Tapestry: TAPESTRY-1249

4.1.1 binary downloads include non-Apache modules (including OGNL and Javassist).

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 4.1.1
    • Fix Version/s: 4.1.2
    • Component/s: Build
    • Labels: None

      Description

      I was just building the download pages for Tapestry 5.0.1 and noticed that the 4.1.1 binaries include ognl.jar, etc. This is absolutely against Apache guidelines (only Apache software may be downloaded from the Apache mirrors, directly or otherwise). Tapestry 4.0.x went to great measures to download the necessary dependencies (OGNL, Javassist) as needed, a pain for users, but part of the cost of going outside the Apache fold.

        Activity

        Andreas Andreou added a comment -

        <quote>Tapestry 4.0.x went to great measures to download the necessary dependencies (OGNL, Javassist) as needed, a pain for users, but part of the cost of going outside the Apache fold.</quote>

        So did 4.1.0 - anyway, I believe this to be a misconfiguration of the maven-assembly-plugin... I've never used it myself,
        but our dep.xml has a line saying <includeDependencies>true</includeDependencies>

        Jesse Kuhnert added a comment -

        I've fixed the maven configuration to not include dependencies now, I'm not sure what to do about the 4.1.1 binaries.

        It should work if I just modify the binaries and re-sign them again, right?

        Jesse Kuhnert added a comment -

        Ok, manually updated the current 4.1.1 dist binaries. Not sure how we're supposed to handle this for future releases though. Ehh... Hopefully there's some easy-ish solution.

        Howard M. Lewis Ship added a comment -

        I've been getting some more input from the board and I may have overreacted (still figuring it out). It's possible you can bundle other software, but have to announce so in NOTICE.txt and include the library's license file. Except for LGPL which is verboten. Javassist and OGNL are both MPL.

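The rule the thread settles on (a binary distribution may carry non-Apache jars such as ognl.jar only if NOTICE.txt announces them and the library's own license file ships alongside) can be checked mechanically before a release is signed and mirrored, which is what the script below does. It is an added example, not Tapestry project code or part of this issue: the `tapestry-` artifact prefix, the `licenses/` directory name and the archive contents are constructed assumptions for the demonstration.

```python
"""Audit a binary distribution archive for bundled third-party libraries.

Added example (not Tapestry project code). It encodes the rule stated in the
issue: non-Apache jars may be bundled only if NOTICE.txt announces them and the
library's license text ships alongside. The 'tapestry-' artifact prefix and the
'licenses/' directory are assumptions made for this example.
"""
import io
import re
import zipfile

PROJECT_PREFIX = "tapestry-"   # assumed: the project's own artifact prefix
LICENSE_DIR = "licenses/"      # assumed: where bundled license texts live


def third_party_jars(names):
    """Map library base name (lowercase, version stripped) -> archive path
    for every jar that is not one of the project's own artifacts."""
    found = {}
    for name in names:
        base = name.rsplit("/", 1)[-1]
        if not base.endswith(".jar") or base.startswith(PROJECT_PREFIX):
            continue
        # strip a trailing -<version> so 'ognl-2.6.9.jar' -> 'ognl'
        lib = re.sub(r"-\d[\w.]*$", "", base[:-4]).lower()
        found[lib] = name
    return found


def audit_distribution(zip_bytes):
    """Return a list of findings; an empty list means the archive passes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        notice = ""
        license_files = []
        for name in names:
            base = name.rsplit("/", 1)[-1].lower()
            if base == "notice.txt":
                notice = zf.read(name).decode("utf-8", "replace").lower()
            if LICENSE_DIR in name.lower() and not name.endswith("/"):
                license_files.append(name.lower())
        for lib, path in sorted(third_party_jars(names).items()):
            if lib not in notice:
                findings.append(f"{path}: third-party jar not announced in NOTICE.txt")
            if not any(lib in lf for lf in license_files):
                findings.append(f"{path}: no license file for '{lib}' under {LICENSE_DIR}")
    return findings


def build_sample(with_notice):
    """Construct an in-memory distribution zip (constructed data, empty jars)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tapestry-4.1.1/lib/tapestry-framework-4.1.1.jar", b"")
        zf.writestr("tapestry-4.1.1/lib/ognl-2.6.9.jar", b"")
        zf.writestr("tapestry-4.1.1/lib/javassist-3.4.GA.jar", b"")
        zf.writestr("tapestry-4.1.1/LICENSE.txt", b"Apache License 2.0")
        if with_notice:
            zf.writestr("tapestry-4.1.1/NOTICE.txt",
                        b"This product bundles OGNL and Javassist under the MPL.")
            zf.writestr("tapestry-4.1.1/licenses/ognl-LICENSE.txt", b"MPL 1.1")
            zf.writestr("tapestry-4.1.1/licenses/javassist-LICENSE.txt", b"MPL 1.1")
    return buf.getvalue()


if __name__ == "__main__":
    for label, ok in (("compliant bundle", True), ("bundle without NOTICE", False)):
        print(label + ":", audit_distribution(build_sample(ok)) or "OK")
```

Run it against the real distribution zip by passing the file's bytes to `audit_distribution`; a non-empty result is the signal to fix the assembly (or the NOTICE and license files) before re-signing, since re-signing a modified archive only re-attests whatever is inside it.
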
        Jesse Kuhnert added a comment -

        That is good news!

        Better to have you overreact than some users (or some users' boss/bosses' lawyers).


          People

          • Assignee: Jesse Kuhnert
          • Reporter: Howard M. Lewis Ship
          • Votes: 0
          • Watchers: 0
