www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stian Soiland-Reyes <st...@apache.org>
Subject Re: Country of Origin of various ASF projects
Date Wed, 19 Oct 2016 10:18:52 GMT
The ASF only consider the source release the atomic Release (tm) -
which certainly is what should be used by downstream consumers who
need to check Country of Origin or in other ways want to be sure of
what exact code they are using.

However our binary "convenience" artifacts (e.g. the JARs in Maven
Central which Java developers generally use as-is) are also
distributed by ASF as an organization, promoted and hosted by us (via
our mirrors) - so I don't think we can argue them to be irrelevant.

So I think the answer is that "convenience binaries" are built by the
individual release managers (varies per release), which would live in
different locations (possibly temporarily reside in a different
location at the time of preparing a release), and which may be using
build infrastructure in a third location (in particular building Maven
projects would commonly rely on Maven Central and artifacts that
themselves have mixed origin) - and as such it is difficult to define
a single Country of Origin for binary releases.  Consumers who need to
consider Country of Origin should only use the the source releases,
verified by their PGP signatures, and build it on their own
infrastructure.


Refs:

http://www.apache.org/dev/release#owned-controlled-hardware
http://www.apache.org/dev/release#what
https://www.apache.org/dev/release-distribution.html

On 19 October 2016 at 01:53, Ted Dunning <ted.dunning@gmail.com> wrote:
>
> On Tue, Oct 18, 2016 at 2:30 PM, sebb <sebbaz@gmail.com> wrote:
>>
>> > Releases are acts of the Foundation, due to our PMCs voting on them,
>> > so I don't think the release manager has any impact on this.
>>
>> I was responding to the statement in the original e-mail which said:
>>
>> "TAA defines the Country of Origin as the country where the software
>> is built--where final compilation occurs"
>>
>> However as others have pointed out, the ASF releases source, so the
>> question is largely moot.
>
>
> Moot is not exactly the right word (events have not placed the issue beyond
> the law).  Better would be "irrelevant".
>
> There is no "final compilation" with Apache source releases, therefore the
> question of where that compilation occurs is not a valid question and thus
> has no answer.
>
>



-- 
Stian Soiland-Reyes
http://orcid.org/0000-0001-9842-9718

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Mime
View raw message