On Thu, Feb 20, 2014 at 08:37:46AM -0500, David Nalley wrote:
> Hi folks,
>
> I cringe to raise this issue. After 6 RCs I am sure we are all feeling
> a little bit of release vote fatigue. Especially Animesh. I apologize
> in advance; in all other respects I am ready to give a +1 to RC6.
>
> I've been playing with 4.3.0-rc6 for a couple of days now. I attempted
> to build some RPMs and had problems with dependency resolution in
> maven. This led me to looking at a number of different poms, and I
> noticed mysql-connector-java is listed as a runtime dependency. For
> our end users, this really isn't necessary - the debs and rpms specify
> a requirement (effectively a system requirement in the terms of
> policy) for mysql-connector-java. We don't need it to build the
> software (at least not in any location I've seen) - just when running.
> (And thus it's a system dependency, much like MySQL is.)
>
> mysql-connector-java is GPLv2; which is Cat X. By including it as a
> dependency in the pom it automatically gets downloaded. The 3rd Party
> software policy has this line in it:
>
> "YOU MUST NOT distribute build scripts or documentation within an
> Apache product with the purpose of causing the default/standard build
> of an Apache product to include any part of a prohibited work."
>
> We've released software with this dependency previously. Is this a
> blocker for 4.3 or do we fix going forward? (If we hadn't already
> shipped releases with this problem I'd lean a bit more towards it
> being a blocker - but it's more murky now.)
>
> Thoughts, comments, flames?
>
> --David
>
> [1] https://www.apache.org/legal/3party.html

During incubation, this dependency was raised as an issue. Generally, there are 2 ways to deal with Category X dependencies within an ASF project:

1) Make it an optional part of the software. This is what we do with the nonoss build target, but won't work for the mysql-connector.
2) Make it a "system dependency" that is expected to be installed on the system prior to our software.

mysql-connector-java (and the python equiv) were supposed to be handled using option 2 (system dependency). Currently, our RPM packaging depends on the relevant RPM to pull this in as a system dependency. I can't tell with the DEBs, but that would need to be reviewed.

The problem is that our maven poms pull down the jar automatically right now. This is the blocker for us. I'm certainly not a lawyer, but my understanding of ASF policy is that we need to make some changes before making another release.

So, there appear to be three things that have to happen:

1) Confirm that the mysql-connector-java is a system dependency in the DEB packaging.
2) Ensure that a "normal build" of the project using mvn does not automatically download the mysql-connector-java jar files.
3) Retest the project to ensure that the above changes work.

Then we can re-spin an RC.

-chip