incubator-ooo-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: Category-B tarballs in SVN (was Re: External libraries)
Date Thu, 12 Jan 2012 18:36:05 GMT
On Thu, Jan 12, 2012 at 1:12 PM, Pedro Giffuni <pfg@apache.org> wrote:
>
> --- Thu 12/1/12, Rob Weir <robweir@apache.org> wrote:
> ...
>> >
>> > I hate to make developer's life difficult but, from
>> > what is known, no Apache Project seems to be carrying
>> > Category B software in their repositories (feel free
>> > to prove me wrong). Not that it's a new problem, just
>> > something we will have to think about.
>> >
>>
>> It is a service to downstream consumers.  Just as we
>> aggregate licenses and notices to make it easier for
>> them, we also aggregate the optional category-b code
>> tarballs.
>>
>
> It is actually a disservice. Some of those tarballs are
> obsolete and carry known security risks.
>

Whether we have such tarballs in SVN or whether we have our build
scripts point to an externally hosted tarball of the same version, the
security issue is the same, and orthogonal. However we access the
files, we are responsible for ensuring the end product is secure.


>> Also, the MPL license requires that we make our modified
>> files available electronically for 12 months.
>
> Thank you for pointing this out.
> This sounds pretty much unacceptable for Apache policies
> and a good reason to avoid carrying such code in our
> repository.
>

I don't see the issue here.  Can you point me to what Apache policy is
violated here?  Or argue how a downstream consumer of our releases will
be harmed or confused by this?

>>
>> So I don't see a problem here, so long as we:
>>
>
> I do see a problem and unless some higher power from
> legal@ OKs it, my vote for a release or project
> graduation will be -1 (binding), on the basis that
> if we do this once we will likely be perpetuating
> such practice in all releases.
>

We already had this discussion before.  My impression was it was
resolved. See:  http://markmail.org/message/2o42tzsw24z5znst

In any case, there are no vetos on release votes.

> Pedro.
>
