www-legal-discuss mailing list archives

From Justin Mclean <jus...@classsoftware.com>
Subject Re: Bundling and LICENSE
Date Sun, 03 Apr 2016 21:52:33 GMT
Hi,

> Makes sense, but I've been wondering whether the "have to" part is
> responsible for low and slow voter turnout and an inability to recruit new
> release managers in our community.

In this case (and IMO) it is more likely related to the complexity of setting up the build environment
and getting the source package to compile. I would have spent 5x as much time on that as on the
LICENSE / NOTICE checks I did. Several other PMC members were unable to get the source to
compile and thus have not voted.

> that person can void every other PMC member's vote because as soon as an
> irregularity is found

A -1 is not a veto / does not void a release. In the last RC it was suggested that the LICENSE/NOTICE
issue be fixed for the next release and no one voted -1. Even if there were a -1, all that means
is that that individual PMC member doesn't think the RC is release quality (for a good reason)
and it is not a veto. Also, people can change their vote once it is decided how to resolve the
issue in question.

> We also rarely get non-binding votes on our releases.  The 'feel' of the
> release process isn't so much "hey, try this out and see if the code
> works", it is a call for volunteers to grind through each file looking for
> policy violations.

It sometimes takes time to get LICENSE and NOTICE right. This is only the 3rd release of FlexJS
and new things are being bundled in each release. I'd expect it to settle down in future
releases. Reviewing 3rd party code when it is added rather than at release time may be
the way to make the process easier.

> Or is the ASF liable and/or would our
> reputation suffer if issues in upstream bundles are found in binary
> packages on our dist server?

It depends on the seriousness of the licensing / policy bug and risk; for a missing BSD or
MIT license it's probably fine to fix it in the next release. For the crypto code that
snuck in, IMO that was serious. While unlikely, fines can be handed out for that, e.g. [1].

Thanks,
Justin

1. http://www.theregister.co.uk/2014/10/17/intel_subsidiary_crypto_export_fine/
