www-legal-discuss mailing list archives

From "Marvin Humphrey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LEGAL-288) Can the allowed embedded build tools be expanded?
Date Thu, 26 Jan 2017 02:51:26 GMT

    [ https://issues.apache.org/jira/browse/LEGAL-288?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15839084#comment-15839084

Marvin Humphrey commented on LEGAL-288:

Even when jar files are derived from open source, they are not themselves open source.  They
are opaque blobs which result from processing source with an unknown build environment.  They
are potential trojan horses.  They cannot be audited by a PMC, and contributors cannot reasonably
be held accountable for their content.  Their inclusion complicates the task of security-conscious
downstream consumers, who must detect and replace them.

We believe in the value of "open source software" in part because transparency is a superior
means of addressing security, reliability ("given enough eyeballs, all bugs are shallow"),
and many other problems.  It is not necessary or wise to blow a hole in our dedication to
open source for the sake of these two build tools.  Projects are welcome to use them -- they
just need to bootstrap the build a different way.  The availability of "convenience binaries"
and other packages built by third parties makes build-wrapper caching a moot issue for many
downstream users anyway.

The preference for source form over object form is not a [licensing issue|http://www.apache.org/legal/resolved],
it is a policy issue which emerges from core philosophical principles on which the organization
was founded.  What's most important is to understand the principles, but for the record the
relevant policy clause is in our [Release Policy|http://www.apache.org/legal/release-policy]:

The Apache Software Foundation produces open source software. All releases are
in the form of the source materials needed to make changes to the software
being released.

> Can the allowed embedded build tools be expanded?
> -------------------------------------------------
>                 Key: LEGAL-288
>                 URL: https://issues.apache.org/jira/browse/LEGAL-288
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: John D. Ament
> http://www.apache.org/legal/resolved.html#build-tools
> This section lists out some basic build tools that are allowed to be included within
> a release.  I would like to propose adding two tools to this list:
> - Gradle Wrapper - https://github.com/gradle/gradle
> - Maven Wrapper - https://github.com/takari/maven-wrapper
> Both tools are Apache v2 licensed.  However, to work 100% they should include an associated
> precompiled JAR file.  This JAR file is responsible for retrieving the associated distribution
> of the build tool for local use.
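The comment above notes that security-conscious downstream consumers have to detect and replace embedded jars such as the wrapper jars proposed here. As an added example (not part of this thread, and not ASF or Gradle/Maven tooling), the audit below flags archive-like files in an unpacked source release by suffix and by ZIP magic bytes, reports a SHA-256 for each, and lets the caller allow-list digests that match a checksum published by the tool's upstream; the release tree it scans is constructed inline, and all file names in it are assumptions.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")   # ZIP local-file header / empty-archive EOCD
BINARY_SUFFIXES = {".jar", ".class", ".war", ".zip"}

def classify(path: Path) -> list:
    reasons = []                               # why the file looks like a compiled archive
    if path.suffix.lower() in BINARY_SUFFIXES:
        reasons.append("suffix " + path.suffix.lower())
    with path.open("rb") as f:                 # content check catches renamed jars
        if f.read(4) in ZIP_MAGICS:
            reasons.append("zip magic")
    return reasons

def find_embedded_binaries(root, allowed_sha256=frozenset()):
    """(relative_path, sha256, reason) per archive-like file whose digest is not allow-listed."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = classify(path)
        if not reasons:
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if digest not in allowed_sha256:       # allow-list: checksums published upstream
            findings.append((path.relative_to(root).as_posix(), digest, ", ".join(reasons)))
    return findings

# Constructed sample tree (not a real release): a text file, a wrapper-style jar, and a jar hidden behind .bin
SAMPLE_ARCHIVES = {"gradle/wrapper/gradle-wrapper.jar": "org/gradle/wrapper/Stub.class",
                   "lib/helper.bin": "org/example/Hidden.class"}

def build_sample_release(base) -> Path:
    base = Path(base)
    for sub in ("gradle/wrapper", "lib"):
        (base / sub).mkdir(parents=True)
    (base / "gradle/wrapper/gradle-wrapper.properties").write_text("distributionUrl=https://example.invalid/g.zip\n")
    for rel, entry in SAMPLE_ARCHIVES.items():
        with zipfile.ZipFile(base / rel, "w") as z:
            z.writestr(entry, b"\xca\xfe\xba\xbe")   # class-file magic is enough for the demo
    return base

def demo():
    # audit the sample tree unrestricted, then with the wrapper jar's digest allow-listed
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_release(tmp)
        findings = find_embedded_binaries(root)
        wrapper_digest = next(d for p, d, _ in findings if p.endswith("gradle-wrapper.jar"))
        remaining = find_embedded_binaries(root, {wrapper_digest})
    return findings, remaining
```

The text properties file is not reported, the jar is caught both by suffix and by content, and the renamed archive is caught by content alone, which is the case an extension-only scan misses.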

This message was sent by Atlassian JIRA
