On 18 Apr 2016 4:47 p.m., "sebb" <seb...@gmail.com> wrote:

> Using lazy votes for this was agreed by the PMC a while back.

Ah, I thought as it had its own website, (earlier) downloads and Maven
Central artifacts it was one of the releases of Apache Commons.

Perhaps if it is only for internal project use it should not be mirrored to
Maven Central (e.g. kept in a separate Nexus area - perpetual SNAPSHOT) -
or it should be treated as a proper release (even if it happens to be a bit
exotic for non-Commons users), in which case the usual checks and balances
apply.

> > I notice this RC is 'straight to Maven' - but this should also be
> > released to
> >
> > https://dist.apache.org/repos/dist/release/commons/commons-build-plugin/source/
> >
> > (BTW: 1.5 is missing there)
>
> The build plugin is entirely optional, and only intended for use by
> Commons Developers.

So none of the components depend on the build plugin as part of their
pom.xml build? (Only on command line or in a -Prelease profile?)

(Sorry, I haven't checked)

> Note we haven't released Commons parent POM there either.
> If anything, that is a more deserving case for a dist release.

Yes, even though the parent pom is a self-contained file, I would support
such a move for consistency reasons and to (if ever so slightly) reduce
reliance on Maven Central. (See NPM use case:
http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/ )

(It could be argued that everything should be source released also in the
Nexus repository, and that it should be treated as official as
dist.apache.org in the ASF policy. I think that is general practice in many
projects, but then we still need to keep a copy of the hashes from the
closed staging repo in the VOTE thread, as the staging repo disappears
after publishing. We would then need more official mirrors)

> It's not clear to me whether it is necessary to use for build tools.

That depends if it's needed for third party building or not. In theory I
should be able to grab whatever I need from dist.apache.org (and archive)
to verify and build anything under org.apache and commons* in Maven
Central. Obviously for other Maven Central dependencies I would need to do
the same from their upstream sources.

This is what Linux distributions like Debian do - with their own mirroring
and patching thrown into the mix.

Source code can also be accessed on demand from svn/git, but it is
currently ASF policy that the source code tar/zip on the dist mirrors are
the Gold Standard after a VOTE - I don't know how much leeway Commons PMC
have here, but I found it confusing that an older version 1.4 was on dist,
but not 1.5, even though 1.5 is in Central and on the website.

I think it's OK to not release something that is only needed say for
updating a Commons components website (as is the main purpose of this
particular plugin) or the release process, but then the internal tool
should not be distributed as "released" itself, as that implies something
more within ASF. (e.g. that we have checked the license headers :))

BTW, you are free to ignore my -1 - this is just my opinion flopping in
from the side corner! ;))
