> On Jun 22, 2020, at 6:52 AM, Jarek Potiuk <jarek.pot...@polidea.com> wrote:
>
> 1) Is this acceptable to have a non-officially released image as a
> dependency in released code for the ASF project?

My understanding is that the bigger problem is the license of the dependency (and their dependencies) rather than the official/unofficial status. For Apache Yetus' test-patch functionality, we defaulted all of our plugins to off because we couldn't depend upon GPL'd binaries being available or giving the impression that they were required. By doing so, it put the onus on the user to specifically enable features that depend upon GPL'd functionality. It also pretty much nukes any idea of being user friendly. :(

> 2) If it's not - how do we determine which images are "officially
> maintained".

Keep in mind that Docker themselves brand their images as 'official' when they actually come from Docker instead of the organizations that own that particular piece of software. It just adds to the complexity.

> 3) If yes - how do we put the boundary - when image is acceptable? Are
> there any criteria we can use or constraints we can put on the
> licences/organizations releasing the images we want to make dependencies
> for released code of ours?

License means everything.

> 4) If some images are not acceptable, should we bring them in and release
> them in a community-managed registry?

For the Apache Yetus docker image, we're including everything that the project supports. *shrugs*