Discussion:
3.1.2 NuGet package
Jorge, Tiago
2016-08-15 17:22:02 UTC
Hi,

Within DNV GL (the company I work for) we have used Xerces C++ in more than one of our software products.

Recently, members of our Software Tools and Products team have put together a NuGet package of Xerces-C++ 3.1.2 which works under MSVC 14 (Visual Studio 2015), as we found that one was not already available on www.nuget.org.

We are now wondering if Xerces-C++ devs are happy for us to upload this package to www.nuget.org and, if so, whether there are any specific guidelines we should follow or clauses to be aware of in order to do this (aside from clearly indicating the obvious bits, regarding who is the true author of the code and the license). The package is a simple build of the 3.1.2 sources, with no custom modifications to the source code, and as such we wish not to take any responsibility over maintenance of the NuGet package.

Please advise, and thank you in advance!

Kind regards,
Tiago



**************************************************************************************
This e-mail and any attachments thereto may contain confidential information and/or information protected by intellectual property rights for the exclusive attention of the intended addressees named above. If you have received this transmission in error, please immediately notify the sender by return e-mail and delete this message and its attachments. Unauthorized use, copying or further full or partial distribution of this e-mail or its contents is prohibited.
**************************************************************************************

---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-***@xerces.apache.org
For additional commands, e-mail: c-dev-***@xerces.apache.org
Cantor, Scott
2016-08-15 18:46:20 UTC
Post by Jorge, Tiago
We are now wondering if Xerces-C++ devs are happy for us to upload this
package to www.nuget.org and, if so, whether there are any specific
guidelines we should follow or clauses to be aware of in order to do this
(aside from clearly indicating the obvious bits, regarding who is the true
author of the code and the license). The package is a simple build of the 3.1.2
sources, with no custom modifications to the source code, and as such we
wish not to take any responsibility over maintenance of the NuGet package.
Speaking as the person who has done the last few releases, and not as a PMC member, can you clarify the last sentence?

If you're going to upload something like that, you would most certainly be taking responsibility for maintenance of such a package.

Basically, the licensing certainly permits you to do this, but you are the one supporting it, not the project. If somebody else on the project or in the community would like to support it, that's of course fine with me.

I'm not familiar with this site, but if I thought I could get all my project's dependencies to use it for Windows, I might be more open to the idea of maintaining this one there, but that's not likely to be the case, at least not soon.

-- Scott


Jorge, Tiago
2016-08-16 11:31:19 UTC
Hi Scott,

I understand your point.

Our intention is to specifically use this platform to deliver the Xerces-C++ 3.1.2 NuGet package that we have put together so that users of DNV GL - Energy software products can have access to it in a public and easily accessible repository. We would clearly indicate that the package has been put together with this specific goal in mind, and it is for this target audience that we would, indeed, be maintaining it.

We would naturally (as befits the open source spirit) be more than happy for other users to download and use the package in their own projects if they find that it works for them (and this should be the case, given that it has been built directly from unmodified sources).

This would all be clearly explained in the package's description to make users well aware of the use case for the package, and letting them know that they are completely welcome to use it if it works for them.

Please let me know your thoughts.

Thank you,
Tiago




Cantor, Scott
2016-08-16 14:17:46 UTC
Post by Jorge, Tiago
Our intention is to specifically use this platform to deliver the Xerces-C++
3.1.2 NuGet package that we have put together so that users of DNV GL -
Energy software products can have access to it in a public and easily
accessible repository. We would clearly indicate that the package has been
put together with this specific goal in mind, and it is for this target audience
that we would, indeed, be maintaining it.
Then I don't think anybody would have any objections (and even if they did, the license permits you to, so apart from courtesy (thanks), there's really nothing stopping you).

What I would caution you about is simply the security model around this. If somebody were to ask me to obtain a package like this from a source that I had no reason to trust, I would tell them they were crazy. To draw an analogy, people who use Maven Central as a source for artifacts but don't constrain the signers of the software they get from it are, well, let's say "ignorant of basic security practice".

Without authentication of the source of an artifact (not just authentication of an artifact, and that assumes you are in fact signing and people are in fact verifying that), you have no way to know what somebody might have done to the source.

But none of that really pertains to whether you *may* do this: you certainly may.

-- Scott
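
Editor's added example, not part of the thread and not configuration from either poster: a consumer-side `nuget.config` sketch of what "constraining the signers" can look like with NuGet's signed-package verification. The signer name, owner account and certificate fingerprints are placeholders (assumptions); a real fingerprint has to be obtained from the publisher over a channel you already trust.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
    <!-- Weak setting (the default): "accept" installs unsigned packages and
         packages signed by anyone, so a valid signature proves nothing about
         who built the binary.
         <add key="signatureValidationMode" value="accept" />
    -->
    <!-- Corrected setting: every package must be signed, and the signer must
         match an entry under trustedSigners below. -->
    <add key="signatureValidationMode" value="require" />
  </config>

  <trustedSigners>
    <!-- Author signature: pins the publisher's own signing certificate.
         Name and fingerprint are placeholders. -->
    <author name="ExamplePublisher">
      <certificate fingerprint="PLACEHOLDER_SHA256_FINGERPRINT_OF_PUBLISHER_CERT"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
    </author>

    <!-- Repository signature: trusts the gallery's countersignature only for
         packages uploaded by the listed owner account(s). Without <owners>,
         any package the repository has signed would be accepted. -->
    <repository name="nuget.org"
                serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="PLACEHOLDER_SHA256_FINGERPRINT_OF_REPOSITORY_CERT"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
      <owners>placeholder-owner-account</owners>
    </repository>
  </trustedSigners>
</configuration>
```

With `require` in place, a package from an unlisted signer fails to restore, which is the distinction drawn above between authenticating an artifact and authenticating its source.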

