Personally, given the number of binary releases that are distributed off of our very own infrastructure (and I'm not even counting our namespace on things like Docker Hub -- I'm just talking about the INFRA we run), I don't think that the argument "binary releases are NOT endorsed by ASF" will fly very far.

I think the best defense for us is to, perhaps, position them as UGC, but given the practices around existing PMCs I don't think that would be easy to do. So the question really boils down to -- how much of a liability could this potentially be for us?

Thanks,
Roman.

On Tue, Nov 6, 2018 at 4:55 PM Daniel Shahaf <d...@daniel.shahaf.name> wrote:
>
> CC += legal-discuss@ since this really isn't an incubator-specific topic any more. The context is precompiled binary artifacts on https://www.apache.org/dist/.
>
> David Nalley wrote on Tue, Nov 06, 2018 at 17:06:50 -0500:
> > So let's assume a PMC (or PPMC) goes through the same process with binaries in terms of reviewing, voting on, promoting, and publishing to the world a binary release on behalf of the PMC and Foundation. Binaries are published to the same location that source tarballs are - are featured on download pages provided by the ASF. Perhaps even with the situation being that people download the binary artifacts from ASF resources tens of thousands, or maybe even millions of times more frequently than the source tarballs.
> >
> > From that scenario I have some questions:
> >
> > 1. Would a reasonable person (or jury) suspend disbelief long enough to consider our protestations that our 'releases' are source only, and that as a Foundation we didn't release, propagate, promote, or distribute the binaries in question? A rose by any other name.....
> > 2. Should the Board be taking an active interest in projects (release managers?) who promote and publish their binaries in this manner on our hardware?
> > 3. Is lack of Board action tantamount to tacit approval of this behavior? Can we really claim ignorance?
> > 4. Should Infrastructure be actively monitoring and removing binaries which find their way to dist.a.o/archive.a.o - especially since our header for dist.a.o says that the directories contain releases of Apache software?
> > 5. Should we be alerting individual release managers that publishing convenience binaries exposes them individually to liability?
> > 6. What alternative can we offer to projects that want to distribute binaries?
>
> Can the RM upload precompiled binaries to his https://home.a.o/~availid/ space? Can the project's download page link to them as the primary/canonical/recommended binaries? Can the project's download page link to the RM's binaries as one alternative among many (compare https://subversion.apache.org/packages#windows)?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
>