From: Marvin Humphrey
Date: Fri, 10 Jun 2016 07:04:02 -0700
Subject: Re: Request for clarification of Release Policy regarding external jar files
To: legal-discuss@apache.org, sharan@apache.org

On Fri, Jun 10, 2016 at 5:33 AM, Sharan F wrote:

> We need some confirmation regarding what is included in an Apache release.

The canonical page for Apache Release Policy is here:

http://www.apache.org/legal/release-policy

> Based on these statements our understanding is that:
>
> projects must publish "source releases"

Yes.

> "source releases" do not contain binaries

Yes.

> projects may also publish "binary releases"

This is not accurate. Third parties (most often the release manager) may provide compiled packages. The colloquialism typically used to refer to these packages is "convenience binaries".

http://www.apache.org/legal/release-policy#compiled-packages

    The Apache Software Foundation produces open source software. All
    releases are in the form of the source materials needed to make changes
    to the software being released. As a convenience to users that might
    not have the appropriate tools to build a compiled version of the
    source, binary/bytecode packages MAY be distributed alongside official
    Apache releases. In all such cases, the binary/bytecode package MUST
    have the same version number as the source release and MUST only add
    binary/bytecode files that are the result of compiling that version of
    the source code release and its dependencies.

The Foundation does not endorse binary packages because such packages are opaque and cannot be audited by a PMC. Over the last few years (post-Snowden), the extent to which security depends on audited source and certified repeatable builds has become ever more clear.

> "binary releases" can contain binaries compiled from source code created by
> the project or binaries from external projects

See the quote above for constraints on what may go into convenience binaries.
Untrusted jar files (from wherever) are allowed. They must represent compilation of open source dependencies, but no verification step is required -- i.e. there is no policy requirement that anyone actually validate that dependency binaries actually derive from specific source code. Security-conscious consumers will naturally take such matters into account when deciding how best to consume our products.

Marvin Humphrey