Mailing-List: contact general-help@incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: general@incubator.apache.org
Received-SPF: pass (nike.apache.org: domain of jukka.zitting@gmail.com
 designates 209.85.212.47 as permitted sender)
MIME-Version: 1.0
In-Reply-To: <006d01cd83be$a3689f20$ea39dd60$@apache.org>
References: 
 <CAP-ksogNw3hy0RrUOBELkShLrdABb5Vhz6Uw6cp-8KFsFTJMNg@mail.gmail.com>
 <CAP-ksohHWp4YuCmo32=k0MhnDUON-Dhf2ZBrQaUDq42a9asuCw@mail.gmail.com>
 <CAAS6=7jtBppzByUm8+TsVRDocoGMtKU3X854P-HdxrUHLC-JkQ@mail.gmail.com>
 <1345500234.7229.10.camel@sybil-gnome>
 <CAAS6=7jMkQyJrHbkPRON9HBmg8bYH56jJkQYrmNnm6ViRTs5kA@mail.gmail.com>
 <1345510775.7229.29.camel@sybil-gnome>
 <00dc01cd7f3f$55498080$ffdc8180$@apache.org>
 <006d01cd83be$a3689f20$ea39dd60$@apache.org>
From: Jukka Zitting <jukka.zitting@gmail.com>
Date: Mon, 27 Aug 2012 12:15:03 +0200
Message-ID: 
 <CAOFYJNYGpK12jK9BBU7NG3i0RtcXTY7ypYPBD7kbB0TG8JwKag@mail.gmail.com>
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
To: general <general@incubator.apache.org>
Content-Type: text/plain; charset=ISO-8859-1

Hi,

I'm jumping in late to this discussion after returning from vacation.
To summarize my understanding:

* As Joe says, there's no problem with current OpenOffice releases.
* The project is looking for ways to produce "blessed binaries" as a
part of future releases, and has been working with the relevant
parties (infra, legal, etc.) on the implications.
* I trust that the project is capable of continuing that work and
abiding with whatever conclusion also as after graduation.

Thus I don't see this as a blocker for graduation.

Also below my answer's to some of Dennis' questions:

On Sun, Aug 26, 2012 at 9:11 PM, Dennis E. Hamilton <orcmid@apache.org> wrote:
> 3. AVAILABILITY OF SOURCE FOR INSPECTION, AUDIT, AND PROVENANCE
>
> On this thread, the importance of having source code available has been stated
> as a strong requirement.  As far as I can tell, this is a requirement for IP provenance
> more than anything else.

It goes way deeper than IP provenance. If you don't release the
source, you're not doing open source [1].

> Of course, the good-faith reliance on upstream sources always comes to bear, even for
> source-code contributions.  But having access to all source is reported by some as being
> essential for ASF releases and that is tied to the notion that the source code is the
> release. (This is despite specific provision in the treatment of licenses for distributing
> certain binary artifacts in order to avoid license confusion.)

That confusion is nicely resolved by the recent clarification that
such binary dependencies are to be separately downloaded and not
included in our source releases.

> I don't have any clarity on this.  I know that it would be a serious burden to some projects
> if there were restriction to authenticated builds for open-source platforms only and/or
> restriction to exclusively open-source libraries for other dependencies not satisfied by
> the platform itself.

The software we (i.e. the ASF) release must be in source form ("source
materials needed to make changes to the software" [2]), but building
and using a release may well require differently licensed and possibly
binary-only dependencies or a platform [3]. Distributing the result of
building a source release is also fine as long as the licenses of all
the included bits allow redistribution.

> To the extent that the requirement is for more than IP provenance and license
> reconciliation, I am not clear who is being held to account for any deeper scrutiny
> than that.  Are the PMC votes for a release expected to establish some sort of
> serious attestation concerning the nature of the source?

Yes.

> Instead, is the requirement of specific source-code availability instead a requirement
> for potential forensic requirements later in the lifecycle of a release?

No, without source code there by definition can be no release.

> Can this be satisfied without the source be in the release, by whatever arrangement
> and assurance that could be made to ensure its availability whenever needed?

No. Note that this does not mean that a binary artifact produced from
the sources would need to include the source code, just that all the
source code needed to produce the intended binary artifacts must be
included in a release.

[1] http://opensource.org/docs/OSD#include-source-code
[2] http://www.apache.org/dev/release.html#what
[3] http://www.apache.org/legal/

BR,

Jukka Zitting

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org