www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Austin, Richard (Fort Collins)" <richard.aus...@hpe.com>
Subject RE: Country of Origin of various ASF projects
Date Wed, 19 Oct 2016 22:46:16 GMT
Many thanks to all of you who have responded to my question--you have been prompt and unambiguous.
 :)  Your answers are much appreciated!

Regards,
 Richard Austin
 Software Development Engineer
 Hewlett Packard Enterprise



-----Original Message-----
From: Stian Soiland-Reyes [mailto:stain@apache.org] 
Sent: Wednesday, October 19, 2016 04:19
To: legal-discuss@apache.org
Subject: Re: Country of Origin of various ASF projects

The ASF only consider the source release the atomic Release (tm) - which certainly is what
should be used by downstream consumers who need to check Country of Origin or in other ways
want to be sure of what exact code they are using.

However our binary "convenience" artifacts (e.g. the JARs in Maven Central which Java developers
generally use as-is) are also distributed by ASF as an organization, promoted and hosted by
us (via our mirrors) - so I don't think we can argue them to be irrelevant.

So I think the answer is that "convenience binaries" are built by the individual release managers
(varies per release), which would live in different locations (possibly temporarily reside
in a different location at the time of preparing a release), and which may be using build
infrastructure in a third location (in particular building Maven projects would commonly rely
on Maven Central and artifacts that themselves have mixed origin) - and as such it is difficult
to define a single Country of Origin for binary releases.  Consumers who need to consider
Country of Origin should only use the the source releases, verified by their PGP signatures,
and build it on their own infrastructure.


Refs:

http://www.apache.org/dev/release#owned-controlled-hardware
http://www.apache.org/dev/release#what
https://www.apache.org/dev/release-distribution.html

On 19 October 2016 at 01:53, Ted Dunning <ted.dunning@gmail.com> wrote:
>
> On Tue, Oct 18, 2016 at 2:30 PM, sebb <sebbaz@gmail.com> wrote:
>>
>> > Releases are acts of the Foundation, due to our PMCs voting on 
>> > them, so I don't think the release manager has any impact on this.
>>
>> I was responding to the statement in the original e-mail which said:
>>
>> "TAA defines the Country of Origin as the country where the software 
>> is built--where final compilation occurs"
>>
>> However as others have pointed out, the ASF releases source, so the 
>> question is largely moot.
>
>
> Moot is not exactly the right word (events have not placed the issue 
> beyond the law).  Better would be "irrelevant".
>
> There is no "final compilation" with Apache source releases, therefore 
> the question of where that compilation occurs is not a valid question 
> and thus has no answer.
>
>



--
Stian Soiland-Reyes
http://orcid.org/0000-0001-9842-9718

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

Mime
View raw message