The source jar does just include the .java/.scala/etc. files along with anything in src/main/resources/ (and anything else configured, though this is the default). I think that a source jar is required for distribution on maven central. Besides making releases on the /dist/ svn repo, there's repository.apache.org which can also technically be used to download maven artifacts besides MC (plus I think bintray/jcenter mirrors everything on MC).
So basically, at the bare minimum, you need the source tarball/zip on dist which can be used by users to build usable artifacts from source using the relevant build tools and publicly available dependencies (which of course are licensed appropriately). All artifacts are signed along with at least an md5 hash, but I typically also see shaN hashes along with since md5 is so old and broken (maybe this policy should be updated?). And then the flow from repository.apache.org to MC and elsewhere only contains the compiled jars, source jars, poms, and sometimes accompanying xml artifacts or zips. On 3 December 2016 at 12:14, Gary Gregory <garydgreg...@gmail.com> wrote: > On Dec 3, 2016 9:34 AM, "Charles Honton" <c...@honton.org> wrote: > > > > To follow up the thread on releasing parent 42 and exactly what needs to > signed, etc. I’ve researched asf release policy. Here’s the gist: > > > > 1. Every ASF release must contain a source package, which must be > sufficient for a user to build and test the release provided they have > access to the appropriate platform and tools. < > http://www.apache.org/dev/release#what-must-every-release-contain> > > > > 2. A release isn't 'released' until the contents are in the project's > distribution directory, which is a subdirectory of www.apache.org/dist/ < > http://www.apache.org/dev/release#where-do-releases-go>. > > > > 3. Every artifact distributed to the public through Apache channels MUST > be accompanied by one file containing an OpenPGP compatible ASCII armored > detached signature and another file containing an MD5 checksum. < > https://www.apache.org/dev/release-distribution.html#sigs-and-sums> > > > > What do we consider the source package for our releases? > > Are the xxx-sources.jar, xxx-test-sources.jar, and pom sufficient to > build and test the release? > > Nope. A sources jar is a convenience for IDEs, it usually does not contain > build scripts and such. I am AFK so I am hoping someone can provide an > example. > > > Is the zip/gz just a convenience and is it still useful/required? > > That should contain almost everything that is in the repo except for things > like old files like proposal.html. > > > Or is it the reverse, the zip/gz is the release and the jars are the > convenience distributions? > > Yep. The release are the zip/gz sources. All binaries are conveniences. > Granted that without a Maven Central jar release, a component is not easy > to reuse. > > Gary > > > > > regards, > > chas > -- Matt Sicker <boa...@gmail.com>
