On Mon, Oct 13, 2014 at 7:14 AM, Julian Hyde <julianh...@gmail.com> wrote:
> It seems to me that each of those jars is a de facto binary release.

Definitely not. An official release by the Apache Software Foundation consists of source code which has been audited by a PMC. Of course it is not possible to audit an entire codebase at each release point, but we achieve that effective result through PMC monitoring of a "commits" list: if the last release was fully reviewed, each delta since then has also been reviewed, and we can demonstrate that the difference between the two releases is the sum of those deltas, then the current release has been reviewed.

Binaries combine that carefully audited source code with an opaque build machine, and the result is not auditable.

Releasing source is an "act of the foundation". A binary package is an act of the individual who prepared it. The Foundation was not set up to take on the liability associated with binary releases:

http://s.apache.org/roy-binary-deps-3

How is that different from any of our other projects? End users don't compile Java. Hell, most developers don't compile Java. We distribute plenty of binaries. We just don't call them SOURCE. The source is what we review. The source is what we bless. If anyone wants to go further than that, they are free to do so as long as they don't call the result an Apache release. It is a binary package, a user convenience, a download hosted by openoffice.org. I don't care. People have to understand this.

There will always be a role for downstream commercial or non-commercial redistributions of Apache products. Why? Because the ASF is incapable of taking on the enormous liability associated with released binaries that are not produced in a controlled environment with a controlled set of tools. Changing policy to make binary releases official acts by the foundation would require us to account for those liability issues -- a daunting undertaking.

Marvin Humphrey