Re: Apache Wagon vs maven-shade vs embedded licenses
Am 2019-11-07 um 12:08 schrieb Enrico Olivelli: Il giorno gio 7 nov 2019 alle ore 10:38 ha scritto: sure, if you know how to fix, yes, I can drop this release and start the next one quickly particularly if it helps us later to improve Maven handling of the case This case of -shaded.jar published to Central [1] is really a completely different scenario than Maven -bin.zip/tar,gz binary distribution [2] that has the dependency added to the archive. I currently did not really get how the shaded archive case should be managed: do you have any strategy or fix available? I have thought more about this case: For the Binary Distribution of Maven we can simply add the LICENSE and NOTICE in the zip files, I will handle it. For the distribution on Maven central of shaded artifacts..really I don't know. Maybe we should ask to LEGAL as the problem is for every one that is using the shade plugin and deploying to Maven Central. I image we can't drop JSoup now, ot at least it won't be an easy task Actually, we can. If you look for what JSoup is used, it does not really make sense to do so. It assumes that the target server is Apache HTTPd which must not be the case. Along with assumptions where http://host/path and http://host/path/ are the same which must not necessarily be true. Jsoup is used to satisfy/implement org.apache.maven.wagon.Wagon.getFileList(String) on HttpWagon and LightweightHttpWagon, but that is wrong. HTTP has no means to list a directory, moreover there is no notion of directories in HTTP, only resources. Parsing some HTML file is plain wrong and makes assumptions about an unknown environment. The only HTTP target which can satisfy this is WebDAV where a directory can be logically mapped to a collection which will happily respond with HTTP 207 Multistatus. If you really cannot satisfy the license, it'd be a little risk removing JSoup with 3.4.0. Michael - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: Apache Wagon vs maven-shade vs embedded licenses
I agree on all points, perfect match :) Regards, Hervé - Mail original - De: "Enrico Olivelli" À: "Maven Developers List" Envoyé: Jeudi 7 Novembre 2019 12:08:11 Objet: Re: Apache Wagon vs maven-shade vs embedded licenses Il giorno gio 7 nov 2019 alle ore 10:38 ha scritto: > sure, if you know how to fix, yes, I can drop this release and start the > next one quickly > > particularly if it helps us later to improve Maven handling of the case > > This case of -shaded.jar published to Central [1] is really a completely > different scenario than Maven -bin.zip/tar,gz binary distribution [2] that > has the dependency added to the archive. > I currently did not really get how the shaded archive case should be > managed: do you have any strategy or fix available? > I have thought more about this case: For the Binary Distribution of Maven we can simply add the LICENSE and NOTICE in the zip files, I will handle it. For the distribution on Maven central of shaded artifacts..really I don't know. Maybe we should ask to LEGAL as the problem is for every one that is using the shade plugin and deploying to Maven Central. I image we can't drop JSoup now, ot at least it won't be an easy task So my final position for Wagon HTTP 3.3.3 is: - we are releasing sources, so no problem - we have a more general problem with shaded third party libraries, there is no clear and clean way to address it, so stick to current way for this version of Wagon I will be happy to create an issue on ASF LEGAL JIRA and start the discussion, but I would like to have some Maven PMC member supporting this choice before doing this step. It will be super useful to have a reference doc on ASF website and a link to it inside the maven shade plugin website. Enrico > > Regards, > > Hervé > > [1] > http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon-http/3.3.3/ > > [2] https://archive.apache.org/dist/maven/maven-3/3.6.2/binaries/ > > - Mail original - > De: "Enrico Olivelli" > À: "Maven Developers List" > Envoyé: Mercredi 6 Novembre 2019 11:20:47 > Objet: Re: Apache Wagon vs maven-shade vs embedded licenses > > Hervè > can we fix this issue before releasing this version of Wagon ? > this way we can update Wagon in Maven Core > > Enrico > > Il giorno mer 6 nov 2019 alle ore 11:06 ha > scritto: > > > issue created: https://issues.apache.org/jira/browse/WAGON-574 > > > > Regards, > > > > Hervé > > > > ----- Mail original - > > De: "Enrico Olivelli" > > À: "Maven Developers List" > > Cc: "Hervé BOUTEMY" > > Envoyé: Mercredi 6 Novembre 2019 09:53:29 > > Objet: Re: Apache Wagon vs maven-shade vs embedded licenses > > > > > > > > > > > > > > > > Il giorno mer 6 nov 2019 alle ore 09:03 Vladimir Sitnikov < > > sitnikov.vladi...