On 13/11/2018 20:49, Roman Shaposhnik wrote: > Personally, given the amount of binary releases that are distributed off of > our very own infrastructure (and I'm not even counting our namespace > on things like Docker hub -- I'm just talking about the INFRA we run) I don't > think that the argument "binary releases are NOT endorsed by ASF" will > fly very far. > > I think the best defense for us is to, perhaps, position them as UGC, but > given the practices around existing PMC I don't think that would be easy to > do. > > So the question really boils down to -- how much of a liability this could > potentially be for us?
Applying the usual test of "What issues have we seen in the last 20 years?" I can't think of any that have been specific to a binary release. Of the issues I can recall with releases since I have been involved at the ASF (and I'm sketchy on the details because issues are few and far between and I haven't gone looking in the archives): 1. Dependencies with inappropriate licenses. Perhaps more likely with binary releases because they tend to ship with more dependencies but I don't recall this ever being more than "Whoops. Tell the users. Do a new release to fix it. Be more careful in future. Carry on." for either binary or source releases. 2. Copyright infringement. The only instance I can recall of this was a) related to a source release and b) invalid because the accusing party had actually originally copied "their" source from us and removed our license headers. If anything, I think issue is less likely with a binary release. 3. Download traffic. Some binaries are large and much more likely to cause infrastructure issues if the mirror network is not used correctly. Infra has monitoring in place to a) identify issues and b) stop them causing outages. So overall, the liability looks to be well within what we are already managing. I don't see anything that concerns me. Unless I have missed something. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
