geronimo-dev mailing list archives

From Dirk-Willem van Gulik <>
Subject Re: Dedicated maven repo
Date Wed, 30 Mar 2005 10:57:08 GMT

On Tue, 29 Mar 2005, Alan D. Cabrera wrote:

> > With the new infrastructure it may be possible to locate this at the
> > ASF in the project's zone. However, as I understand ASF policy they do
> > not allow the standalone distribution of non-ASF code (e.g. a Jetty
> > archive even though it is AL-2.0).
> Do we know this for a fact?  If it's true, this strikes me as a really,
> really, silly policy.

The ASF is accountable for anything it publishes or releases from its site.


->	we ensure that any bit or byte in a tarball we distribute comes
	from our cvs/subversion repository. The only way to
	get something in those repo's is by having a CLA, a
	software-grant on file or a documented exception
	to import alien code - along with its license and
	then track that from thereon as such.

	please report exceptions and things slipping through the
	crack to the pmc :-)

->	we ensure that any release is something backed by the committer
	community as a whole, reviewed, had oversight and was properly
	released and that this is well documented.

	It certainly is never the product of just one person.

->	we ensure that any and all releases are _always_ released from
	an ASF machine. That it is the ASF which publishes. No matter
	how often it is mirrored or copied from thereon.

That way we ensure that if any claim comes in

->	the ASF was the only publisher; so the party has to
	come to (just) the ASF; and if they go to the
	developer we can easily make clear that they should
	come to us (first).

->	we have control; i.e. we can (temporarily) pull the tarball
	while we investigate. And thus are not worried about
	things such as willful infringement or the cooperation
	of sysadmins and their bosses far away.

->	the ASF was the publisher - so individual committers who
	followed procedure and their CLA are protected against
	the complaining party (and if they did not follow procedure
	then in virtually most cases that is something
	the ASF needs to resolve with the committer)

The result of this is that

->	we want PMC's to release code following (their)
	procedure and maintain proper oversight.

->	we want ASF controlled environments from which
	the releases are released.

->	anything else is not a 'release of the ASF'
	and that should be extremely clear to the
	hapless downloader.

This does not per se preclude the ASF from allowing non-ASF code to be
distributed from ASF environments. However we do try to avoid it as it
dilutes our message. Ideally we want to say 'anything you download from
here is under the ASF license and has peer review and the full backing of
the ASF community'.

While not encouraged -do- feel free to propose a structure in which this
is possible; which has URLs and webpages clearly denoting the status of
the alien code, etc.

