www-legal-discuss mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Bundling and LICENSE
Date Thu, 07 Apr 2016 07:58:18 GMT
On 07/04/2016 05:31, Alex Harui wrote:
> When you say "you can't turn a blind eye" does that mean we must vote to
> cancel the release?

No. I mean if someone raises an issue you can't pretend it doesn't exist.

> If so, then there is an effective veto in the
> release process.

No.

> Or do you mean that we must take that information into
> consideration?

Yes.

> I guess I'm still trying to understand if PMC members
> can use their judgement and still vote to release if someone else spots
> something that looks odd at the last minute before the vote closes,
> especially in third-party content.

PMC members are always expected to use their judgement.

> If the expected consequence is to
> fix it in the next release, then it seems it would better suit the
> "release early and often" philosophy to not bog down the release by
> using policy to force cancellation and instead, ship the release and fix
> it in a future release if necessary.

The expected consequence depends on the issue. There is no one rule that
fits all circumstances.

> Because if there is no allowance for judgement, then a person who does
> not trust the L&N can effectively force those who want to trust the L&N
> to not be able to trust the L&N by exposing them to potential issues.

Once an issue has been raised it has to be considered but whether it
blocks a release is something the PMC members will need to make a
judgement call on.

> And if you then say as you did up-thread that problems found are the
> responsibility of the entire PMC, then that person who found the issue
> can essentially force those who would rather trust the L&N to be the
> messenger of bad news to the third-party by not bringing the message to
> the third-party themselves.  That doesn't feel very "Apache" to me.
> Using policy to force others to do work they don't want to do to
> scratch your itch doesn't seem right.  Forcing people to take a "no
> trust" position doesn't seem right either.

Finding a bug does not make you responsible for fixing it.

While, generally, committers are free to scratch their own itch, being a
PMC member comes with additional responsibilities. There are a wide
variety of things that the PMC is expected to do. Off the top of my head
and far from an exhaustive list:
- moderate mailing lists
- deal with any code of conduct related issues
- respond to security vulnerability reports in a timely manner
- adhere to ASF policies (source headers, branding, dependency licenses,
  etc.)

A PMC that consistently ignores any of these is going to attract the
attention of the board - and not in a good way.

> My interpretation of the Apache way would be that PMC members could have
> the option say to someone who does not trust the L&N and finds an issue:
>  "Hmm, well, I choose to trust their top-level documents.  Maybe it is a
> clerical error on the part of the third-party.  Please work with the
> third-party to see if they want to make any adjustments to their
> top-level documents so we will know how to respond in our top-level
> documents.  Anyone else who is interested in also working with that
> third-party, please help"

No. PMC members do not have the option to effectively say "You found it,
you fix it."

> Yes, that puts the onus on the person
> reporting the issue to do the work or recruit someone to do the work,
> but isn't that how the scratch-your-own-itch philosophy is supposed to
> work?

No. See comments above on the additional responsibilities that come with
being a PMC member.

> IMO, if we could operate this way, we would release more often
> and I think we might attract more RMs, and the release process would
> feel more like a "potluck" than a grind.

The projects I'm involved in don't work the way you propose and they
have no difficulty releasing early and often. Neither do the occasional
L&N issues that are raised cause any particular problems.

Mark

> 
> Thanks,
> -Alex
> 
> From: Mark Thomas <markt@apache.org>
> Reply-To: legal-discuss@apache.org
> Date: Wednesday, April 6, 2016 at 8:16 AM
> To: legal-discuss@apache.org
> Subject: Re: Bundling and LICENSE
> 
> 
> I think it is perfectly reasonable to trust the L&N you find but that
> doesn't mean you can turn a blind eye if you spot something that looks
> odd. Some folks will want to check in more detail than others and that
> is fine.
> 
> Mark
> 
> 

