www-legal-discuss mailing list archives

From Alex Harui <aha...@adobe.com.INVALID>
Subject Re: LICENSE and NOTICE file content
Date Tue, 26 Jun 2018 17:28:12 GMT


From: Jan Lahoda <lahoda@gmail.com>
Reply-To: "legal-discuss@apache.org" <legal-discuss@apache.org>
Date: Tuesday, June 26, 2018 at 1:44 AM
To: "legal-discuss@apache.org" <legal-discuss@apache.org>
Subject: Re: LICENSE and NOTICE file content

(As the NetBeans has (among others) a library for reading classfiles, I guess this discussion
also relates to it, and I'd like to share some of my thoughts.)

On Tue, Jun 26, 2018 at 7:15 AM, Alex Harui <aharui@adobe.com.invalid<mailto:aharui@adobe.com.invalid>>
wrote:
code unless there is some way to solve the “security/safety” goal.  Maybe it is good enough
to give the file a different suffix so it appears as a non-executable file.  But I would probably
just have the tool’s source package build script download the convenience binary of the
upstream test source package.

That is extra overhead for sure, but I don’t think that is ‘impractical’.  And I still
wouldn’t hold up any release for this kind of issue.  Incrementally make improvements in
subsequent releases.  Create a test-data source release.  Then adjust the main source package
to download the test jar.

I may be too pessimistic, but in my experience when creating a test is more complicated, the
probability of having a test decreases. And not having a test feels like a sub-optimal software
engineering practice.
FTR, I think there are multiple variants to avoid having classfiles in the repository, like
maybe using jcod (not sure if that's OK or not); at the same time, I think having an approach
that does not discourage proper engineering practices has benefits.

Lots of things in ASF open source are “more complicated”.  As you noted, it takes at least
3 days to make a release.  You can’t just turn to a colleague, make a major decision and
implement it. Do these things discourage proper engineering practices?  Maybe, but they
exist to help ensure the “sharing” and “safety”, and as you also mention, there are
probably variants, or creative ways to not sacrifice integrity of your software.  Hopefully
you have a team of folks reviewing commits that would catch that a test is missing or use
a tool to check that sufficient tests exist.  If a bug were found in the test source package,
you could put both packages up for vote at the same time.

What doesn’t seem right to me is that you can ship a binary without any way to recreate
that binary from sources in a way sufficient enough to make it useful to others.  That doesn’t
seem “open” or “source” to me.

My 2 cents,
-Alex