Tapestry / TAPESTRY-1249

4.1.1 binary downloads include non-Apache modules (including OGNL and Javassist).

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 4.1.1
    • Fix Version/s: 4.1.2
    • Component/s: Build
    • Labels:
      None

      Description

      I was just building the download pages for Tapestry 5.0.1 and noticed that the 4.1.1 binaries include ognl.jar, etc. This is absolutely against Apache guidelines (only Apache software may be downloaded from the Apache mirrors, directly or otherwise). Tapestry 4.0.x went to great measures to download the necessary dependencies (OGNL, Javassist) as needed, a pain for users, but part of the cost of going outside the Apache fold.

        Activity

        Howard M. Lewis Ship created issue -
        Andreas Andreou added a comment -

        <quote>Tapestry 4.0.x went to great measures to download the necessary dependencies (OGNL, Javassist) as needed, a pain for users, but part of the cost of going outside the Apache fold.</quote>

        So did 4.1.0 - anyway, I believe this to be a misconfiguration of the maven-assembly-plugin... I've never used it myself,
        but our dep.xml has a line saying <includeDependencies>true</includeDependencies>

        Jesse Kuhnert added a comment -

        I've fixed the maven configuration to not include dependencies now, I'm not sure what to do about the 4.1.1 binaries.

        It should work if I just modify the binaries and re-sign them again, right?

        Jesse Kuhnert added a comment -

        Ok, manually updated the current 4.1.1 dist binaries. Not sure how we're supposed to handle this for future releases though. Ehh....Hopefully there's some easy-ish solution.

        Jesse Kuhnert made changes -
        Field: Original Value -> New Value
        Resolution: (empty) -> Fixed [ 1 ]
        Assignee: (empty) -> Jesse Kuhnert [ jkuhnert ]
        Status: Open [ 1 ] -> Resolved [ 5 ]
        Howard M. Lewis Ship added a comment -

        I've been getting some more input from the board and I may have overreacted (still figuring it out). It's possible you can bundle other software, but have to announce so in NOTICE.txt and include the library's license file. Except for LGPL which is verboten. Javassist and OGNL are both MPL.

        Jesse Kuhnert added a comment -

        That is good news!

        Better to have you overreact than some users (or some users' boss/bosses' lawyers).

        Transition: Open -> Resolved
        Time In Source Status: 9d 2h 44m
        Execution Times: 1
        Last Executer: Jesse Kuhnert
        Last Execution Date: 11/Feb/07 22:17

          People

          • Assignee:
            Jesse Kuhnert
            Reporter:
            Howard M. Lewis Ship
