Robert Burrell Donkin wrote:
On Mon, Mar 31, 2008 at 12:43 AM, Stefano Bagnara <[EMAIL PROTECTED]> wrote:
I'm sorry for the long messages, my poor english brings me to write the
same thing multiple times with the hope the message is transmitted.
the english used in this area is particularly tough since it contains
a lot of nuance but i'm not sure i can simplify without losing
accuracy
It was a criticism of *my* english. Your verbosity was ok ;-)
I clearly understand that downloading an artifact from a website as part
of an automated process is DIFFERENT (for the US law, for many other
jurisdictions, for the ASF policies, and for everything else) from
redistributing the same artifact as part of another product.
My point is that if you don't know what the license is I don't see why
downloading automatically is *THE* right choice. I understand that the
legal complications of redistributing are bigger than those of
automatically downloading, but the fact is that we don't know the license,
so there are even minimal possibilities that also the automatic download
is not allowed by the license we don't know.
ok
i'm going to assume that we're talking about the automatic download
which happens when maven builds the project.
i am not concerned by the automatic download because i trust the maven
team to act responsibly enough to allow me to use their application in
good faith. though the public audit trail is not clear and so i cannot
independently verify this faith, i am in a similar position with most
of the software i use.
maven is not tied to a single repository. if the people running the
central repository end up having a problem with the IP of the
documents they distribute then this is a problem for them and not me.
apache does not run the repository and so i don't believe that this is
an issue that need concern the members. i trust that the people who do
run the central repository understand enough US law to ensure that
they are not taking too many risks. IMHO this is not an unreasonable
assumption.
This is clear.
If I understand it correctly you say that we didn't add central in our
redistributable because central is something "hardcoded" in maven, so
what it automatically downloads is a concern of maven project and the
maven users and not a problem for us. In fact we simply declare a
dependency in our pom.xml and do not declare a way to retrieve that
dependency.
Would you think the same if we had to declare the central repository url
in our pom?
If I understand your statement you also say that "*they* are not taking
too many risks" (by redistributing that pom via central) but you
wouldn't take the same risks by redistributing the pom as part of our
release, right?
The funny thing is that all of this thread is about a "stupid" pom that
even my father could write as is if I explain to him the pom
semantics+syntax and I tell him to describe junit-3.8.1.jar. This is what
scares me: the fact that we don't have a clear way to rewrite this
f***ing xml from scratch and release jSPF-0.9.7.
For the record the other funny thing is that I don't need a jSPF release
and I don't use jSPF in any of my projects. My involvement in jSPF
started mainly because I had problems releasing JAMES Server and needed a
way to work together with Norman to better understand his skills and try to
help him join the JAMES project.
note that i didn't -1 the release: if i thought that it posed a
significant danger then i would have done so
i audit a lot of releases and have my own policies. i will not +1 a
release unless i am convinced that the IP is known and fully audited.
this is different from -1ing a release that i consider to be actively
dangerous. other people judge things differently.
You may have noticed that we only get 2 +1 ;-)
So I'd like to know what exactly we have to do to get the 3rd +1, either
by you or by one of the other PMC members!
Stefano