www-legal-discuss mailing list archives

From "Wheeler, David A" <dwhee...@ida.org>
Subject RE: Country of Origin of various ASF projects
Date Thu, 20 Oct 2016 00:54:42 GMT
All - thanks for the insight.  I particularly appreciated the answer by Stian Soiland-Reyes
on Wednesday, October 19, 2016 04:19.

However - can this *please* be documented somewhere in a public FAQ?  I recommend that <http://www.apache.org/dev/release>
be modified to specifically answer this question, so that others can get the same answer.
I've cobbled up a draft, below, which is basically a reformat of the answer by Stian Soiland-Reyes.

Who should this be sent to?

--- David A. Wheeler

=============================================

Proposed addition to <http://www.apache.org/dev/release> - add to the end of "Release
Licensing Questions":

Q: What is the "Country of Origin" for purposes of the U.S. Trade Agreements Act (TAA) and
similar acts?

Some countries' laws involve the "country of origin".  For example, the U.S. Trade Agreements
Act (TAA) imposes laws involving the "country of origin", and it defines the Country of Origin
as the country where the software is built (where final compilation occurs).

The ASF only considers the source release the release.  This is what should be used by downstream
consumers who need to check Country of Origin or in other ways want to be sure of what exact
code they are using.  Source releases are acts of the Foundation.

Many ASF projects also provide binary "convenience" artifacts, aka "convenience binaries".
These include the JARs in Maven Central, which Java developers generally use as-is.  Some
of these are also distributed by ASF as an organization, and even promoted and hosted by ASF
(via ASF mirrors).

However, "convenience binaries" are built by the individual release managers (who may vary
per release), who would live in different locations (possibly temporarily residing in a different
location at the time of preparing a release), and who may be using build infrastructure in
a third location (in particular building Maven projects would commonly rely on Maven Central
and artifacts that themselves have mixed origin).  As such, it is difficult to define a single
Country of Origin for binary releases.  Consumers who need to consider Country of Origin should
only use the source releases, verified by their PGP signatures, and build them on their own
infrastructure.

References:
http://www.apache.org/dev/release#owned-controlled-hardware
http://www.apache.org/dev/release#what
https://www.apache.org/dev/release-distribution.html


