Hi, On Mon, Sep 21, 2009 at 3:58 PM, Marshall Schor <m...@schor.com> wrote: > Interesting. Is there any *enforcement* of the policy of not updating > non-SNAPSHOT artifacts (with their checksums)?
Yes, the rsync process that pulls stuff from upstream repositories to Maven central only ever adds files. See [1] where they say: "Important: nothing is deleted or changed in the Central Repository after it is synced (except maven-metadata.xml files)." It is possible to explicitly ask for changes to be made to already uploaded artifacts, for example to fix some major mistakes (I've seen it happen for example when an artifact was uploaded without a proper license to do so), but most of the time such requests are simply answered by asking the upstream project to deploy a new release with an updated version number. The repository administrators are well aware of the potential problems caused by modified artifacts, so this is only done in exceptional circumstances for very good reasons (including an explanation why downstream projects won't be adversely affected). The LICENSE/NOTICE point that Thilo brought up is a valid one, though especially when the default build embeds external dependencies to the build target, it's quite OK to include also their licenses in the licensing metadata even if those dependencies strictly speaking aren't being shipped as a part of the source distribution. [1] http://maven.apache.org/guides/mini/guide-central-repository-upload.html BR, Jukka Zitting
