the
>> project.
>>
>>
>> ext_sources dave$ ls -1
>> 0168229624cfac409e766913506961a8-ucpp-1.3.2.tar.gz
>> 067201ea8b126597670b5eff72e1f66c-mythes-1.2.0.tar.gz
>> 0b49ede71c21c0599b0cc19b353a6cb3-README_apache-commons.txt
>> 128cfc86ed5953e57fe0f5ae98b62c2e-libtextcat-2.2.tar.gz
>> 17410483b5b5f267aa18b7e00b65e6e0-hsqldb_1_8_0.zip
>> 1756c4fa6c616ae15973c104cd8cb256-Adobe-Core35_AFMs-314.tar.gz
>> 18f577b374d60b3c760a3a3350407632-STLport-4.5.tar.gz
>> 1f24ab1d39f4a51faf22244c94a6203f-xmlsec1-1.2.14.tar.gz
>> 220035f111ea045a51e290906025e8b5-libpng-1.5.1.tar.gz
>> 24be19595acad0a2cae931af77a0148a-LICENSE_source-9.0.0.7-bj.html
>> 284e768eeda0e2898b0d5bf7e26a016e-raptor-1.4.18.tar.gz
>> 2ae988b339daec234019a7066f96733e-commons-lang-2.3-src.tar.gz
>> 2b5f1ca58d6ef30f18f1415b65bed81c-CoinMP-1.6.0.tgz
>> 2c9b0f83ed5890af02c0df1c1776f39b-commons-httpclient-3.1-src.tar.gz
>> 2f6ecca935948f7db92d925d88d0d078-icu4c-4_0_1-src.tgz
>> 35efabc239af896dfb79be7ebdd6e6b9-gentiumbasic-fonts-1.10.zip
>> 377a60170e5185eb63d3ed2fae98e621-README_silgraphite-2.3.1.txt
>> 3b179ed18f65c43141528aa6d2440db4-serf-1.0.0.tar.bz2
>> 3c219630e4302863a9a83d0efde889db-commons-logging-1.1.1-src.tar.gz
>> 48470d662650c3c074e1c3fabbc67bbd-README_source-9.0.0.7-bj.txt
>> 48a9f787f43a09c0a9b7b00cd1fddbbf-hyphen-2.7.1.tar.gz
>> 48d8169acc35f97e05d8dcdfd45be7f2-lucene-2.3.2.tar.gz
>> 61f59e4110781cbe66b46449eadac231-croscorefonts-1.21.0.tar.gz
>> 63ddc5116488985e820075e65fbe6aa4-openssl-0.9.8o.tar.gz
>> 666a5d56098a9debf998510e304c8095-apr-util-1.4.1.tar.gz
>> 68dd2e8253d9a7930e9fd50e2d7220d0-hunspell-1.2.9.tar.gz
>> 7376930b0d3f3d77a685d94c4a3acda8-STLport-4.5-0119.tar.gz
>> 7740a8ec23878a2f50120e1faa2730f2-libxml2-2.7.6.tar.gz
>> 7e4e73c21f031d5a4c93c128baf7fd75-apache-tomcat-5.5.35-src.tar.gz
>> 97262fe54dddaf583eaaee3497a426e1-apr-1.4.5.tar.gz
>> 980143f96b3f6ce45d2e4947da21a5e9-stax-src-1.2.0.zip
>> 99d94103662a8d0b571e247a77432ac5-rhino1_7R3.zip
>> a169ab152209200a7bad29a275cb0333-seamonkey-1.1.14.source.tar.gz
>> a2c10c04f396a9ce72894beb18b4e1f9-jpeg-8c.tar.gz
>> a7983f859eafb2677d7ff386a023bc40-xsltml_2.1.2.zip
>> ada24d37d8d638b3d8a9985e80bc2978-source-9.0.0.7-bj.zip
>> af3c3acf618de6108d65fcdc92b492e1-commons-codec-1.3-src.tar.gz
>> b92261a5679276c400555004937af965-nss-3.12.6-with-nspr-4.8.4.tar.gz
>> bc702168a2af16869201dbe91e46ae48-LICENSE_Python-2.6.1
>> c441926f3a552ed3e5b274b62e86af16-STLport-4.0.tar.gz
>> c735eab2d659a96e5a594c9e8541ad63-zlib-1.2.5.tar.gz
>> ca66e26082cab8bb817185a116db809b-redland-1.0.8.tar.gz
>> cf8a6967f7de535ae257fa411c98eb88-mdds_0.3.0.tar.bz2
>> d35724900f6a4105550293686688bbb3-silgraphite-2.3.1.tar.gz
>> e61d0364a30146aaa3001296f853b2b9-libxslt-1.1.26.tar.gz
>> e81c2f0953aa60f8062c05a4673f2be0-Python-2.6.1.tar.bz2
>> ea570af93c284aa9e5621cd563f54f4d-bsh-2.0b1-src.tar.gz
>> ea91f2fb4212a21d708aced277e6e85a-vigra1.4.0.tar.gz
>> ecb2e37e45c9933e2a963cabe03670ab-curl-7.19.7.tar.gz
>> ee8b492592568805593f81f8cdf2a04c-expat-2.0.1.tar.gz
>> f872f4ac066433d8ff92f5e316b36ff9-dejavu-fonts-ttf-2.33.zip
>> fca8706f2c4619e2fa3f8f42f8fc1e9d-rasqal-0.9.16.tar.gz
>> fcc6df1160753d0b8c835d17fdeeb0a7-boost_1_39_0.tar.gz
>> fdb27bfe2dbe2e7b57ae194d9bf36bab-SampleICC-1.3.2.tar.gz
>>
>> Do we seriously need to carry our own version of Python
>> 2.6.1? Aren't the Adobe Base 35 AFMs good for all. There
>> must be a common location.
>>
>
> FreeBSD and most linux distributions have been moving
> towards using prepackaged versions of this stuff when
> possible. I have been updating some of these packages
> attempting not to break the API but I am far from over.
> The main reason why we don't just use prepackaged stuff
> for everything and throw stuff like python 2.6.1 away
> is that it is not practical for windows (which is
> the major platform). Our python is severely patched
> for other platforms and those patches have taken a lot
> of time to update even for a minor version update.
>
> The problem with Category B is that according to
> Apache Policies we shouldn't be carrying the sources

The policy I know of says that for category-b, "additional action is warranted in order to minimize the chance that a user of an Apache product will create a derivative work of a reciprocally-licensed portion of an Apache product without being aware of the applicable requirements." We accomplish this goal by putting these components in MD5-hashed tarballs that must be downloaded separately and are only downloaded when the developer overrides the default build options.

The policy then says, "By including only the object/binary form, there is less exposed surface area of the third-party work from which a work might be derived; this addresses the second guiding principle of this policy. By attaching a prominent label to the distribution and requiring an explicit action by the user to get the reciprocally-licensed source, users are less likely to be unaware of restrictions significantly different from those of the Apache License." Again we satisfy this by not including the category-b components in our source distributions and requiring an explicit action (overriding default build flags) for the developer to get the category-b source code.

> but instead we should carry links to the sources in
> the NOTICE file. For 3.4 we didn't comply
> (embarrassingly the COIN-OR guys noted this!).
>

To be precise, they noticed that our NOTICE file did not contain a link to their download site. They did not express any concern that we had a source tarball checked into our repository.

> The idea is that we should be using unmodified binaries
> so carrying fonts and java bytecode would be OK, but
> carrying tarballs with sources was not really intended.
>
> In the case of NSS and Seamonkey, our versions are
> way too outdated: I think the Seamonkey version we
> carry is not even available online anymore and
> there are known security risks.
>
> Pedro.
>
>
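The ext_sources naming convention visible in the listing above (an MD5 hex digest, a hyphen, then the archive name) doubles as an integrity check on each convenience package: the build can recompute the digest of what it downloaded and refuse anything that does not match its own name. The script below is an added example, not code from the OpenOffice build system or from anyone in this thread. It parses such names, streams each file through the named digest and reports mismatches; the sample archives, their contents and the helper names (`verify_entry`, `verify_directory`, `build_demo_dir`, the optional `sha256_pins` argument) are constructed here for illustration. The caveat a practitioner should keep in mind: MD5 catches a corrupted or mis-fetched download, but it is not collision-resistant, so on its own it does not defend against a deliberately substituted archive. The optional SHA-256 pin table in the example shows the stronger check that would be layered on top.

```python
"""Integrity check for ext_sources-style files named '<md5hex>-<archive>'.

Added example; not part of the OpenOffice build system.  The sample
archives, their contents and the SHA-256 pin table are constructed here.
"""
import hashlib
import os
import re
import tempfile

# '<32 hex digits>-<rest of name>', the convention seen in the ext_sources listing.
ENTRY_RE = re.compile(r"^([0-9a-f]{32})-(.+)$")


def parse_entry(name):
    """Return (expected_md5, archive_name), or None if the name does not follow the convention."""
    m = ENTRY_RE.match(name)
    return (m.group(1), m.group(2)) if m else None


def digest_file(path, algo):
    """Hex digest of a file, streamed so a large tarball is not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_entry(path, sha256_pins=None):
    """Classify one file as 'ok', 'md5-mismatch', 'sha256-mismatch', 'unpinned' or 'unnamed'.

    sha256_pins is a hypothetical optional table {archive name: expected SHA-256 hex}.
    The MD5 in the file name only catches accidental corruption; a deliberately
    substituted archive needs the collision-resistant pin to be detected.
    """
    entry = parse_entry(os.path.basename(path))
    if entry is None:
        return "unnamed"
    expected_md5, archive = entry
    if digest_file(path, "md5") != expected_md5:
        return "md5-mismatch"
    if sha256_pins is None:
        return "ok"
    pin = sha256_pins.get(archive)
    if pin is None:
        return "unpinned"
    return "ok" if digest_file(path, "sha256") == pin else "sha256-mismatch"


def verify_directory(dirpath, sha256_pins=None):
    """Map every file in an ext_sources directory to its verification status."""
    return {name: verify_entry(os.path.join(dirpath, name), sha256_pins)
            for name in sorted(os.listdir(dirpath))}


def build_demo_dir():
    """Create a constructed ext_sources directory: one good, one tampered, one unnamed file.

    Returns (dirpath, sha256 pin table for the good archive).
    """
    d = tempfile.mkdtemp(prefix="ext_sources_")
    good = b"constructed tarball bytes for demo-1.0.tar.gz\n"
    good_name = hashlib.md5(good).hexdigest() + "-demo-1.0.tar.gz"
    with open(os.path.join(d, good_name), "wb") as f:
        f.write(good)
    # Tampered: the name carries the digest of the original bytes, but the
    # content was replaced after the file was named.
    original = b"constructed tarball bytes for other-2.0.tgz\n"
    tampered_name = hashlib.md5(original).hexdigest() + "-other-2.0.tgz"
    with open(os.path.join(d, tampered_name), "wb") as f:
        f.write(original + b"extra bytes appended after naming\n")
    # A file outside the convention, like a README dropped into the directory.
    with open(os.path.join(d, "README.txt"), "wb") as f:
        f.write(b"no digest prefix\n")
    return d, {"demo-1.0.tar.gz": hashlib.sha256(good).hexdigest()}


if __name__ == "__main__":
    demo_dir, pins = build_demo_dir()
    for name, status in verify_directory(demo_dir, pins).items():
        print(f"{status:16} {name}")
```

Run without arguments it builds the demo directory and prints one status per file; point `verify_directory` at a real ext_sources checkout to get the same report for the listing above. Files that do not follow the convention are reported rather than silently skipped, since a build that pulls an archive by an unverified name has no integrity check at all.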
