incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: Category-B tarballs in SVN (was Re: External libraries)
Date Fri, 13 Jan 2012 17:38:49 GMT
On Fri, Jan 13, 2012 at 12:31 PM, Ross Gardler
<rgardler@opendirective.com> wrote:
> On 13 January 2012 16:28, Rob Weir <robweir@apache.org> wrote:
>> On Fri, Jan 13, 2012 at 11:15 AM, Ross Gardler
>> <rgardler@opendirective.com> wrote:
>>> Sent from my mobile device, please forgive errors and brevity.
>>> On Jan 13, 2012 4:02 PM, "Andre Fischer" <af@a-w-f.de> wrote:
>>>>
>>>>
>>>> On 13.01.2012 16:25, Ross Gardler wrote:
>>>>>
>>>>> For what it is worth, I agree with Joe here. The question is whether
>>> there
>>>>> is a valid reason to keep them here.
>>>>
>>>>
>>>> I don't know if the reasons are valid.  We are trying to find a
>>> pragmatical solution that is a good compromise for the different
>>> requirements of the ASF, the OpenOffice developers/community, and the
>>> OpenOffice users:
>>>>
>>>> - For the ASF we use no code under category X license and try to use as
>>> little code under category B license.
>>>>
>>>> - For the users we want to retain as many features as possible.
>>>>
>>>> - For the developers we want to make development as accessible as
>>> possible.
>>>>
>>>
>>> Why is it necessary to include source rather than just binaries?
>>>
>>
>> With C/C++ code, binaries are built from source, and the source has to
>> come from somewhere.  If there is a need to fix a security problem, we
>> need ready access to the source.  The binaries alone would not be
>> sufficient.
>
> This is a modification of the code, which I was told earlier in this
> thread was not the case we were discussing. Is this a hypothetical or
> an actual situation? Why can't this situation be managed via the
> upstream project?
>
>> Also look at this from the perspective of a downstream consumer who is
>> porting the product to another platform.  The binaries would be of
>> zero use to them,since the binaries would not be compiled for their
>> platform.  But having the source archives for the dependencies readily
>> available, that is exactly what a porter would need.
>
> Why does the source have to come from AOO?
>

You are trying to argue the necessity point.  I'm not.  That is a red
herring.  There is no necessity that we make things easier for
downstream consumers, that we react quickly to security issues, that
we maintain the code in a way that buffers us from changing URL's,
moving and canceled projects.  None of this is required.  But I think
it is a very good idea.  I'm arguing common sense and engineering
prudence.

Remember, not every other open source project in the world practices
best practices with regards to hosting their source artifacts at
stable URL's, of maintaining prior versions indefinitely, of securing
their servers so no one hacks into them and changes source code, etc.
I'm arguing that this is a good thing, a service to downstream
consumers and is compatible with all Apache policies and the
principles behind them.  Arguing whether or not it is necessary in a
cosmic sense is not useful.  It is not necessary that this podling
even exist.

> Ross

Mime
View raw message