www-legal-discuss mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Request for clarification of Release Policy regarding external jar files
Date Tue, 14 Jun 2016 15:32:55 GMT
On Tue, Jun 14, 2016 at 9:57 AM, Alex Harui <aharui@adobe.com> wrote:

> Hi Sharan,
> Maybe I'm misinterpreting your last sentence, but while I guess it is true
> that the convenience binary doesn't have to go through the same process in
> that the VOTE doesn't have to occur, but because of statements in the
> release policy like: "In all such cases, the binary/bytecode package must
> have the same version number as the source release and may only add
> binary/bytecode files that are the result of compiling that version of the
> source code release", it means to me that the convenience binary is a
> follow-on action (by individuals) from a source release.  So, whatever
> sources an individual uses to generate the binary release must have first
> been approved as a source release via the usual process.

As a practical matter, it isn't always possible to build the package
without some minor correction or adjustment. In those cases, any
adjustments required should be in appropriate docs pages, or patches should
be available for download. Nothing in an ASF-branded binary may be
'concealed' from the user who wishes to replicate that binary build, and
these instructions must be as clear as the PMC can provide.

> I don't know that a PMC can enforce those rules on a third-party or the
> RM, but I think the PMC is supposed to try to make sure that approved
> source releases are available for binary release providers.

Of course it can. That's the value of the Trademarks that Apache hold for
the foundation and specific PMCs.

In general, third parties are receptive to polite requests, but there is an
escalation path. We try not to use it. Perhaps that third party wants to
retitle their package "Packager Superpackage, based on Apache Foo", or
perhaps they want to call their distribution "Apache Foo", and remove what
doesn't correspond to our release. It's best to be flexible and bring the
issue to the trademarks@ group in the event things can't be resolved.

> IOW, a vote and vetting of a source package had to occur at some point
> before the binary release is produced from it, and in the vetting of the
> source package, checking of LICENSE and NOTICE for the binary release
> generally occur since they can be different from the source release.

While it isn't strictly necessary to have 3 +1's for such convenience
packages, it is quite valuable to announce those packages and solicit
review, just to ensure the correct LICENSE, NOTICE and other aspects of the
binary correspond to the sources and follow all of our conventions. Extra
eyes never hurt.
