www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: Release Policy
Date Wed, 25 Jun 2014 18:33:49 GMT
On Mon, May 26, 2014 at 9:12 PM, Marvin Humphrey <marvin@rectangular.com> wrote:
> On Sat, May 24, 2014 at 7:08 AM, Mark Struberg <struberg@yahoo.de> wrote:
>> Imo the following points are not yet clear
>>
>> * what does 'release' mean in the proposal.
>>  + are there different 'release' terms in the proposal?
>
> The release definition section in the draft is closely derived from the "What
> is a Release?" FAQ at <http://www.apache.org/dev/release.html#what>.
>
> You are welcome to propose modifications, though I think it would be dicey
> to stray much from what's on the current policy page.
>
>> * is the 72h a MUST or SHOULD.
>
> Note "should":
>
>     http://www.apache.org/foundation/voting.html
>

+1.  For example, I recall a security patch that had an urgency that
lead to its release with a less than 72-hour vote.

Since that is sometimes the real world, it is worth considering
release policy as a whole with respect to how a PMC reacts to a
zero-day vulnerability or a vulnerability facing imminent disclosure.
 It should not be the focus of policy, IMHO, but there should be a
clear ability for a PMC to do what is needed in such situations,
without abusing the underlying goals of the release policy.

-Rob

>     Votes should generally be permitted to run for at least 72 hours to
>     provide an opportunity for all concerned persons to participate regardless
>     of their geographic locations.
>
>> * are we allowed to do snapshot builds for the public?
>>  + do we need to do this via a special (even more) exclusion of liability?
>
> My fallback on this is to revert the "Publication" section of the proposed
> draft to language extracted verbatim from the current policy page:
>
>     ## Publication ## {#publication}
>
>     During the process of developing software and preparing a release, various
>     packages are made available to the developer community for testing
>     purposes. **Do not include any links on the project website that might
>     encourage non-developers to download and use nightly builds, snapshots,
>     release candidates, or any other similar package.** The only people who
>     are supposed to know about such packages are the people following the dev
>     list (or searching its archives) and thus aware of the conditions placed
>     on the package. If you find that the general public are downloading such
>     test packages, then remove them.
>
>     Under no circumstances are unapproved builds a substitute for releases. If
>     this policy seems inconvenient, then release more often. Proper release
>     management is a key aspect of Apache software development.
>
> That's a bit long for my taste, but if this section is to be contended, it may
> be the only way forward.
>
> Marvin Humphrey
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Mime
View raw message