On 26.08.2012 21:20, Dave Fisher wrote:
Hi,
We need to do more work to have proper compliance with Apache Infrastructure
policy in managing external dependencies.
I may not be precisely correct and am looking for confirmation, but In general
i think we need to
(1) Completely avoid using svn.apache.org. I don't think we are allowed to do
this even as a backup URL.
Removing svn.apache.org was planned for after the release 3.4.1. I would
have done it this week. Thanks that you took care of it.
(2) Use mirrors or maven for ASF dependencies where we use the current release.
If we use mirrors then archive.apache.org should be the backup for the mirror
so that we aren't in trouble if the project has a release. If a maven
repository were used then there would be no issue.
Using ASF mirrors is difficult to do automatically. Doing the same for
projects hosted on SourceForge is easy. That is the reason why some ASF
dependencies are fetched from apache-extras.
Apache extras *is* the backup for all external dependencies that are not
extensions.
(3) If we use mirrors then we should allow the user to choose which mirror.
That would break every automatic build.
But before we start making changes we should finally figure out the
policies that constrain our technical choices. I agree that the current
download mechanism is not perfect. One reason for that is that the
policies regarding licenses of the tarballs and possible download
locations for them are a moving target.
In the past months I was always trying to find a technical solution that
a) would work reliably
b) could be implemented in the short time until the next release and
c) would fit the newest requirements of where we were allowed to store
the tarballs.
If using the original servers is not the policy de jour anymore, fine.
If SHA1 is better than MD5, good. If maven is "better" than
apache-extras, excellent.
We should just make up our minds.
-Andre
If we decide to take the time to go the maven route. I can use the example of
ant and maven repos from the Apache POI build.xml.
Notes about maven repos. Infra [1], maven central [2] and example of an
externally hosted repo [3]
This area needs careful attention.
The current script is here: main/solenv/bin/download_external_dependencies.pl
Regards,
Dave
[1] http://apache.org/dev/repository-faq.html and
[2] http://maven.apache.org/guides/mini/guide-central-repository-upload.html
[3]
http://repo.maven.apache.org/maven2/javax/activation/activation/1.0.2/activation-1.0.2.pom
On Aug 26, 2012, at 11:58 AM, w...@apache.org wrote:
Author: wave
Date: Sun Aug 26 18:58:08 2012
New Revision: 1377482
URL: http://svn.apache.org/viewvc?rev=1377482&view=rev
Log:
one more small step to infra compliance. still to do removing use of svn as a
backup and for current releases of ASF software the archive is not proper -
either a mirror or the maven repository is required.
Modified:
incubator/ooo/trunk/main/external_deps.lst
Modified: incubator/ooo/trunk/main/external_deps.lst
URL:
http://svn.apache.org/viewvc/incubator/ooo/trunk/main/external_deps.lst?rev=1377482&r1=1377481&r2=1377482&view=diff
==============================================================================
--- incubator/ooo/trunk/main/external_deps.lst (original)
+++ incubator/ooo/trunk/main/external_deps.lst Sun Aug 26 18:58:08 2012
@@ -72,7 +72,7 @@ if ( true )
if (SOLAR_JAVA == TRUE)
MD5 = 17960f35b2239654ba608cf1f3e256b3
name = lucene-2.9.4-src.tar.gz
- URL1 =
http://www.us.apache.org/dist/lucene/java/2.9.4/lucene-2.9.4-src.tar.gz
+ URL1 =
http://archive.apache.org/dist/lucene/java/2.9.4/lucene-2.9.4-src.tar.gz
URL2 = $(OOO_EXTRAS)$(MD5)-$(name)
# Fall back to a version in SVN from a previous revsion.
URL3 =
http://svn.apache.org/repos/asf/!svn/bc/1337615/incubator/ooo/trunk/ext_sources/$(MD5)-$(name)