@gmail.com > ha scritto: > > > > > > Enrico>(I apologize, I don't want to pollute the vote thread, but this is > > somehow > > related) > > > > I've altered the subject. > > > > Enrico> For binary release (that actually is not part of the official > > VOTE) > > > > I'm not a lawyer, but: > > > > > http://www.apache.org/legal/release-policy.html#what > > > WHAT IS A RELEASE? > > > Releases are, by definition, anything that is published beyond the > group > > that owns it > > > > > > > > > > http://www.apache.org/legal/release-policy.html#what-must-every-release-contain > > > Every ASF release must comply with ASF licensing policy > > > > release-policy.html does not make a distinction between "part of the > > official vote" and "not a part of the official vote". > > It just stays "whatever is released must comply with ASF licensing > > policy". > > > > > > > > > > > > Totally agree > > > > > > > > In other words, the VOTE thread looks to me like "we are about to release > > Apache Maven Wagon, please check the artifacts". > > -shaded artifact is a part of the release (because it is "anything that > is > > published beyond the group that owns it"), > > and -shaded does not comply with jsoup's license ==> I suggest that > > there's > > an "utmost importance" issue with the artifacts. > > > > >I wonder if we could enhance the pom in the future to report machiene > > >readable statements like 'the artifact will include a binary copy of > this > > >other third party pom' > > > > That
Re: Apache Wagon vs maven-shade vs embedded licenses
Il giorno gio 7 nov 2019 alle ore 10:38 ha scritto: > sure, if you know how to fix, yes, I can drop this release and start the > next one quickly > > particularly if it helps us later to improve Maven handling of the case > > This case of -shaded.jar published to Central [1] is really a completely > different scenario than Maven -bin.zip/tar,gz binary distribution [2] that > has the dependency added to the archive. > I currently did not really get how the shaded archive case should be > managed: do you have any strategy or fix available? > I have thought more about this case: For the Binary Distribution of Maven we can simply add the LICENSE and NOTICE in the zip files, I will handle it. For the distribution on Maven central of shaded artifacts..really I don't know. Maybe we should ask to LEGAL as the problem is for every one that is using the shade plugin and deploying to Maven Central. I image we can't drop JSoup now, ot at least it won't be an easy task So my final position for Wagon HTTP 3.3.3 is: - we are releasing sources, so no problem - we have a more general problem with shaded third party libraries, there is no clear and clean way to address it, so stick to current way for this version of Wagon I will be happy to create an issue on ASF LEGAL JIRA and start the discussion, but I would like to have some Maven PMC member supporting this choice before doing this step. It will be super useful to have a reference doc on ASF website and a link to it inside the maven shade plugin website. Enrico > > Regards, > > Hervé > > [1] > http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon-http/3.3.3/ > > [2] https://archive.apache.org/dist/maven/maven-3/3.6.2/binaries/ > > - Mail original - > De: "Enrico Olivelli" > À: "Maven Developers List" > Envoyé: Mercredi 6 Novembre 2019 11:20:47 > Objet: Re: Apache Wagon vs maven-shade vs embedded licenses > > Hervè > can we fix this issue before releasing this version of Wagon ? > this way we can update Wagon in Maven Core > > Enrico > > Il giorno mer 6 nov 2019 alle ore 11:06 ha > scritto: > > > issue created: https://issues.apache.org/jira/browse/WAGON-574 > > > > Regards, > > > > Hervé > > > > - Mail original ----- > > De: "Enrico Olivelli" > > À: "Maven Developers List" > > Cc: "Hervé BOUTEMY" > > Envoyé: Mercredi 6 Novembre 2019 09:53:29 > > Objet: Re: Apache Wagon vs maven-shade vs embedded licenses > > > > > > > > > > > > > > > > Il giorno mer 6 nov 2019 alle ore 09:03 Vladimir Sitnikov < > > sitnikov.vladi...