www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andy Seaborne <a...@apache.org>
Subject Convenience binaries [Was: Country of Origin of various ASF projects]
Date Mon, 31 Oct 2016 10:41:23 GMT
I am trying to understand the implications of all this for convenience 
binaries for a project that uses the excellent Apache HttpClient as a 
dependency but has no crypto software itself.

The project produces convenience binaries: zip file including all 
dependencies and combined shaded uber jars which includes all 
dependencies.  The project also uses maven for distribution of built 

The source-release does not include HttpClient so there is nothing to do 
for the formal release product.

There are 3 channels for the binaries where ASF is first point at which 
the binaries are accessible.

archive.a.o, repository.a.o/snapshots and repository.a.o/releases.

(To me, it looks like the maven repo as publication channel is no 
different from archive.a.o, except that "snapshots" get published there 
and while primarily for the developers, they are publicly accessible.)


A/ The project should register the binaries.

B/ The project should not point to the git repo (no crpyto there).

C/ All 3 channels (archive.a.o and 2 maven repos) are ControlledSource.


C/ The README in the source-release does not include a crypto notice.

D/ The binaries (zip and combined jar maven artifacts) include a README 
with a crypto notice.


On 19/10/16 11:18, Stian Soiland-Reyes wrote:
> The ASF only consider the source release the atomic Release (tm) -
> which certainly is what should be used by downstream consumers who
> need to check Country of Origin or in other ways want to be sure of
> what exact code they are using.
> However our binary "convenience" artifacts (e.g. the JARs in Maven
> Central which Java developers generally use as-is) are also
> distributed by ASF as an organization, promoted and hosted by us (via
> our mirrors) - so I don't think we can argue them to be irrelevant.
> So I think the answer is that "convenience binaries" are built by the
> individual release managers (varies per release), which would live in
> different locations (possibly temporarily reside in a different
> location at the time of preparing a release), and which may be using
> build infrastructure in a third location (in particular building Maven
> projects would commonly rely on Maven Central and artifacts that
> themselves have mixed origin) - and as such it is difficult to define
> a single Country of Origin for binary releases.  Consumers who need to
> consider Country of Origin should only use the the source releases,
> verified by their PGP signatures, and build it on their own
> infrastructure.
> Refs:
> http://www.apache.org/dev/release#owned-controlled-hardware
> http://www.apache.org/dev/release#what
> https://www.apache.org/dev/release-distribution.html

To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message