CD40: Perhaps change 'previous version' to 'released version'.

CD50: The committer is not necessarily the author; someone might read this and not understand what it implies for committers committing contributions via all of the channels allowed for by the AL. One patch would be 'immediate provenance', another would be some lengthier language about the process.

LC20: Do we need to explain what we mean by 'dependencies'? This has been a point of friction. Expand or footnote to the distinctions between essential and optional?

LC50: The footnote seems wrong; the ASF does not own copyright, rather, the author retains, and grants the license.

RE40: Do you want to add an explicit statement that legal responsibility falls upon the head of the person who happened to run the build?

QU20: Maybe we need to expand on 'secure'? Maybe this is too strong? What's wrong with building a product that is explicitly not intended for use in attack-prone environments?

QU40: Not all communities might agree. Some communities might see themselves as building fast-moving products. Some communities may lack the level of volunteer effort required to satisfy this. Does this make them immature, or just a group of volunteers with different priorities?

IN10: I fear that a more detailed definition of independence is going to be called for here to avoid controversy.