www-legal-discuss mailing list archives

From Alex Harui <aha...@adobe.com>
Subject Re: Request for clarification of Release Policy regarding external jar files
Date Tue, 14 Jun 2016 14:57:44 GMT
Hi Sharan,

Maybe I'm misinterpreting your last sentence, but while I guess it is true that the convenience
binary doesn't have to go through the same process in that the VOTE doesn't have to occur,
but because of statements in the release policy like: "In all such cases, the binary/bytecode
package must have the same version number as the source release and may only add binary/bytecode
files that are the result of compiling that version of the source code release", it means
to me that the convenience binary is a follow-on action (by individuals) from a source release.
So, whatever sources an individual uses to generate the binary release must have first been
approved as a source release via the usual process.  I don't know that a PMC can enforce those
rules on a third-party or the RM, but I think the PMC is supposed to try to make sure that
approved source releases are available for binary release providers.

IOW, a vote and vetting of a source package had to occur at some point before the binary release
is produced from it, and in the vetting of the source package, checking of LICENSE and NOTICE
for the binary release generally occur since they can be different from the source release.


From: Sharan F <sharan@apache.org>
Reply-To: "legal-discuss@apache.org" <legal-discuss@apache.org>,
"sharan@apache.org" <sharan@apache.org>
Date: Tuesday, June 14, 2016 at 12:26 AM
To: Jim Jagielski <jim@jaguNET.com>, "legal-discuss@apache.org"
Subject: Re: Request for clarification of Release Policy regarding external jar files

Hi Jim

We thought that we understood it but Marvin's response shows otherwise.

I don't think we were far off, essentially the main difference being that we thought that
a compiled binary of a release with its dependencies was also a release (since it has to have
the same version number as the release). The confusion I think might have been caused by the
definition of what is a release.

“Releases are, by definition, anything that is published beyond the group that owns it.
In our case, that means any publication outside the group of people on the product dev list.”

so it looked to us like we could also publish optional “binary releases”, whereas Marvin
talks about the release process and the strict governance associated with that, and a convenience
binary (binary release) doesn't have to go through that same process.


On 13/06/16 18:43, Jim Jagielski wrote:

What parts of:


require clarification?

On Jun 10, 2016, at 8:33 AM, Sharan F <sharan@apache.org>

We need some confirmation regarding what is included in an Apache release. Essentially we
want clarification of what the policy is with regard to dependencies such as external jar
In the Guide to Release Management During Incubation (DRAFT) http://incubator.apache.org/guides/releasemanagement.html#check-list
under section 3.6 in the 'Release Check List' it says:

"3.6 Release consists of source code only, no binaries. Each Apache release must contain a
source package. This package may not contain compiled components (such as "jar" files) because
compiled components are not open source, even if they were built from open source."

On the Release Creation Process page http://www.apache.org/dev/release-publishing.html#valid
under the 'What is a Valid Release Package' section it says:
"... the fundamental requirement for a release is that it consist of the necessary source
code to build the project. Optionally, a release may also be accompanied by compiled binaries
for the convenience of users."
Based on these statements our understanding is that:
        • projects must publish "source releases"
        • "source releases" do not contain binaries
        • projects may also publish "binary releases"
        • "binary releases" can contain binaries compiled from source code created by the
project or binaries from external projects
Please can you confirm that our understanding of the policy is correct (or not).
