www-legal-discuss mailing list archives

From Marvin Humphrey <mar...@rectangular.com>
Subject Re: Request for clarification of Release Policy regarding external jar files
Date Fri, 10 Jun 2016 14:04:02 GMT
On Fri, Jun 10, 2016 at 5:33 AM, Sharan F <sharan@apache.org> wrote:

> We need some confirmation regarding what is included in an Apache release.

The canonical page for Apache Release Policy is here:


> Based on these statements our understanding is that:
> projects must publish "source releases"


> "source releases" do not contain binaries


> projects may also publish "binary releases"

This is not accurate.  Third parties (most often the release manager) may
provide compiled packages.  The colloquialism typically used to refer to these
packages is "convenience binaries".


    The Apache Software Foundation produces open source software. All releases
    are in the form of the source materials needed to make changes to the
    software being released.

    As a convenience to users that might not have the appropriate tools to
    build a compiled version of the source, binary/bytecode packages MAY be
    distributed alongside official Apache releases. In all such cases, the
    binary/bytecode package MUST have the same version number as the source
    release and MUST only add binary/bytecode files that are the result of
    compiling that version of the source code release and its dependencies.

The Foundation does not endorse binary packages because such packages are
opaque and cannot be audited by a PMC.

Over the last few years (post-Snowden), the extent to which security depends
on audited source and certified repeatable builds has become ever more clear.

> "binary releases" can contain binaries compiled from source code created by
> the project or binaries from external projects

See the quote above for constraints on what may go into convenience binaries.
Untrusted jar files (from wherever) are allowed.  They must represent
compilation of open source dependencies, but no verification step is
required -- i.e. there is no policy requirement that anyone actually validate
that dependency binaries actually derive from specific source code.

Security-conscious consumers will naturally take such matters into account
when deciding how best to consume our products.

Marvin Humphrey
