incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <>
Subject Treatment of category-b source tarballs (was Re: [PROPOSAL] Starting the graduation process)
Date Tue, 29 May 2012 23:10:29 GMT
On Tue, May 29, 2012 at 6:56 PM, Pedro Giffuni <> wrote:
> Hi Dave;
> --- Mar 29/5/12, Dave Fisher <> ha scritto:
> ...
>> There are issues with these embedded convenience packages.
>> (1) Some are Category B. An issue to some more than others.
>> (2) Some are patched versions of existing open-source
>> packages. We should attempt to push these upstream. The
>> COINMP patch looks trivial. We may need to have special
>> builds, but we should be avoiding and removing.
>> (3) Some are specific versions of open-source packages. We
>> should try to get official distributions and use a version
>> at Apache Extras as a known version.
>> (4) Some are versions of Apache open-source packages. We
>> should use the appropriate release or archive from the
>> project.
>> ext_sources dave$ ls -1
>> 0168229624cfac409e766913506961a8-ucpp-1.3.2.tar.gz
>> 067201ea8b126597670b5eff72e1f66c-mythes-1.2.0.tar.gz
>> 0b49ede71c21c0599b0cc19b353a6cb3-README_apache-commons.txt
>> 128cfc86ed5953e57fe0f5ae98b62c2e-libtextcat-2.2.tar.gz
>> 1756c4fa6c616ae15973c104cd8cb256-Adobe-Core35_AFMs-314.tar.gz
>> 18f577b374d60b3c760a3a3350407632-STLport-4.5.tar.gz
>> 1f24ab1d39f4a51faf22244c94a6203f-xmlsec1-1.2.14.tar.gz
>> 220035f111ea045a51e290906025e8b5-libpng-1.5.1.tar.gz
>> 24be19595acad0a2cae931af77a0148a-LICENSE_source-
>> 284e768eeda0e2898b0d5bf7e26a016e-raptor-1.4.18.tar.gz
>> 2ae988b339daec234019a7066f96733e-commons-lang-2.3-src.tar.gz
>> 2b5f1ca58d6ef30f18f1415b65bed81c-CoinMP-1.6.0.tgz
>> 2c9b0f83ed5890af02c0df1c1776f39b-commons-httpclient-3.1-src.tar.gz
>> 2f6ecca935948f7db92d925d88d0d078-icu4c-4_0_1-src.tgz
>> 377a60170e5185eb63d3ed2fae98e621-README_silgraphite-2.3.1.txt
>> 3b179ed18f65c43141528aa6d2440db4-serf-1.0.0.tar.bz2
>> 3c219630e4302863a9a83d0efde889db-commons-logging-1.1.1-src.tar.gz
>> 48470d662650c3c074e1c3fabbc67bbd-README_source-
>> 48a9f787f43a09c0a9b7b00cd1fddbbf-hyphen-2.7.1.tar.gz
>> 48d8169acc35f97e05d8dcdfd45be7f2-lucene-2.3.2.tar.gz
>> 61f59e4110781cbe66b46449eadac231-croscorefonts-1.21.0.tar.gz
>> 63ddc5116488985e820075e65fbe6aa4-openssl-0.9.8o.tar.gz
>> 666a5d56098a9debf998510e304c8095-apr-util-1.4.1.tar.gz
>> 68dd2e8253d9a7930e9fd50e2d7220d0-hunspell-1.2.9.tar.gz
>> 7376930b0d3f3d77a685d94c4a3acda8-STLport-4.5-0119.tar.gz
>> 7740a8ec23878a2f50120e1faa2730f2-libxml2-2.7.6.tar.gz
>> 7e4e73c21f031d5a4c93c128baf7fd75-apache-tomcat-5.5.35-src.tar.gz
>> 97262fe54dddaf583eaaee3497a426e1-apr-1.4.5.tar.gz
>> a169ab152209200a7bad29a275cb0333-seamonkey-1.1.14.source.tar.gz
>> a2c10c04f396a9ce72894beb18b4e1f9-jpeg-8c.tar.gz
>> af3c3acf618de6108d65fcdc92b492e1-commons-codec-1.3-src.tar.gz
>> b92261a5679276c400555004937af965-nss-3.12.6-with-nspr-4.8.4.tar.gz
>> bc702168a2af16869201dbe91e46ae48-LICENSE_Python-2.6.1
>> c441926f3a552ed3e5b274b62e86af16-STLport-4.0.tar.gz
>> c735eab2d659a96e5a594c9e8541ad63-zlib-1.2.5.tar.gz
>> ca66e26082cab8bb817185a116db809b-redland-1.0.8.tar.gz
>> cf8a6967f7de535ae257fa411c98eb88-mdds_0.3.0.tar.bz2
>> d35724900f6a4105550293686688bbb3-silgraphite-2.3.1.tar.gz
>> e61d0364a30146aaa3001296f853b2b9-libxslt-1.1.26.tar.gz
>> e81c2f0953aa60f8062c05a4673f2be0-Python-2.6.1.tar.bz2
>> ea570af93c284aa9e5621cd563f54f4d-bsh-2.0b1-src.tar.gz
>> ea91f2fb4212a21d708aced277e6e85a-vigra1.4.0.tar.gz
>> ecb2e37e45c9933e2a963cabe03670ab-curl-7.19.7.tar.gz
>> ee8b492592568805593f81f8cdf2a04c-expat-2.0.1.tar.gz
>> fca8706f2c4619e2fa3f8f42f8fc1e9d-rasqal-0.9.16.tar.gz
>> fcc6df1160753d0b8c835d17fdeeb0a7-boost_1_39_0.tar.gz
>> fdb27bfe2dbe2e7b57ae194d9bf36bab-SampleICC-1.3.2.tar.gz
>> Do we seriously need to carry our own version of Python
>> 2.6.1? Aren't the Adobe Base 35 AFMs good for all. There
>> must be a common location.
> FreeBSD and most linux distributions have been moving
> towards using prepackaged versions of this stuff when
> possible. I have been updating some of these packages
> attempting not to break the API but I am far from over.
> The main reason why we don't just use prepackaged stuff
> for everything and throw stuff like python 2.6.1 away
> is that it is not practical for windows (which is
> the major platform). Our python is severely patched
> for other palforms and those patches have taken a lot
> of time to update even for a minor version update.
> The problem with Category B is that according to
> Apache Policies we shouldn't be carrying the sources

