www-legal-discuss mailing list archives

From "Mark Thomas (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LEGAL-288) Can the allowed embedded build tools be expanded?
Date Mon, 24 Apr 2017 08:06:04 GMT

    [ https://issues.apache.org/jira/browse/LEGAL-288?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15980830#comment-15980830 ]

Mark Thomas commented on LEGAL-288:

Addressing various points wearing my "interested member who has been around for a while" hat.

Curation of the release policy has been delegated to V.P. Legal by the Board. This is the
right place to discuss this issue.

The current set of exceptions are essentially text files of various forms with licenses that
are not compatible with ALv2. By default, ASF policy does not permit these files to be included
in the source tree. Hence the exception. The exception is granted on the basis that a)
they are necessary to build the source, b) an end user is not going to need to modify them
and c) they are used only at build time - i.e. the software produced by the build does not
depend on them at run time.

This request is different. It is not about adding non ALv2 compatible text files to the source
tree, it is about adding ALv2 licensed binaries to the source tree which in turn means the
binary turns up in the released source package. This comes up against two different issues.

1. The ASF distributes source. The source packages should contain exactly that - source code.
Not binaries.

2. The second is that we have seen technical difficulties (an over-loaded svn server) as a
result of TLPs storing binaries in svn. In the worst case, a huge Maven repository was present
that was responsible for a significant proportion of the load on the svn server. Hence Infra
frowns on TLPs putting binaries into source control.

It is also worth noting that these JARs are a convenience, not a requirement. The end user
can still download the necessary build tool themselves and with other build tools it is expected
that that is what they would need to do. There will always be dependencies that we expect
the user to obtain separately in order to build and/or run our software. Build tools are normally
in this category along with a JVM, an OS, etc.

In terms of this request, I don't think the second point will be an issue. The JARs are small
and will be downloaded as part of the source tree so I don't think Infra would have any objections.

It is really the first point that is the issue here. Having spent a few days thinking about
this, I'd like to propose the following solution:

1. Adding these JARs and associated files to source control is permitted.
2. The JARs and associated files are excluded when assembling the source distribution.
3. The build documentation makes clear that when building from a checkout the JAR and associated
files are provided but when using the source tarball, the build tool must be downloaded.

This solution:
- provides the convenience of the wrapper to (what I assume is) the majority of users that
want to build from a source checkout
- security conscious users that build from a source distribution will need to obtain the necessary
build tool (which they would want to do anyway via some secure channel)
- it doesn't help the (what I assume is) small minority of users that builds from a source
distribution and is not overly concerned about security
- meets the ASF principle of distributing source, not binaries

> Can the allowed embedded build tools be expanded?
> -------------------------------------------------
>                 Key: LEGAL-288
>                 URL: https://issues.apache.org/jira/browse/LEGAL-288
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: John D. Ament
> http://www.apache.org/legal/resolved.html#build-tools
> This section lists out some basic build tools that are allowed to be included within
> a release.  I would like to propose adding two tools to this list:
> - Gradle Wrapper - https://github.com/gradle/gradle
> - Maven Wrapper - https://github.com/takari/maven-wrapper
> Both tools are Apache v2 licensed.  However, to work 100% they should include an associated
> precompiled JAR file.  This JAR file is responsible for retrieving the associated distribution
> of the build tool for local use.
