On Apr 30, 2013, at 11:39 PM, Henri Yandell wrote:

Taking a stab at the clear policy, I'd propose adding this to resolved.html:

"Source distributions must not contain binaries <quiet>(but let's not discuss binaries that are not enforced like http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/icons/)</quiet>. It's fine to have the user run a script to download binaries after they have downloaded the source <quiet>(such as download-binaries-from-svn-tag.sh, or perhaps when first running the application)</quiet>. "

Either it's not clear to me, or the current policy is really just a vision towards a policy.

Hen

FWIW, I meant the binary object forms of compiled source code.
That is what "binaries" means to me.

If you think binaries means "anything other than text formats",
then we are mis-communicating.  I don't know why you would think
that, given character encodings for text are just another
form of binary encoding, but it might be an age thing.

Apache releases also contain generated scripts (where
the source for those generated scripts is also included) and
assorted other things that don't pose a security risk to
recipients.  The policies are: (1) we only release open source
that can be distributed under the terms of the Apache License,
and the PMC release votes are based on individually (2) inspecting
the source package to ensure that it can be used to build the
Apache product and corresponds to some version of the source
that the PMC is maintaining in our version control system(s)
and (3) verifying that the contents are believed to be safe/legal
for us to distribute.

....Roy