www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roman Shaposhnik <ro...@shaposhnik.org>
Subject Re: Request for clarification of Release Policy regarding external jar files
Date Sun, 12 Jun 2016 01:26:08 GMT
On Fri, Jun 10, 2016 at 4:04 PM, Marvin Humphrey <marvin@rectangular.com> wrote:
> On Fri, Jun 10, 2016 at 5:33 AM, Sharan F <sharan@apache.org> wrote:
>
>> We need some confirmation regarding what is included in an Apache release.
>
> The canonical page for Apache Release Policy is here:
>
>   http://www.apache.org/legal/release-policy
>
>> Based on these statements our understanding is that:
>>
>> projects must publish "source releases"
>
> Yes.
>
>> "source releases" do not contain binaries
>
> Yes.
>
>> projects may also publish "binary releases"
>
> This is not accurate.  Third parties (most often the release manager) may
> provide compiled packages.  The colloquialism typically used to refer to these
> packages is "convenience binaries".
>
>     http://www.apache.org/legal/release-policy#compiled-packages
>
>     The Apache Software Foundation produces open source software. All releases
>     are in the form of the source materials needed to make changes to the
>     software being released.
>
>     As a convenience to users that might not have the appropriate tools to
>     build a compiled version of the source, binary/bytecode packages MAY be
>     distributed alongside official Apache releases. In all such cases, the
>     binary/bytecode package MUST have the same version number as the source
>     release and MUST only add binary/bytecode files that are the result of
>     compiling that version of the source code release and its dependencies.
>
> The Foundation does not endorse binary packages because such packages are
> opaque and cannot be audited by a PMC.
>
> Over the last few years (post-Snowden), the extent to which security depends
> on audited source and certified repeatable builds has become ever more clear.
>
>> "binary releases" can contain binaries compiled from source code created by
>> the project or binaries from external projects
>
> See the quote above for constraints on what may go into convenience binaries.
> Untrusted jar files (from wherever) are allowed.  They must represent
> compilation of open source dependencies, but no verification step is
> required -- i.e. there is no policy requirement that anyone actually validate
> that dependency binaries actually derive from specific source code.
>
> Security-conscious consumers will naturally take such matters into account
> when deciding how best to consume our products.

To pile on top of Marvin's excellent answer (and at the risk of
stating the obvious,
at least the obvious to longtimers): remember even for binary
convenience artifacts
you're still on the hook to make sure your NOTICE file is correct.
Most of the time
your NOTICE file for binary convenience artifacts will be larger than
your NOTICE
for the source release.

Thanks,
Roman.

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Mime
View raw message