Re: Step towards being able to build on Linux (Pull request #435)
От | Pavel Raiskup |
---|---|
Тема | Re: Step towards being able to build on Linux (Pull request #435) |
Дата | |
Msg-id | 3005692.uK5na4TWyJ@nb.usersys.redhat.com обсуждение исходный текст |
Ответ на | Re: Step towards being able to build on Linux (Pull request #435) (Vladimir Sitnikov <sitnikov.vladimir@gmail.com>) |
Ответы |
Re: Step towards being able to build on Linux (Pull request
#435)
(Álvaro Hernández Tortosa <aht@8kdata.com>)
|
Список | pgsql-jdbc |
On Wednesday 20 of January 2016 18:18:16 Vladimir Sitnikov wrote: > >I'm asking you - as Java hacker - how this is > >_normally_ done. > > Maven profile. See [1]. Thanks. > >That is unlucky .. who should I ask? At least adding new dependency is > >big issue every committer should take into account. I'm not sure about > >licensing too -- and thats why we can't provide jdbc with osgi support. > > Frankly speaking, I've no idea how that is usually managed. > It looks like pgjdbc does not force to sign CLAs when accepting patches. > > I'm not sure why you pay so much attention to osgi while completely > ignore the fact that pgjdbc includes lots of contributions (from > random people) itself. Contributing to project with "PostgreSQL" license is clear; using it is clear either. As a user, I can trust you (== software provider) that the code you provide is really "PostgreSQL" licensed -- on distribution level we must properly check/review that this is truth, but that is fine. (hard) dependency on randomly licenced project OTOH can make otherwise perfectly well licenced open source project unusable for me as open-source user. What would be worse: Two dependencies on two proprietary licenses might make the project (legally) unusable. At least as far as I understand. That is why the licensing is important from user's perspective, and why SW providers should be aware of that POV. > The osgi jars in question are licensed under Apache 2.0. > jcp is Apache 2.0 as well. IANAL, but Apache 2.0 is fine license if we *have* the right source code (which is not guaranteed by Apache 2.0 itself, neither osgi, afaik), but again - IANAL. Do we have source? But to other point -- if I understand it right, only some kind of API for "jar-file" propagation in osgi-capable system is used. Is this too candidate for opt-out in maven profile? That would simplify things. > >Yes, we do manual reviews. By "software binary blob" I meant code > >(which can be executed) which may, e.g., infect my machine. > > I do not want to stretch that, but I wonder if you call "sql statement > inside a java code" a "software binary blob" "which can be executed in > backend" and "infect the machine via integer overflow or whatever". It is source code; thus (if not obfuscated) nobody is blocked from looking at the code and decide whether that "is"/"is not" malicious software. Or whether it has compatible license. Pre-compiled software is not human readable usually, similarly obfuscated code -- so that I meant by "binary". > I mean: what if I convert osgi.jar into a java file into a form of some > select statements? Would it heal your case? That sounds like obfuscation. If you converted the osgi.jar file into properly licensed SQL source code, that it would be probably fine :). > > Pavel sent you an approach. Except the testsuite issue? > > Yes. Without a testcase I cannot understand what that commit is trying > to accomplish. We try to move one dependency from 'hard' => 'optional', because that is hard-to-get-into-linux (the right way). But sounds fair, as I understand it right -- in Travis is something like Ubuntu environment, right? There should be easy to remove '*.jar' (which is redundant anyway) file to make such test. Thanks Vladimir for the answer, Pavel
В списке pgsql-jdbc по дате отправления:
Следующее
От: Álvaro Hernández TortosaДата:
Сообщение: Re: Step towards being able to build on Linux (Pull request #435)