www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sharan F <sha...@apache.org>
Subject Re: Request for clarification of Release Policy regarding external jar files
Date Sun, 12 Jun 2016 08:05:14 GMT
Thanks Roman - I didn't know this (but do now!)


On 12/06/16 03:26, Roman Shaposhnik wrote:
> On Fri, Jun 10, 2016 at 4:04 PM, Marvin Humphrey <marvin@rectangular.com> wrote:
>> On Fri, Jun 10, 2016 at 5:33 AM, Sharan F <sharan@apache.org> wrote:
>>> We need some confirmation regarding what is included in an Apache release.
>> The canonical page for Apache Release Policy is here:
>>    http://www.apache.org/legal/release-policy
>>> Based on these statements our understanding is that:
>>> projects must publish "source releases"
>> Yes.
>>> "source releases" do not contain binaries
>> Yes.
>>> projects may also publish "binary releases"
>> This is not accurate.  Third parties (most often the release manager) may
>> provide compiled packages.  The colloquialism typically used to refer to these
>> packages is "convenience binaries".
>>      http://www.apache.org/legal/release-policy#compiled-packages
>>      The Apache Software Foundation produces open source software. All releases
>>      are in the form of the source materials needed to make changes to the
>>      software being released.
>>      As a convenience to users that might not have the appropriate tools to
>>      build a compiled version of the source, binary/bytecode packages MAY be
>>      distributed alongside official Apache releases. In all such cases, the
>>      binary/bytecode package MUST have the same version number as the source
>>      release and MUST only add binary/bytecode files that are the result of
>>      compiling that version of the source code release and its dependencies.
>> The Foundation does not endorse binary packages because such packages are
>> opaque and cannot be audited by a PMC.
>> Over the last few years (post-Snowden), the extent to which security depends
>> on audited source and certified repeatable builds has become ever more clear.
>>> "binary releases" can contain binaries compiled from source code created by
>>> the project or binaries from external projects
>> See the quote above for constraints on what may go into convenience binaries.
>> Untrusted jar files (from wherever) are allowed.  They must represent
>> compilation of open source dependencies, but no verification step is
>> required -- i.e. there is no policy requirement that anyone actually validate
>> that dependency binaries actually derive from specific source code.
>> Security-conscious consumers will naturally take such matters into account
>> when deciding how best to consume our products.
> To pile on top of Marvin's excellent answer (and at the risk of
> stating the obvious,
> at least the obvious to longtimers): remember even for binary
> convenience artifacts
> you're still on the hook to make sure your NOTICE file is correct.
> Most of the time
> your NOTICE file for binary convenience artifacts will be larger than
> your NOTICE
> for the source release.
> Thanks,
> Roman.

To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message