www-community mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Leo Simons <leosim...@apache.org>
Subject Re: [proposal] daedalus jar repository (was: primary distribution location)
Date Tue, 25 Feb 2003 19:44:50 GMT
Noel J. Bergman wrote:

>>all PMCs whose committers 'commit' to the repository should maintain
>>some oversight.
>>    
>>
>Infrastructure hasn't considered that a good model for the Wiki, and I don't
>know that it would work any better for the repository.  Someone needs to
>take responsibility for the oversight.
>
they _have_ accepted this as a model for distribution management. The 
wiki is a very different topic.
The www.apache.org/dist/ setup is something 'conventional', with a 
filesystem and permission
management and SSH encryption and stuff. It is tried and tested, and 
perfectly secure (to the extend
daedalus itself is secure).

>>I'm not suggesting we place non-ASF jars online, which
>>simplifies license issues rather by a large amount.
>>    
>>
>Yes, that does.  But I am expecting that people will want common things like
>JUnit,
>
AIUI, there is currently a "no" on the ASF providing a redistribution 
point for things like JUnit in the
style of a maven repository. At least not a definitive "yes".

> which I understand to be acceptable so long as the IBM license is
>there.
>
IANAL, but I understand the same thing ;)

>Once the binary distinction of ASF v non-ASF is dropped, then the
>simplicity of it being OK because it is all ASF-licensed code turns into the
>policing scenario that Maven is currently practicing, through Dion Gillard.
>
yep. So don't drop the binary until you have a) policy, b) desire and c) 
an ok to make apache into
a redistribution point of third-party software. Just b) doesn't cut it.

>But using the repository to hold third party jars for which the ASF has
>specifically ascertained appropriate license rights exist seems to be what
>gives us the most bang, because it is the third party libraries that are the
>most potentially time consuming and "risky".  Rather than each project have
>to deal with each third party jar, using the repository for that purpose
>would both share the burden of acquiring suitable license rights, and
>ensuring that they were acquired.
>
www.apache.org/dist is the authoritive place for distribution of apache 
software. It is _not_ currently
intended for redistribution, authoritive or not, of "ASF-endorsed" or 
"ASF-acceptable" software. Quite
binary, yes (ant it is not something I made up, but what I took away 
from comments from Dirk or
someone else entitled to make "official" statements).

Changing this setup is something to be done only very cautiously after 
consulting with the projects
that mirror our stuff and answering lots of other questions. I can see 
the argument as to why we would
want to do such a thing, but I think it is best to hold this off for at 
least a month or two even if we were
to decide to do it. Slow & controlled evolution :D

>So, yes, the ASF-only distinction simplifies repository policing, but using
>it as the central location for authorized third party jars simplifies
>overall policing of third party license issues for the ASF as a whole.
>
Licensing policy is quite tricky and lots of things need to be done 
before the ASF should even consider
setting up a centralized easily user-accesible distribution point of 
materials not copyrighted by the ASF
that can be called "authoritive" either by definition or default. For 
example, the docs started at
http://nagoya.apache.org/wiki/apachewiki.cgi?Licensing should be made 
into an authoritive source on
www.apache.org that unambiguously answers "yes" or "no" with regard to

"can we link to software under license X?",
"can we redistribute software under license X in source form and/or 
binary form?",
"how do we provide these licenses when we redistribute or link to 
software under license X?",
"what other steps doe we take when we redistribute or link to software 
under license X?"

and similar questions, so it is crystal clear what we can and cannot 
include and policy can be formulated
and applied. Something like
http://www.fsf.org/licenses/license-list.html#SoftwareLicenses for the 
ASL. Until these answers exist and
are well-known throughout the community and relevant PMCs, we need to be 
as conservative as possible.
Not sure if your project can distribute JUnit? Then don't, even if that 
makes life terribly inconvenient.
Want to be sure? Ask the board to pour resources into getting answers. 
But we need to be sure before
we act. I'm sure it is okay for the ASF to distribute jars from its own 
hardware based on its own
sourcecode under its own license. Yes, binary, but it is the best first 
step and it solves a real need.

cheers!

- Leo



---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org


Mime
View raw message