@gmail.com > ha scritto: > > > > > > Enrico>(I apologize, I don't want to pollute the vote thread, but this is > > somehow > > related) > > > > I've altered the subject. > > > > Enrico> For binary release (that actually is not part of the official > > VOTE) > > > > I'm not a lawyer, but: > > > > > http://www.apache.org/legal/release-policy.html#what > > > WHAT IS A RELEASE? > > > Releases are, by definition, anything that is published beyond the > group > > that owns it > > > > > > > > > > http://www.apache.org/legal/release-policy.html#what-must-every-release-contain > > > Every ASF release must comply with ASF licensing policy > > > > release-policy.html does not make a distinction between "part of the > > official vote" and "not a part of the official vote". > > It just stays "whatever is released must comply with ASF licensing > > policy". > > > > > > > > > > > > Totally agree > > > > > > > > In other words, the VOTE thread looks to me like "we are about to release > > Apache Maven Wagon, please check the artifacts". > > -shaded artifact is a part of the release (because it is "anything that > is > > published beyond the group that owns it"), > > and -shaded does not comply with jsoup's license ==> I suggest that > > there's > > an "utmost importance" issue with the artifacts. > > > > >I wonder if we could enhance the pom in the future to report machiene > > >readable statements like 'the artifact will include a binary copy of > this > > >other third party pom' > > > > That would be nice. I'm not sure everything comes from a pom though. > > For instance, -shaded, -sources, -javadoc and other "classifier-based > > artifacts" miss their respective poms. > > However, they all might re-distribute dif
Re: Apache Wagon vs maven-shade vs embedded licenses
sure, if you know how to fix, yes, I can drop this release and start the next one quickly particularly if it helps us later to improve Maven handling of the case This case of -shaded.jar published to Central [1] is really a completely different scenario than Maven -bin.zip/tar,gz binary distribution [2] that has the dependency added to the archive. I currently did not really get how the shaded archive case should be managed: do you have any strategy or fix available? Regards, Hervé [1] http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon-http/3.3.3/ [2] https://archive.apache.org/dist/maven/maven-3/3.6.2/binaries/ - Mail original - De: "Enrico Olivelli" À: "Maven Developers List" Envoyé: Mercredi 6 Novembre 2019 11:20:47 Objet: Re: Apache Wagon vs maven-shade vs embedded licenses Hervè can we fix this issue before releasing this version of Wagon ? this way we can update Wagon in Maven Core Enrico Il giorno mer 6 nov 2019 alle ore 11:06 ha scritto: > issue created: https://issues.apache.org/jira/browse/WAGON-574 > > Regards, > > Hervé > > - Mail original - > De: "Enrico Olivelli" > À: "Maven Developers List" > Cc: "Hervé BOUTEMY" > Envoyé: Mercredi 6 Novembre 2019 09:53:29 > Objet: Re: Apache Wagon vs maven-shade vs embedded licenses > > > > > > > > Il giorno mer 6 nov 2019 alle ore 09:03 Vladimir Sitnikov < > sitnikov.vladi...@gmail.com > ha scritto: > > > Enrico>(I apologize, I don't want to pollute the vote thread, but this is > somehow > related) > > I've altered the subject. > > Enrico> For binary release (that actually is not part of the official > VOTE) > > I'm not a lawyer, but: > > > http://www.apache.org/legal/release-policy.html#what > > WHAT IS A RELEASE? > > Releases are, by definition, anything that is published beyond the group > that owns it > > > > > http://www.apache.org/legal/release-policy.html#what-must-every-release-contain > > Every ASF release must comply with ASF licensing policy > > release-policy.html does not make a distinction between "part of the > official vote" and "not a part of the official vote". > It just stays "whatever is released must comply with ASF licensing > policy". > > > > > > Totally agree > > > > In other words, the VOTE thread looks to me like "we are about to release > Apache Maven Wagon, please check the artifacts". > -shaded artifact is a part of the release (because it is "anything that is > published beyond the group that owns it"), > and -shaded does not comply with jsoup's license ==> I suggest that > there's > an "utmost importance" issue with the artifacts. > > >I wonder if we could enhance the pom in the future to report machiene > >readable statements like 'the artifact will include a binary copy of this > >other third party pom' > > That would be nice. I'm not sure everything comes from a pom though. > For instance, -shaded, -sources, -javadoc and other "classifier-based > artifacts" miss their respective poms. > However, they all might re-distribute different third-party dependencies. > > > > Yes, it is not so simply as I said. > > > > Then people do not always consume artifacts as jar/pom files. > For instance, apache-maven-3.6.2-bin.zip does not have a pom file. > > In my opinion, the licensing conditions should be embedded into each > archive if that is possible. > > > > I think this is the only viable option nowadays > > > > There's spdx.org effort, however, I don't think it is ready for use. > > Vladimir > > > > > > Thanks > > > Enrico > > - > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org > For additional commands, e-mail: dev-h...@maven.apache.org > > - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: Apache Wagon vs maven-shade vs embedded licenses
