www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stian Soiland-Reyes <st...@apache.org>
Subject Re: Country of Origin of various ASF projects
Date Thu, 20 Oct 2016 11:26:39 GMT
Thanks! Hope you are able to re-shape my late-night ramblings..

There's also the partially overlapping
https://www.apache.org/licenses/exports/ - although Country of Origin
applies also to non-encryption software.

Any Apache committer can suggest an update using the CMS system at
https://cms.apache.org/www/ and navigating to the corresponding
folder. Suggest your patch on dev@community as it would be part of the
policy document.

On 20 October 2016 at 02:54, Wheeler, David A <dwheeler@ida.org> wrote:
> All - thanks for the insight.  I particularly appreciated the answer by Stian Soiland-Reyes
on Wednesday, October 19, 2016 04:19.
>
> However - can this *please* be documented somewhere in a public FAQ?  I recommend that
<http://www.apache.org/dev/release> be modified to specifically answer this question,
so that others can get the same answer.  I've cobbled up a draft, below, which is basically
a reformat of the answer by Stian Soiland-Reyes.
>
> Who should this be sent to?
>
> --- David A. Wheeler
>
> =============================================
>
> Proposed addition to <http://www.apache.org/dev/release> - add to the end of "Release
Licensing Questions":
>
> Q: What is the "Country of Origin" for purposes of the U.S. Trade Agreements Act (TAA)
and similar acts?
>
> Some country's laws involve the "country of origin".  For example, the U. S. Trade Agreements
Act (TAA) imposes laws involving the "country of origin", and it defines the Country of Origin
as the country where the software is built-(where final compilation occurs).
>
> The ASF only consider the source release the release.  This is what should be used by
downstream consumers who need to check Country of Origin or in other ways want to be sure
of what exact code they are using.  Source releases are acts of the Foundation.
>
> Many ASF projects also provide binary "convenience" artifacts, aka "convenience binaries".
 These include  the JARs in Maven Central, which Java developers generally use as-is.  Some
of these are also distributed by ASF as an organization, and even promoted and hosted by ASF
(via ASF mirrors).
>
> However, "convenience binaries" are built by the individual release managers (who may
vary per release), who would live in different locations (possibly temporarily residing in
a different location at the time of preparing a release), and who may be using build infrastructure
in a third location (in particular building Maven projects would commonly rely on Maven Central
and artifacts that themselves have mixed origin).  As such, it is difficult to define a single
Country of Origin for binary releases.  Consumers who need to consider Country of Origin should
only use the source releases, verified by their PGP signatures, and build it on their own
infrastructure.
>
> References:
> http://www.apache.org/dev/release#owned-controlled-hardware
> http://www.apache.org/dev/release#what
> https://www.apache.org/dev/release-distribution.html
>
>
>



-- 
Stian Soiland-Reyes
http://orcid.org/0000-0001-9842-9718

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Mime
View raw message