incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <>
Subject Re: logo source files
Date Tue, 03 Apr 2012 20:04:24 GMT
On Tue, Apr 3, 2012 at 3:23 PM, Dennis E. Hamilton

> There's something that nags at me about logos and similar materials being
> part of the source-code release (that, I am told, is *the* release in terms
> of Apache principles).
> It is natural to have such artifacts in the SVN tree because it is
> convenient and it probably feels essential to have the released source-code
> be the precise source for the project-created binary distributions.
> On the other hand, while it is desirable for folks to be able to reproduce
> our build, and have access to the source that was used, that they would end
> up having something that can be claimed to be the authentic project-created
> binary distribution.  Yet it will appear indistinguishable from it.
If the MD5's match, who cares where it was built?  If the MD5's do not
match then they are distinguishable.  (For MD5's you could substitute code
signing for a more end-user friendly form of the same thing.)

> There is this odd hitch when binaries are built by someone else, even
> without modification, but without preservation of provenance and
> authenticity.  Yet they are not distinguished from "the real thing."
Ditto.  If the hashes match, then it is the "real thing", for all intents
and purposes.

> There is also the problem that, when someone modifies the source and the
> build, that the default is for the resulting binary to be
> indistinguishable, in terms of surface features and the presence of
> identifying information, from the project-created binary distribution.
Ditto.  In that case the hashes don't match so it would be distinguishable.

> I'm also not clear that logos and related artifacts qualify as open-source
> concerning the trademark issues.
> I don't know how to crack that strange entanglement.
Look at what Mozilla does, for example.  The default build options do not
include the project logos.

> I can see it working if it were considered that even our binary releases
> are downstream from the Apache release and have some essential
> customizations including being digitally signed and authenticated in other
> ways.  Then placeholders could appear in the released source for
> binary-distribution items (some other content being provided instead) that
> are to be provided/customized by any downstream producer, even ourselves.
> And then I can't figure out how the binary can be tied to the exact source
> it was produced from.
That is not really the issue, is it?  The issue is how a user can
distinguish an Apache release from something that is not an Apache
release.  The PMC is responsible for ensuring that the binary package was
derived from the source.

> Arghh.
> I keep thinking this must have been dealt with in the production of other
> user-facing binary distributions from open-source code releases.  Anyone
> have any pointers?
Mozilla is a good example.

Also, "Passport without a Visa" is a good article that describes some of
the considerations:


>  - Dennis
> -----Original Message-----
> From: Rob Weir []
> Sent: Tuesday, April 03, 2012 10:10
> To:
> Subject: Re: logo source files
> On Tue, Apr 3, 2012 at 4:00 AM, J├╝rgen Schmidt
> <>wrote:
> > On 4/3/12 9:41 AM, Kevin Grignon wrote:
> >
> >> @Drew
> >>
> >> Where do we keep the source files for the logos?
> >>
> >>
> > I would like to suggest that we should create a new place for this kind
> of
> > stuff besides trunk
> >
> >
> +1.  Getting it into SVN makes it easy to get to from the build and the
> website.
> > Juergen
> >

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message