[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [jakarta.ee-spec.committee] [External] : Re: Question from Platform TCK team about publishing TCKs to Maven
|
Fair enough. If there is time, I can introduce it, or we can just
schedule it for a future meeting.
On 3/20/2024 8:02 AM, Paul Buck wrote:
Hi Ed,
It is too late to be adding complex topics to the agenda.
In the call today, if time permits, we can have a discussion
to raise everyone's understanding of these topics.
Paul,
The Platform team asked me to raise these questions for
discussion
at the Spec. committee today.
In the EE Platform team meeting, Scott Marlow raised the
question: is it
allowed for TCKs to be published as Maven artifacts. If so,
what
licensing considerations apply?
It is my recollection that, currently, the only normative
location to
obtain TCKs is the Spec. committee download. We generate and
use SHA-256
hash codes as well as SIG hash that can only be generated by
the Spec.
committee. If a TCK replica were to be placed somewhere else,
so long as
the SHA and SIG codes are valid, we do not have any ability to
verify
the lineage of the artifact that was ultimately used.
Therefore, if the
identical artifact posted to the Specification Download
location were
also posted to Maven, we could not, in any way practical, tell
the
difference.
A simple proposal might be to simply require that the official
TCKs be
published via the specification download, the specification
hashes be
generated and recorded-- and then allow alternate download
locations
(e.g. a Maven Artifact) -- so long as the SHA and SIG sums are
valid the
TCK is allowed for CCR validation.
I am not aware of the nuances that might apply to posting
Milestone
releases. May these can be posted as the team likes, but if
they are
preliminary, what restrictions should be placed on them and/or
is there
any other detail the teams should be concerned with.
Their second question is - what licensing is required for
Milestone
releases? May non-final artifact include the EFTL or must EFTL
only be
included on final artifacts. Needless to say, it would be
easier for the
development teams if the TCKs can be dual-licensed in all
cases (EFTL +
EPL) -- CCRs, EFTL must be the chosen license. (As background,
we had
previously investigated and determined that EFTL is a valid
license for
Maven. The dual license is needed to allow use by teams that
need to use
the TCK on the project license terms, and not for
compatibility
certification).