On 1/21/16, 11:52 PM, "Daniel Dekany" <ddek...@freemail.hu> wrote:
>Friday, January 22, 2016, 1:08:36 AM, Justin Mclean wrote: > >> If may be (but unlikely IMO) that this applies [1]. Best to ask on >> legal discuss to confirm. > >I have red the related ASF documents back then, and I don't understand >how can this lead to any legal problem since: >- These binaries were contributed directly to the project >- Their origin is clarified in the NOTICE file. >- As a side note, obviously, there can be images and such in a source > release, which are also binaries. > >But yes, I will ask this on legal if it isn't settled here pretty >soon. IMO, this isn't a legal issue as much as a policy, convention and usability issue. AIUI, ASF releases should be the "raw" sources required to implement some functionality so that 1) it is easy to examine and determine it is safe to use (no viruses or trojans, licensing is as expected) 2) it is easy to modify files in the release and submit patches in order to invite more community involvement and recruit new committers A jar, even one that just compresses text files, doesn't quite fulfill those goals, so I would take the time to alter the packaging scripts so that the source package has a folder of the text files that went into the jar but no jar file itself, and the build script that creates the convenience binary packages those text files into a jar. In fact, I did just that when working on a recent code donation to a project that originally contained zip files. And that's why some binaries like GIF, PNG, JPG files are ok since they are also the "raw" sources that invite folks to contribute patches and are considered safe since the aren't known to contain executable code. A nit: AIUI, the NOTICE file isn't so much about origin of individual artifacts as it is about required notices like copyrights that have been swapped out from their original homes in various files, and other requirements from the licenses for bundled dependencies. Since the jar was apparently part of a larger software donation, the standard "Initial Developer" line would cover all of the code in that donation and not address the jar specifically. Of course, this is all moot once you've replaced the jar in the source package with the text files it contains. Of course, I could be wrong... -Alex --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
