Les,

please remember, not all incubator projects make it! i've personally been a mentor on a few projects that were shut down for various reasons.

-- dims

James Carman wrote:
| The bottom line is that incubator projects haven't (yet) gone through
| all the hoops necessary to become official ASF projects. So, if they
| are published to the main repository, that is in a way saying that the
| ASF endorses the software. Since it has not graduated from the
| incubator, the ASF doesn't yet endorse it. This is the way I see it
| at least.
|
| On Fri, May 30, 2008 at 11:06 AM, Les Hazlewood <[EMAIL PROTECTED]> wrote:
|> Noel,
|>
|> Could you please help me understand the fundamental reasons why this
|> is important to the IPMC?
|>
|> I mean, I as an end-user could care less about if the dependency
|> artifact is in incubation or not - as long as it solves the problems
|> in the way the development team deems necessary, all I want to do is
|> just have it be accessible to me immediately. I don't care where it
|> comes from. If it requires intervention on my part, I view that as a
|> major pain, especially if it can knowingly be avoided. I would want
|> things to be as automatic and hands-off as possible.
|>
|> I'm just genuinely trying to understand why the distinction is necessary.
|>
|> Thanks for clarifying my naivety,
|>
|> Les
|>
|> On Fri, May 30, 2008 at 10:54 AM, Noel J. Bergman <[EMAIL PROTECTED]> wrote:
|>> Robert Burrell Donkin wrote:
|>>
|>>> it has now been clearly established that we need to move the
|>>> repository. we're now just asking: where?
|>>
|>> As I said, Brett Porter's proposal, made early on in the thread, seemed
|>> satisfactory.
|>>
|>>> asking podlings to publish through a secondary repository is both
|>>> annoying and ineffective at making it explicit to people that
|>>> they are using artifacts under incubation. this measure cuts
|>>> against the grain of maven.
|>>
|>> I really don't care what cuts across the grain of Maven. I do care about
|>> the established principle that people must make a deliberate decision to use
|>> Incubator artifacts. If Maven would finally support enforcing signing of
|>> artifacts, as they have been asked to do for years, we could use an
|>> Incubator-specific signing key, forcing people to approve the use of
|>> Incubator artifacts, regardless of download location.
|>>
|>> Rather than relax the principle to accommodate a defective tool, if Maven
|>> cannot solve this problem, I'd be more inclined to ban the use of maven
|>> repositories for Incubator artifacts. That is how strongly I feel about the
|>> principle.
|>>
|>> By the way, there has been some talk in Infrastructure about shutting down
|>> the ASF's repository entirely if Maven does not provide enforcement of
|>> signed artifacts, due to security concerns.
|>>
|>> Look back over the years of debate on this issue, and I believe that you
|>> will find I've been very consistent. I want Incubator projects to be able
|>> to perform releases in order to grow their (developer) community, but we
|>> also require that people be aware of the fact that they are not using
|>> official ASF code, as noted by the disclaimer.
|>>
|>>> an easy and effective way to ensure that users know that they are using
|>>> an artifact from the incubator would be to ensure that the group or
|>>> artifact ID includes this information.
|>>
|>> End users don't read the POM. They just use it. So that is no solution at
|>> all. The signing approach would be, IMO, a reasonable solution. It would
|>> solve Les' issue -- users would simply have to agree to install the
|>> Incubator-signed artifact(s), and thereafter they'd be fine.
|>>
|>> --- Noel