The reason we "only officially" support source code releases is because that is what we produce.
> On Nov 14, 2018, at 6:24 AM, Myrle Krantz <my...@apache.org> wrote:
>
> I had understood the reason that the foundation only officially supports
> source releases to be the fear of undetected malware in the release (like
> in the Ken Thompson hack).
>
> Is that correct? Are we all in agreement that the probability of that
> kind of hack is very low?
>
> I'd extend that by one step: Isn't the probability of that kind of hack
> *lower* if we compile our code ourselves, than if we ask our users to do it?
>
> Best Regards,
> Myrle
>
> On Wed, Nov 14, 2018 at 12:08 PM Mark Thomas <ma...@apache.org> wrote:
>
>> 1. Dependencies with inappropriate licenses. Perhaps more likely with
>> binary releases because they tend to ship with more dependencies but I
>> don't recall this ever being more than "Whoops. Tell the users. Do a new
>> release to fix it. Be more careful in future. Carry on." for either
>> binary or source releases.
>>
>> 2. Copyright infringement. The only instance I can recall of this was a)
>> related to a source release and b) invalid because the accusing party
>> had actually originally copied "their" source from us and removed our
>> license headers. If anything, I think this issue is less likely with a binary
>> release.
>>
>> 3. Download traffic. Some binaries are large and much more likely to
>> cause infrastructure issues if the mirror network is not used correctly.
>> Infra has monitoring in place to a) identify issues and b) stop them
>> causing outages.
>>
>> So overall, the liability looks to be well within what we are already
>> managing. I don't see anything that concerns me. Unless I have missed
>> something.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>> For additional commands, e-mail: general-h...@incubator.apache.org
>>