www-legal-discuss mailing list archives

From Hen <bay...@apache.org>
Subject Re: Informal review of a blog post draft on the Apache Legal Shield
Date Sun, 29 Jul 2018 05:58:56 GMT
On Fri, Jul 27, 2018 at 9:22 AM, Bertrand Delacretaz <bdelacretaz@apache.org> wrote:

> Hi Hen,
>
> On Fri, Jul 27, 2018 at 5:47 PM Hen <bayard@apache.org> wrote:
> > (Love the doc :) )
>
> Thanks for this and for your feedback!
>
> > The first section is "Acts of the Foundation" and the
> > second is "Developer Builds". I love 'Acts of the Foundation' as a title, though I
> > worry about promoting Developer Builds as a topic higher than Releases....
>
> I changed that second title to "The Rest is for Contributors", WDYT?
>

+1


> > Similar note, I think you should be stronger that the developer builds are
> > for Apache contributors to use to develop and test as a part of contributing.
> > "Please look for issues in these developer builds and submit bug reports/patches".
>
> I've made changes along those lines, in
> https://github.com/bdelacretaz/blog-drafts/commit/650ca2afd694758f438b0b1fbf3b4e38b155a2df
>
>
Thank you :)


> >
> > One concern I have is that, when finding a random file on Apache, the default
> > should not be "it's a release". ie: What we should do is have firm labelling on
> > releases just as much as firm labelling on developer builds. Within the context
> > of this blog, how about something on how to tell a particular url is an Apache
> > Release? Perhaps point to the URL structure of where we put our releases?...
>
> https://www.apache.org/legal/release-policy.html#release-distribution
> says that our PMCs can "redistribute the artifacts in accordance with
> their licensing through other channels" so I don't think URL patterns
> would work - to me the only 100% valid reference is a strong digest
> that points to the release archive but it's kinda hard to explain
> concisely. Maybe point to https://www.apache.org/info/verification ?
>

Not crucial I think. Your change above helps to set the scene that a
random-file found from apache != an apache release.


>
> > ...On this topic - is a file on Maven, NPM and PyPI an Act of the Foundation,
> > or is it something someone has personally uploaded based on the contents
> > of an Apache release?...
>
> I think those fall in the "distribution through other channels"
> category, but you'll often find a mix of release archives and
> convenience binaries in those places - which again means the only
> surefire way to identify a release is via its digest.
>

It's grey. It says "The project (or anyone else)" which is pretty accurate.

For Maven for example, the apache section is definitely an official
channel. I imagine the same is true of some other artifact repositories,
but others rely on individuals with expertise.


>
> > ...I wonder if a third topic is our position that our releases are source?...
>
> Ah yes that's a good point of course. To keep things concise I have
> just added "...if we follow our release policy [2], which defines a
> simple release approval process *for releasing source code*...", let
> me know if you have a different suggestion.
>

Sounds good to me.

Hen
