www-legal-discuss mailing list archives

From Marvin Humphrey <mar...@rectangular.com>
Subject Re: PyPI MXNet
Date Tue, 12 Feb 2019 03:26:21 GMT
On Mon, Feb 11, 2019 at 12:41 PM Justin Mclean <justin@classsoftware.com> wrote:

> > Why must we spell out "don't publish unreleased code to X" once for every
> > possible downstream distribution channel?  Our project and podling
> > contributors aren't infants.
>
> Because (in most cases) they want to make release candidates, snapshots and
> nightlies available. They see projects doing that with maven and GitHub
> [1] (sigh) and assume it's ok on other platforms.  You'll note MXNet releases
> nightlies on PyPI [2]. They are marked as “pre-releases” so their intentions
> are good. Is this allowed?

That depends on whether in practice those packages are being found and
consumed by people outside the MXNet dev community.

The #publication section from Release Policy quoted earlier continues:

    During the process of developing software and preparing a release, various
    packages are made available to the development community for testing
    purposes. **Projects MUST direct outsiders towards official releases
    rather than raw source repositories, nightly builds, snapshots, release
    candidates, or any other similar packages.**  The only people who are
    supposed to know about such developer resources are individuals actively
    participating in development or following the dev list and thus aware of
    the conditions placed on unreleased materials.

We don't place constraints on where these developer-facing resources are
located.  If there's some smoke tester or build farm out there on non-ASF
servers, fine so long as only the dev community knows about it.

The policy language is a bit ambiguous on this point, but in my judgment the
dynamics of the Board are such that if you are fulfilling the spirit of the
policy, the Board will be fine with it.  You just need to be able to make the
case that while the resources in question may technically be publicly visible,
people outside the dev community are unlikely to find them.

What's not OK is to advertise such packages outside the dev community, e.g.
by linking to nightlies from your download pages, sending an email to the user
list inviting them to partake of nightlies, and so on.  Because then what
happens is that a change gets committed and users start depending on it before
someone on the PMC has a chance to object: "Hey wait I've discovered that
change breaks my app!"

As for where PyPI-specific guidance might live...

Definitely not in the formal text of Release Policy.  Our policies must be
succinct, clear, and bounded, because otherwise it is unfair to the projects
we expect to comply with them.

I suppose there could be something in the Release FAQ (which lives below the
formal policy on the same page).  But it's not reasonable to expand that out
for all the possible channels.  Rather than starting a matrix in the FAQ, I'd
argue for making an elaboration on the policy text with a limited number of
examples.

> In other cases podlings find they moved their repos too early to the ASF or
> the process takes too long and can’t make an ASF release and so feel they
> need to make unofficial releases on these platforms. [3]

That particular issue is limited to the scope of the Incubator.  It's come up
before.  I suggest asking for guidance in the Incubator's monthly Board report
if you can't resolve it.

Marvin Humphrey