Hervè can we fix this issue before releasing this version of Wagon ? this way we can update Wagon in Maven Core Enrico Il giorno mer 6 nov 2019 alle ore 11:06 ha scritto: > issue created: https://issues.apache.org/jira/browse/WAGON-574 > > Regards, > > Hervé > > - Mail original - > De: "Enrico Olivelli" > À: "Maven Developers List" > Cc: "Hervé BOUTEMY" > Envoyé: Mercredi 6 Novembre 2019 09:53:29 > Objet: Re: Apache Wagon vs maven-shade vs embedded licenses > > > > > > > > Il giorno mer 6 nov 2019 alle ore 09:03 Vladimir Sitnikov < > sitnikov.vladi...@gmail.com > ha scritto: > > > Enrico>(I apologize, I don't want to pollute the vote thread, but this is > somehow > related) > > I've altered the subject. > > Enrico> For binary release (that actually is not part of the official > VOTE) > > I'm not a lawyer, but: > > > http://www.apache.org/legal/release-policy.html#what > > WHAT IS A RELEASE? > > Releases are, by definition, anything that is published beyond the group > that owns it > > > > > http://www.apache.org/legal/release-policy.html#what-must-every-release-contain > > Every ASF release must comply with ASF licensing policy > > release-policy.html does not make a distinction between "part of the > official vote" and "not a part of the official vote". > It just stays "whatever is released must comply with ASF licensing > policy". > > > > > > Totally agree > > > > In other words, the VOTE thread looks to me like "we are about to release > Apache Maven Wagon, please check the artifacts". > -shaded artifact is a part of the release (because it is "anything that is > published beyond the group that owns it"), > and -shaded does not comply with jsoup's license ==> I suggest that > there's > an "utmost importance" issue with the artifacts. > > >I wonder if we could enhance the pom in the future to report machiene > >readable statements like 'the artifact will include a binary copy of this > >other third party pom' > > That would be nice. I'm not sure everything comes from a pom though. > For instance, -shaded, -sources, -javadoc and other "classifier-based > artifacts" miss their respective poms. > However, they all might re-distribute different third-party dependencies. > > > > Yes, it is not so simply as I said. > > > > Then people do not always consume artifacts as jar/pom files. > For instance, apache-maven-3.6.2-bin.zip does not have a pom file. > > In my opinion, the licensing conditions should be embedded into each > archive if that is possible. > > > > I think this is the only viable option nowadays > > > > There's spdx.org effort, however, I don't think it is ready for use. > > Vladimir > > > > > > Thanks > > > Enrico > > - > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org > For additional commands, e-mail: dev-h...@maven.apache.org > >
Re: Apache Wagon vs maven-shade vs embedded licenses
issue created: https://issues.apache.org/jira/browse/WAGON-574 Regards, Hervé - Mail original - De: "Enrico Olivelli" À: "Maven Developers List" Cc: "Hervé BOUTEMY" Envoyé: Mercredi 6 Novembre 2019 09:53:29 Objet: Re: Apache Wagon vs maven-shade vs embedded licenses Il giorno mer 6 nov 2019 alle ore 09:03 Vladimir Sitnikov < sitnikov.vladi...@gmail.com > ha scritto: Enrico>(I apologize, I don't want to pollute the vote thread, but this is somehow related) I've altered the subject. Enrico> For binary release (that actually is not part of the official VOTE) I'm not a lawyer, but: > http://www.apache.org/legal/release-policy.html#what > WHAT IS A RELEASE? > Releases are, by definition, anything that is published beyond the group that owns it > http://www.apache.org/legal/release-policy.html#what-must-every-release-contain > Every ASF release must comply with ASF licensing policy release-policy.html does not make a distinction between "part of the official vote" and "not a part of the official vote". It just stays "whatever is released must comply with ASF licensing policy". Totally agree In other words, the VOTE thread looks to me like "we are about to release Apache Maven Wagon, please check the artifacts". -shaded artifact is a part of the release (because it is "anything that is published beyond the group that owns it"), and -shaded does not comply with jsoup's license ==> I suggest that there's an "utmost importance" issue with the artifacts. >I wonder if we could enhance the pom in the future to report machiene >readable statements like 'the artifact will include a binary copy of this >other third party pom' That would be nice. I'm not sure everything