www-legal-discuss mailing list archives

From "Sharan Foga"<sha...@apache.org>
Subject Re: Request for clarification of Release Policy regarding external jar files
Date Wed, 15 Jun 2016 10:08:45 GMT
Hi Alex

To respond to your query, it's the PMC that's looking at doing it - no-one else, and if
we did do it, it would be, as you say, a direct follow-on of the source release process.


On 2016-06-14 16:57 (+0200), Alex Harui <aharui@adobe.com> wrote: 
> Hi Sharan,
> Maybe I'm misinterpreting your last sentence, but while I guess it is true that the convenience binary doesn't have to go through the same process in that the VOTE doesn't have to occur, but because of statements in the release policy like: "In all such cases, the binary/bytecode package must have the same version number as the source release and may only add binary/bytecode files that are the result of compiling that version of the source code release", it means to me that the convenience binary is a follow-on action (by individuals) from a source release. So, whatever sources an individual uses to generate the binary release must have first been approved as a source release via the usual process. I don't know that a PMC can enforce those rules on a third-party or the RM, but I think the PMC is supposed to try to make sure that approved source releases are available for binary release providers.
> IOW, a vote and vetting of a source package had to occur at some point before the binary release is produced from it, and in the vetting of the source package, checking of LICENSE and NOTICE for the binary release generally occur since they can be different from the source
> -Alex
> From: Sharan F <sharan@apache.org>
> Reply-To: "legal-discuss@apache.org" <legal-discuss@apache.org>, "sharan@apache.org" <sharan@apache.org>
> Date: Tuesday, June 14, 2016 at 12:26 AM
> To: Jim Jagielski <jim@jaguNET.com>, "legal-discuss@apache.org"
> Subject: Re: Request for clarification of Release Policy regarding external jar files
> Hi Jim
> We thought that we understood it but Marvin's response shows otherwise.
> I don't think we were far off, essentially the main difference being that we thought that a compiled binary of a release with its dependencies was also a release (since it has to have the same version number as the release). The confusion I think might have been caused by the definition of what is a release.
> “Releases are, by definition, anything that is published beyond the group that owns it. In our case, that means any publication outside the group of people on the product dev
> so it looked to us like we could also publish optional “binary releases”, whereas Marvin talks about the release process and the strict governance associated with that, and a convenience binary (binary release) doesn't have to go through that same process.
> Thanks
> Sharan
> On 13/06/16 18:43, Jim Jagielski wrote:
> What parts of:
>          http://www.apache.org/legal/release-policy
> require clarification?
> On Jun 10, 2016, at 8:33 AM, Sharan F <sharan@apache.org>
> Hi
> We need some confirmation regarding what is included in an Apache release. Essentially we want clarification of what the policy is with regard to dependencies such as external jar
> In the Guide to Release Management During Incubation (DRAFT) http://incubator.apache.org/guides/releasemanagement.html#check-list under section 3.6 in the 'Release Check List' it says:
> "3.6 Release consists of source code only, no binaries. Each Apache release must contain a source package. This package may not contain compiled components (such as "jar" files) because compiled components are not open source, even if they were built from open source."
> On the Release Creation Process page http://www.apache.org/dev/release-publishing.html#valid under the 'What is a Valid Release Package' section it says:
> "... the fundamental requirement for a release is that it consist of the necessary source code to build the project. Optionally, a release may also be accompanied by compiled binaries for the convenience of users."
> Based on these statements our understanding is that:
>         • projects must publish "source releases"
>         • "source releases" do not contain binaries
>         • projects may also publish "binary releases"
>         • "binary releases" can contain binaries compiled from source code created by the project or binaries from external projects
> Please can you confirm that our understanding of the policy is correct (or not).
> Thanks
> Sharan
