hit send too early...

On 30 May 2014 14:52, Stephen Connolly <stephen.alan.connolly@gmail.com> wrote:

Well I have not seen anyone address my sp= ecific point with regard to separating the concerns w.r.t. voting.

We vote on releases for legal and social reasons.
=
The legal reasons mandate that we need to download the archi= ve and verify that it is something we can legally ship. There are a set of = criteria with regards to shipping. Some of these criteria are things like:<= /div>

* Does it include the LICENSE an NOTICE files
*=C2=A0All the source code of the project must be covered by the Apache Li= cense, version 2.0.
* The license must be included in each source= file.=C2=A0

* Has the code been contributed by an individual covered by an appropr= iate contributor license agreement, or have otherwise been licensed to the = Foundation and passed through IP clearance.
* Are bundled 3rd par= ty dependencies compatible with the Apache License, version 2.0.

The social reasons pressure us to download the archive = and check that it builds and check that any included tests pass and check s= ome relevant smoke tests.

From my PoV - as a PMC c= hair [1] - the legal requirements are what matter to most to me, as I am re= sponsible for compliance with the legal requirements...=C2=A0

The social requirements are something that can and shou= ld be easily replaced by a CI system.

=C2=A0

The final question is then how thorough do we have to b= e in checking the legal stuff.

So let's take the bits that we know

=C2= =A0

* Does it include the LICENSE an NOTICE files

RAT will check this... so simple and quick (if there is a RA= T configuration in the project)

*=C2=A0All the source code of the project must be cover= ed by the Apache License, version 2.0.

RAT will ch= eck this... so simple and quick (if there is a RAT configuration in the pro= ject)

* The license must be included in each source file.=C2= =A0

RAT will check this... so simple and quick (if= there is a RAT configuration in the project)

* Ha= s the code been contributed by an individual covered by an appropriate cont= ributor license agreement, or have otherwise been licensed to the Foundatio= n and passed through IP clearance.

Here things get wooly. If all the files came via source= control and the commited-by info is ASF committers then I can safely assum= e that the code has been "contributed by an individual covered by an a= ppropriate contributor license agreement" *but* for big commits I don&= #39;t know if those committers were sticking to the rules or just committin= g a big pull request / patch submitted without the required IP clearance.

If I have been watching the commits list, I should have= a handle on these things... but can everyone honestly say they have never = just wiped their inbox clean when they got back from a 2 week vacation?

Also if we are being strict in the legal sense, it'= s not just the commits since the last release... its the code since the sta= rt of time.

It is this check that I likened to the= QA of a batch of toys...

* Are bundled 3rd party dependencies compatible with th= e Apache License, version 2.0.

Should be eas= y to check in those cases where you cannot automate... the 3rd party depend= encies should be small in number and not subject to major deltas from the l= ast release

=C2=A0

=
[1]:=C2=A0http://www.apache.org/dev/release-publishing.html says
=C2=A0 =C2=A0 The PMC in general, and the PMC chair in particular = (as an officer of the Foundation) is responsible for compliance with requir= ements.

=
On 30 May 2014 14:25, Jim Jagielski <jim@jagunet.= com> wrote:

Who says that we can't... in fact, we should. We should
use technology as much as we can. But CI does not
remove the need for reviewing/vetting/verifying
the release as we do (and should).

It appears to me that many people are arguing that
the existance of CI obliviates the need to perform
the release process (eg: 3 +1s, 72 hour wait, etc)...
That is the issue we are trying to clear up.

On Fri, May 30, 2014 at 03:04:17PM +0200, Jacques Le Roux wrote:
> I'm curious, why not having both?
>
> 1) A CI tool to ease things
> 2) To continue to review releases as it's done now
>
> Jacques
>
> Le 30/05/2014 14:22, Jim Jagielski a ?crit :
> >The Board expects the PMC to do its job, and the
> >Board expects the PMC Chair to do his/her job.
> >
> >If they don't, the board acts; and, as has been said
> >many times, the board is not a surgical scalpel; it
> >is a hammer.
> >

> >On May 30, 2014, at 8:09 AM, Emmanuel L?charny <elecharny@gmail.com> wrote:
> >
> >>Le 29/05/2014 17:47, Jim Jagielski a ?crit :

> >>>On May 29, 2014, at 11:28 AM, Emmanuel L?charny <= elecharny@gmail.co= m>

> >>>wrote:
> >>>
> >>>>Le 29/05/2014 15:56, Jim Jagielski a ?crit :
> >>>>>I disagree. And until the policy is changed, PMCs = and
> >>>>>RMs are expected and *required* to comply.
> >>>>Yes, but actually, most f the PMCs and RMs *aren't= * Like it or not.
> >>>>
> >>>>...
> >>>>And, yes, it's probably a good idea to fix the pol= icy if it can't be
> >>>>enforced.
> >>>>
> >>>To be clear: If it is found out that there are "relea= ses" out
> >>>there that really aren't releases, the board will tell= the
> >>>PMC to:
> >>>
> >>> =C2=A01: Remove those releases immediately.
> >>> =C2=A02: Re-release those "releases" as real re= leases
> >>> =C2=A0 =C2=A0 by complying w/ the release policy (basical= ly,
> >>> =C2=A0 =C2=A0 taking those "releases" and doing= the required
> >>> =C2=A0 =C2=A0 vetting and voting).
> >>>
> >>>The board can, and will, also remove a PMCs ability
> >>>to "release" stuff if it refuses to comply with = the
> >>>release policy. So it can be enforced. It is being
> >>>enforced. It will be enforced.
> >>This is not an enforcement. This is a punishment. And it's= totally vain.
> >>
> >>Unless the board is ready to check all the releases for all th= e 151
> >>projects, and verify that *every* PMC member is eventually goi= ng through
> >>the whole process, this is just a void statement.
> >>
> >>Btw, just tell me how you are going to control that ? I'm = curious...
> >>OTOH, we van make it easier for the PMC members to cast a vote= , by
> >>verifying the output of a documented/replayable process, which= will take
> >>a few minutes instead of hours in some cases. How possibly can= someone
> >>object that it would be a progress ?
> >>
> >>
> >>
> >>--------------------------------------------------------------= -------
> >>To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> >>For additional commands, e-mail: legal-discuss-help@apache.org
> >
> >------------------------------------------------------------------= ---
> >To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org > >For additional commands, e-mail: legal-discuss-help@apache.org
> >
> >
> >
>
> --
>
> ---------------------------------------------------------------------<= br> > To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org

--
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=C2=A0 =C2=A0Jim Jagielski =C2=A0 [|] =C2=A0 jim@jaguNET.com =C2=A0 [|] =C2= =A0 http://www.jaguNE= T.com/
=C2=A0 =C2=A0 =C2=A0 =C2=A0 "Great is the guilt of an unnecessary war&= quot; =C2=A0~ John Adams

--f46d04428802a046cb04fa9e7bed--