comes from a pom though. For instance, -shaded, -sources, -javadoc and other "classifier-based artifacts" miss their respective poms. However, they all might re-distribute different third-party dependencies. Yes, it is not so simply as I said. Then people do not always consume artifacts as jar/pom files. For instance, apache-maven-3.6.2-bin.zip does not have a pom file. In my opinion, the licensing conditions should be embedded into each archive if that is possible. I think this is the only viable option nowadays There's spdx.org effort, however, I don't think it is ready for use. Vladimir Thanks Enrico - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: Apache Wagon vs maven-shade vs embedded licenses
Il giorno mer 6 nov 2019 alle ore 09:03 Vladimir Sitnikov < sitnikov.vladi...@gmail.com> ha scritto: > Enrico>(I apologize, I don't want to pollute the vote thread, but this is > somehow > related) > > I've altered the subject. > > Enrico> For binary release (that actually is not part of the official VOTE) > > I'm not a lawyer, but: > > > http://www.apache.org/legal/release-policy.html#what > > WHAT IS A RELEASE? > > Releases are, by definition, anything that is published beyond the group > that owns it > > > > > http://www.apache.org/legal/release-policy.html#what-must-every-release-contain > > Every ASF release must comply with ASF licensing policy > > release-policy.html does not make a distinction between "part of the > official vote" and "not a part of the official vote". > It just stays "whatever is released must comply with ASF licensing policy". > Totally agree > > In other words, the VOTE thread looks to me like "we are about to release > Apache Maven Wagon, please check the artifacts". > -shaded artifact is a part of the release (because it is "anything that is > published beyond the group that owns it"), > and -shaded does not comply with jsoup's license ==> I suggest that there's > an "utmost importance" issue with the artifacts. > > >I wonder if we could enhance the pom in the future to report machiene > >readable statements like 'the artifact will include a binary copy of this > >other third party pom' > > That would be nice. I'm not sure everything comes from a pom though. > For instance, -shaded, -sources, -javadoc and other "classifier-based > artifacts" miss their respective poms. > However, they all might re-distribute different third-party dependencies. > Yes, it is not so simply as I said. > > Then people do not always consume artifacts as jar/pom files. > For instance, apache-maven-3.6.2-bin.zip does not have a pom file. > > In my opinion, the licensing conditions should be embedded into each > archive if that is possible. > I think this is the only viable option nowadays > > There's spdx.org effort, however, I don't think it is ready for use. > > Vladimir > Thanks Enrico
Apache Wagon vs maven-shade vs embedded licenses
Enrico>(I apologize, I don't want to pollute the vote thread, but this is somehow related) I've altered the subject. Enrico> For binary release (that actually is not part of the official VOTE) I'm not a lawyer, but: > http://www.apache.org/legal/release-policy.html#what > WHAT IS A RELEASE? > Releases are, by definition, anything that is published beyond the group that owns it > http://www.apache.org/legal/release-policy.html#what-must-every-release-contain > Every ASF release must comply with ASF licensing policy release-policy.html does not make a distinction between "part of the official vote" and "not a part of the official vote". It just stays "whatever is released must comply with ASF licensing policy". In other words, the VOTE thread looks to me like "we are about to release Apache Maven Wagon, please check the artifacts". -shaded artifact is a part of the release (because it is "anything that is published beyond the group that owns it"), and -shaded does not comply with jsoup's license ==> I suggest that there's an "utmost importance" issue with the artifacts. >I wonder if we could enhance the pom in the future to report machiene >readable statements like 'the artifact will include a binary copy of this >other third party pom' That would be nice. I'm not sure everything comes from a pom though. For instance, -shaded, -sources, -javadoc and other "classifier-based artifacts" miss their respective poms. However, they all might re-distribute different third-party dependencies. Then people do not always consume artifacts as jar/pom files. For instance, apache-maven-3.6.2-bin.zip does not have a pom file. In my opinion, the licensing conditions should be embedded into each archive if that is possible. There's spdx.org effort, however, I don't think it is ready for use. Vladimir