Re: [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd pa

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd party dependency approval

From: Abel Muiño Vizcaino <amuino@xxxxxxxxx>
Date: Thu, 18 Dec 2008 22:04:17 +0100
Delivered-to: iam-dev@xxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=cc:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=fg8W3IZmH79nQ+MY+D1IAYeH8dzCs5wmcLF73pjeeRMCgafbKOkwjm9Q34HHOGC8Xs Hk5AkYZ5NyqSxLMrSBGNI0Vm1z0a/COlJmvkI3AHKQloitVJqXGx1QPVTEk5VS9CSfCQ WYX5CWF+60VCjVioewL1aZ67H8VKmBGB1TkWg=
List-archive: <https://dev.eclipse.org/mailman/private/iam-dev>
List-help: <mailto:iam-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/iam-dev>, <mailto:iam-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/iam-dev>, <mailto:iam-dev-request@eclipse.org?subject=unsubscribe>

Hello Wayne,

El 18/12/2008, a las 17:09, Wayne Beaton wrote:

Hi Abel.
It sounds to me like the "central Maven repository" is a potential"exempt pre-requisite". Which means that IAM should be able toinclude some knowledge of how to find and access that respository.Ultimately, we'll need to get EMO approval on that.


That would be a manageable solution if approved by the EMO.

Further, my sense is that by adding a link to another repository (orhowever it is that you do this sort of thing), the user is givingIAM explicit permission to access the archetypes available from thatrepository.


I agree with that.

Other artifacts downloaded by maven would fall in the same category(the user enters the information to locate them or otherwise requeststheir use, so he is allowing IAM to work on his behalf).

FWIW, it's true that p2 can be used to install arbitrary thingswithout the user's consent. However, that's not how it *is* beingused (or rather how it should be used by an Eclipse project). Acompany could take p2 and use it as part of their project to installwhatever they want; this would be an issue between that company andtheir end users.

Of course do not support or encourage installing anything without theuser consent. It was my perception that by providing the informationto identify the archetype/artifact the user was already allowingaccess. You summarized it perfectly above.

Does this make sense/help?

Sure. I think these can solve all the IP concerns being addressed andcan be managed by the IAM team. Thank you very much!

We only need EMO approval regarding the maven central repository. Howshall we proceed with this task?

Wayne

Abel Muiño Vizcaino wrote:
Hello Wayne,

El 12/12/2008, a las 19:58, Wayne Beaton escribió:
Does the user enter the URL for the Archetype, or is the URLsomehow embedded in the software?
If the URLs are provided by the user, then there should be noproblem.
It is a bit complicated... there is not such thing as "the URL".The user only declares the archetype to use. That declaration isthen looked up in an artifact repository (by default maven centralrepository, but it is considered good practice to use a corporate"mirror"). The actual repository used depends on a set of rules setby the end user.
I've been thinking that writing an overview of how IAM/mavenoperates and relate that to the policy for 3rd party dependencies (http://www.eclipse.org/org/documents/Eclipse_Policy_and_Procedure_for_3rd_Party_Dependencies_Final.pdf) could help us moving forward. What do you think?
If the IAM project contains built-in URLs to existingrepositories, then we'll need a works-with CQ (probably one foreach URL, but this may require additional thought). We'll have toget EMO agreement.
It should not be a problem from our side if it is limited to theurl or the maven central repository. However, as noted above, thatrepository might not be used at all (and as stated previously, itis impossible to review every possible artifact in a mavenrepository).
In either case, the download needs to be obvious. We need IAM toshow a dialog saying something to the effect of "you're about todownload some code not vetted by the Eclipse IP process" orsomething to that effect (it might be enough to say that the codeis "external"). If the thing being downloaded has a licenseattached to it, the user needs to be given an explicit opportunityto view and accept that license.
Technically, that can be done, although I'm very worried about theresulting user experience. What would you consider "obvious"?Showing the download progress? A note on the user interface?
FWIW, Buckminster and P2 both do this.
No attack intended on any of these projects.
But we use the P2 director (headless) application to assemble outtarget platform (installing EPL'ed and non EPL'ed bundles) and itdoes not show any license agreement.
And I strongly believe that this is the right thing to do (from anend-user point of view, I've explicitly declared what I want touse, so I know what I'm getting into).
_______________________________________________
iam-dev mailing list
iam-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/iam-dev

References:
- [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd party dependency approval
  - From: Wayne Beaton
- [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd party dependency approval
  - From: Abel Muiño Vizcaino
- Re: [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd party dependency approval
  - From: Wayne Beaton

Prev by Date: Re: [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd party dependency approval
Next by Date: Re: [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd party dependency approval
Previous by thread: Re: [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd party dependency approval
Next by thread: [iam-dev] Next release?
Index(es):
- Date
- Thread

Breadcrumbs