The policy I know of says that for category-b, "additional action is
warranted in order to minimize the chance that a user of an Apache
product will create a derivative work of a reciprocally-licensed
portion of an Apache product without being aware of the applicable

We accomplish this goal by putting these components in MD5-hashed
tarballs, that must be downloaded separately and are only downloaded
when the developer overrides the default build options.

The policy then says, "By including only the object/binary form, there
is less exposed surface area of the third-party work from which a work
might be derived; this addresses the second guiding principle of this
policy. By attaching a prominent label to the distribution and
requiring an explicit action by the user to get the
reciprocally-licensed source, users are less likely to be unaware of
restrictions significantly different from those of the Apache

Again we satisfy this by not including the category-b components in
our source distributions and requiring an explicit action (overriding
default build flags) for the developer to get the category-b source

> but instead we should carry links to the sources in
> the NOTICE file. For 3.4 we didn't comply
> (embarrassingly the COIN-OR guys noted this!).

To be precise they noticed that our NOTICE file did not contain a link
to their download site.   They did not express any concern that we had
a source tarball checked into our repository.

> The idea is that we should be using unmodified binaries
> so carrying fonts and java bytecode would be OK, but
> carrying tarballs with sources was not really intended.
> In the case of NSS and Seamonkey, our versions are
> way too outdated: I think the Seamonkey version we
> carry is not even available online anymore and
> there are known security risks.
> Pedro.

View raw message