Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jakarta.ee-spec.committee] [External] : Re: Question from Platform TCK team about publishing TCKs to Maven

Fair enough. If there is time, I can introduce it, or we can just schedule it for a future meeting.

On 3/20/2024 8:02 AM, Paul Buck wrote:

Hi Ed,

It is too late to be adding complex topics to the agenda. In the call today, if time permits, we can have a discussion to raise everyone's understanding of these topics. 

Thanks ... Paul


On Wed, Mar 20, 2024 at 6:55 AM Ed Bratt <ed.bratt@xxxxxxxxxx> wrote:
Paul, The Platform team asked me to raise these questions for discussion
at the Spec. committee today.

In the EE Platform team meeting, Scott Marlow raised the question: is it
allowed for TCKs to be published as Maven artifacts. If so, what
licensing considerations apply?

It is my recollection that, currently, the only normative location to
obtain TCKs is the Spec. committee download. We generate and use SHA-256
hash codes as well as SIG hash that can only be generated by the Spec.
committee. If a TCK replica were to be placed somewhere else, so long as
the SHA and SIG codes are valid, we do not have any ability to verify
the lineage of the artifact that was ultimately used. Therefore, if the
identical artifact posted to the Specification Download location were
also posted to Maven, we could not, in any way practical, tell the
difference.

A simple proposal might be to simply require that the official TCKs be
published via the specification download, the specification hashes be
generated and recorded-- and then allow alternate download locations
(e.g. a Maven Artifact) -- so long as the SHA and SIG sums are valid the
TCK is allowed for CCR validation.

I am not aware of the nuances that might apply to posting Milestone
releases. May these can be posted as the team likes, but if they are
preliminary, what restrictions should be placed on them and/or is there
any other detail the teams should be concerned with.

Their second question is - what licensing is required for Milestone
releases? May non-final artifact include the EFTL or must EFTL only be
included on final artifacts. Needless to say, it would be easier for the
development teams if the TCKs can be dual-licensed in all cases (EFTL +
EPL) -- CCRs, EFTL must be the chosen license. (As background, we had
previously investigated and determined that EFTL is a valid license for
Maven. The dual license is needed to allow use by teams that need to use
the TCK on the project license terms, and not for compatibility
certification).


Back to the top