Mentors: Ok, I've changed the build script and am almost ready to post another sanity check archive set. However, I have some questions before I do so:
1) I tried but couldn't find definitive info on whether we can redistribute binary dependencies (System Requirements). I had originally assumed that we could NOT, so I removed all such jar files from the released source, and thus, as you saw, the build fails unless you download those jars yourself and put them on your classpath. I would love to include them, as it would make the user who's trying to build from source much happier. As you say, "some people (like myself) prefer to have them part of the source dist". What's the official word from legal on this? I know that the jfree stuff is LGPL, which from what I found sounds like we cannot redistribute, even in unmodified binary form. 2) Our NOTICE file is currently blank. Is there anything that needs to go in there? I think this relates to question 1, in that we might have to put legal notices of the binaries that we're redistributing in there. 3) With the changes I've made today, if a user were to download the release archive and follow the instructions in http://svn.apache.org/repos/asf/incubator/pivot/branches/1.1/BUILD to rebuild the JAR files, they'd end up with JAR files that are bit-for-bit identical to the ones that came with the distribution, *except* that the *built* file names would not contain "incubating". Is this a problem? 4) I've uploaded my pgp code signing public key to the MIT key server. Are there any other servers to which I should upload manually? I was originally under the assumption that the key would disseminate automatically, but that appears to have been a bad assumption. 5) Niclas, you said that "The binary output is NOT included in the primary release artifact, but is "generated" by it." However, I see many projects that include binaries in their main release artifact (again, Wicket is an example). What's the final word on this? It seems silly to me to not include the binaries, since pivot users don't particularly want to build Pivot - just build applications that use it. 6) You speak of the primary release being source and the supplementary release being binary, but I see some projects (again, Wicket, among others) that only release one artifact, which contains both source and binaries. This is what I was going for here, as I think it simplifies things. Is that not kosher? Thanks! -T On Tue, Mar 31, 2009 at 11:42 AM, Todd Volkert <[email protected]> wrote: > Replying on the dev list; I pinged you privately 'cause I was just > hoping to catch you before I went to bed :) > > Your steps below explain very well what you saw and where you're > coming from. I will address these issues today and post another > candidate for a sanity check. Comments inline: > >> I really want you to get this right, and willing to assist as much as >> I can. I know that the first round is really, really painful, but it >> will get smoother if you manage to automate most stuff. >> >> Ok, here is what I did this morning; >> >> 1. I downloaded >> http://people.apache.org/~tvolkert/pivot/apache-pivot-1.1-incubating.tar.gz >> >> 2. I downloaded >> http://people.apache.org/~tvolkert/pivot/apache-pivot-1.1-incubating.zip >> because I was curious why the size was so different, and assumed that >> they were different (have not checked that yet). > > Yeah, this confused me as well. I set the compression level to 9 in > the zip to try to get the size down, but it's still significantly > larger than the tar.gz, which baffles me. Is ZIP really that much > less efficient? > >> 3. I opened build.xml and saw the following; >> <?xml version="1.0" encoding="UTF-8"?> >> <project default="build"> >> <target name="build"> >> <mkdir dir="bin"/> >> <javac srcdir="src" destDir="bin" debug="true"/> >> </target> >> </project> >> And I went "Oh oh", since I know the build.xml in SVN is a mile long. > > Yeah, this relates to the discussion we had on list a few days back > about whether the built binaries need to be packaged in jars the same > way as our release archive or whether .class files are sufficient. > I'll re-organize this today so that the release archive build.xml is > the same as the SVN one, eliminating this issue. > >> 4. I looked in lib/ and I saw; >> pivot-charts-incubating.jar pivot-tools-incubating.jar >> pivot-web-incubating.server.jar pivot-wtk-incubating.terra.jar >> pivot-core-incubating.jar pivot-web-incubating.jar >> pivot-wtk-incubating.jar >> >> 5. I removed the everything in the lib folder, since that is obvious >> binary outputs. > > I may be slow sometimes, but I finally understand that the goal is for > the user to be able to produce an *exact match* with our binary > distribution by building from source. :) > >> 6. I ran Ant. I got build problems and looked in the BUILD. It >> explained why, and since I didn't have the system requirements >> available, I stopped on that track. > > So you made reference yesterday to the fact that you prefer to include > library dependencies in your distributions. I would love to as well, > but I was under the impression that we couldn't legally include such > JAR files. I'll look again on apache.org for guidelines, but I take > it that this is an option for us? > >> 7. I went to pgp.mit.edu and looked up "Todd Volkert" and low and >> below there was an entry. "Excellent I thought.", but the email wasn't >> one I was used to, and it dated back to 2000, so I assumed that was >> not the key that you have used to sign with. The re-iteration in the >> list, is just to emphasize the importance and not criticism that >> something is not right. > > No worries - I was not offended, just confused. :) I did upload my > public key using 'gpg --send-key DB0924F6' on Friday (March 27). > http://apache.org/dev/release-signing.html#keyserver states that "The > major public key servers synchronize their records regularly so a key > uploaded to one should be disseminated to the rest.", so I assumed > that my work was done with respect to uploading my public key. How do > I make sure that the MIT key server gets it? > > With respect to the key you found, that's from a previous life :) The > one at http://people.apache.org/~tvolkert/pivot/KEYS is the one that I > created for the purpose of release signing and the one I want to get > propagated to the public key servers. > > Also, with respect to the web of trust, I won't get a chance to attend > ApacheCon until November (ApacheCon US) -- can we release if my key is > not in the web of trust? > >> We will get this right... It just will take a while. > > Thanks for your help and patience. >
