incubator-general mailing list archives

From Alex Harui <>
Subject Re: Convenience Binary Policy
Date Tue, 21 Oct 2014 04:34:46 GMT

On 10/20/14, 5:54 PM, "Ted Dunning" <> wrote:

>Why not just roll your own installer that has these additional options?
>Then this is the Acme Software Foundation installer and you can do what

I suppose we could, but it wouldn’t be easily found by folks who arrive at
flex.a.o looking for FlexJS.  They’ll probably end up using the current
Installer and getting an error.

I guess you are saying that there is no quick fix of a convenience binary.
I guess I’ve been reading things like Marvin/Roy in this thread [1] that
say that a binary package isn’t official, which made me think we had more
flexibility.  Here’s the quote from Marvin quoting Roy:

    An official release by the Apache Software Foundation
    consists of source code which has been audited by a PMC.
    Of course it is not possible to audit an entire codebase
    at each release point, but we achieve that effective result
    through PMC monitoring of a "commits" list: if the last
    release was fully reviewed, each delta since then has also
    been reviewed, and we can demonstrate that the difference
    between the two releases is the sum of those deltas, then
    the current release has been reviewed.

    Binaries combine that carefully audited source code with
    an opaque build machine, and the result is not auditable.
    Releasing source is an "act of the foundation".  A binary
    package is an act of the individual who prepared it.

    The Foundation was not set up to take on the liability
    associated with binary releases:

        How is that different from any of our other projects?
        End users don't compile Java.  Hell, most developers
        don't compile Java.   We distribute plenty of binaries.
        We just don't call them SOURCE.  The source is what we
        review.  The source is what we bless.  If anyone
        wants to go further than that, they are free to do so
        as long as they don't call the result an Apache release.
        It is a binary package, a user convenience, a download
        hosted by  I don't care.

And this from Bertrand [2]

    To clarify, the ASF only releases source code - votes on
    releases are not "more" about source, they are *only*
    about source.

What is the piece I’m missing that says we have to vote to update the
binary package?



