www-legal-discuss mailing list archives

From "Niclas Hedhman (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LEGAL-288) Can the allowed embedded build tools be expanded?
Date Sun, 23 Apr 2017 01:39:04 GMT

    [ https://issues.apache.org/jira/browse/LEGAL-288?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15980212#comment-15980212 ]

Niclas Hedhman commented on LEGAL-288:
--------------------------------------

The notion that these jars are "not open source" and must therefore not be used in the way
they are intended is a preposterous stance. It is also counter-productive to say "it is policy",
since that is a way of saying "I don't like it, and I have no strong arguments that you respect,
and I am unwilling to work towards a solution". But to continue on that "policy track", since
I know you are not susceptible to common sense, I present you the argument that these are
"tools" and as policy states "provided they have access to the appropriate platform and tools",
our release makes sure that the "appropriate tools" are readily available.

Security-sensitive downstreams know not to use these convenience tools, or binary blobs of
anything, and will build their entire toolchain from GCC anno 1988 or something, ensuring
nothing has been tampered with since. For the rest of us, these convenience tools are highly
appreciated and just as likely to contain malware as does the binary tool that I download
from a website.

Now, these jars should change incredibly seldom and when they do get updated in the source control
system, the community (I for one) should react. But to make you and paranoid people more happy,
we could even have a little job that traverses all the ASF projects and ensures that the approved
jars are used and not altered by unwanted agents.

John's point of "not enough on Windows" is some kind of misunderstanding. The whole point
of having a small Java app is to get that platform-independent download mechanism.


> Can the allowed embedded build tools be expanded?
> -------------------------------------------------
>
>                 Key: LEGAL-288
>                 URL: https://issues.apache.org/jira/browse/LEGAL-288
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: John D. Ament
>
> http://www.apache.org/legal/resolved.html#build-tools
> This section lists out some basic build tools that are allowed to be included within a release.  I would like to propose adding two tools to this list:
> - Gradle Wrapper - https://github.com/gradle/gradle
> - Maven Wrapper - https://github.com/takari/maven-wrapper
> Both tools are Apache v2 licensed.  However, to work 100% they should include an associated precompiled JAR file.  This JAR file is responsible for retrieving the associated distribution of the build tool for local use.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

