From: Sharan F
Reply-To: sharan@apache.org
To: Marvin Humphrey, legal-discuss@apache.org
Subject: Re: Request for clarification of Release Policy regarding external jar files
Date: Fri, 10 Jun 2016 16:19:19 +0200
Message-ID: <575ACC67.4080306@apache.org>
References: <575AB39E.5090800@apache.org>
Mailing-List: legal-discuss@apache.org

Hi Marvin

Thanks very much for the clarification.
Thanks
Sharan

On 10/06/16 16:04, Marvin Humphrey wrote:
> On Fri, Jun 10, 2016 at 5:33 AM, Sharan F wrote:
>
>> We need some confirmation regarding what is included in an Apache release.
>
> The canonical page for Apache Release Policy is here:
>
> http://www.apache.org/legal/release-policy
>
>> Based on these statements our understanding is that:
>>
>> projects must publish "source releases"
>
> Yes.
>
>> "source releases" do not contain binaries
>
> Yes.
>
>> projects may also publish "binary releases"
>
> This is not accurate. Third parties (most often the release manager) may
> provide compiled packages. The colloquialism typically used to refer to these
> packages is "convenience binaries".
>
> http://www.apache.org/legal/release-policy#compiled-packages
>
> The Apache Software Foundation produces open source software. All releases
> are in the form of the source materials needed to make changes to the
> software being released.
>
> As a convenience to users that might not have the appropriate tools to
> build a compiled version of the source, binary/bytecode packages MAY be
> distributed alongside official Apache releases. In all such cases, the
> binary/bytecode package MUST have the same version number as the source
> release and MUST only add binary/bytecode files that are the result of
> compiling that version of the source code release and its dependencies.
>
> The Foundation does not endorse binary packages because such packages are
> opaque and cannot be audited by a PMC.
>
> Over the last few years (post-Snowden), the extent to which security depends
> on audited source and certified repeatable builds has become ever more clear.
>
>> "binary releases" can contain binaries compiled from source code created by
>> the project or binaries from external projects
>
> See the quote above for constraints on what may go into convenience binaries.
> Untrusted jar files (from wherever) are allowed. They must represent
> compilation of open source dependencies, but no verification step is
> required -- i.e. there is no policy requirement that anyone actually validate
> that dependency binaries actually derive from specific source code.
>
> Security-conscious consumers will naturally take such matters into account
> when deciding how best to consume our products.
>
> Marvin Humphrey

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
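The thread's point that no verification step is required for the dependency jars shipped in a convenience binary means that check falls to the consumer. What follows is an added example and not code from this thread, from the ASF, or from any Apache project. It assumes a sha256sum-style manifest of the dependency jars (one `<sha256>  <filename>` line per jar, as a project or a consumer's own source build might publish it) and verifies a `lib/` directory against it, reporting jars whose hash differs, jars not on the manifest, and manifest entries with no jar on disk. The jars, their names and the manifest are all constructed in memory for the demonstration; the manifest format is an assumption, not an ASF requirement.

```python
"""Check the dependency jars in a convenience-binary lib/ directory against a
pinned SHA-256 manifest. Added example with constructed data; the manifest
layout (sha256sum(1) style) is an assumption, not an Apache policy."""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path


def make_jar(entries: dict[str, bytes]) -> bytes:
    """Build a tiny jar in memory. Fixed timestamps and sorted entry order keep
    the bytes identical run to run (constructed test data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(entries.items()):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse '<sha256>  <filename>' lines; '#' comments and blank lines are
    skipped, a leading '*' (sha256sum binary mode) on the name is dropped.
    Malformed lines are an error rather than silently ignored."""
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest
    return expected


def verify_jars(lib_dir: Path, expected: dict[str, str]) -> dict[str, str]:
    """Return {jar name: status} covering every jar on disk and every manifest
    entry. Statuses: ok, mismatch (hash differs), unlisted (jar not in the
    manifest), missing (manifest entry with no jar)."""
    results: dict[str, str] = {}
    present = {p.name: p for p in lib_dir.glob("*.jar")}
    for name, path in present.items():
        if name not in expected:
            results[name] = "unlisted"
        elif sha256_hex(path.read_bytes()) == expected[name]:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for name in expected:
        if name not in present:
            results[name] = "missing"
    return results


def run_demo() -> dict[str, str]:
    """Construct a lib/ directory and manifest exercising all four outcomes.
    Jar names and contents are made up for the example."""
    good = make_jar({"org/example/Foo.class": b"\xca\xfe\xba\xbe foo"})
    pristine_bar = make_jar({"org/example/Bar.class": b"\xca\xfe\xba\xbe bar"})
    # Same coordinates as pristine_bar but with an extra class: a dependency
    # jar that does not match what the source build produced.
    tampered_bar = make_jar({"org/example/Bar.class": b"\xca\xfe\xba\xbe bar",
                             "org/example/Extra.class": b"\xca\xfe\xba\xbe extra"})
    baz = make_jar({"org/example/Baz.class": b"\xca\xfe\xba\xbe baz"})
    unlisted = make_jar({"org/example/Unknown.class": b"\xca\xfe\xba\xbe ?"})
    manifest = "\n".join([
        "# constructed manifest: hashes of the dependency jars the source build used",
        f"{sha256_hex(good)}  commons-foo-1.0.jar",
        f"{sha256_hex(pristine_bar)}  commons-bar-2.0.jar",
        f"{sha256_hex(baz)}  commons-baz-3.0.jar",   # not shipped in lib/
    ])
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        (lib / "commons-foo-1.0.jar").write_bytes(good)
        (lib / "commons-bar-2.0.jar").write_bytes(tampered_bar)
        (lib / "extra-unknown-0.1.jar").write_bytes(unlisted)
        return verify_jars(lib, parse_manifest(manifest))


if __name__ == "__main__":
    for name, status in sorted(run_demo().items()):
        print(f"{status:9} {name}")
```

Run as a script it lists each jar with its status; anything other than `ok` across the board means the binary package cannot be tied back to the audited source and its declared dependencies. Hashing the whole jar rather than its entries is deliberate: a jar that differs only in metadata or entry order still is not the artifact the build was audited against, which is also why the constructed jars pin their timestamps.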