incubator-general mailing list archives

From Alex Harui
Subject Re: [VOTE] Release Apache FreeMarker 2.3.24-rc01 (incubating)
Date Fri, 22 Jan 2016 16:06:31 GMT

On 1/21/16, 11:52 PM, "Daniel Dekany" wrote:

>Friday, January 22, 2016, 1:08:36 AM, Justin Mclean wrote:
>> It may be (but unlikely IMO) that this applies [1]. Best to ask on
>> legal discuss to confirm.
>I have read the related ASF documents back then, and I don't understand
>how can this lead to any legal problem since:
>- These binaries were contributed directly to the project
>- Their origin is clarified in the NOTICE file.
>- As a side note, obviously, there can be images and such in a source
>  release, which are also binaries.
>But yes, I will ask this on legal if it isn't settled here pretty

IMO, this isn't a legal issue as much as a policy, convention and
usability issue.  AIUI, ASF releases should be the "raw" sources required
to implement some functionality so that
1) it is easy to examine and determine it is safe to use (no viruses or
trojans, licensing is as expected)
2) it is easy to modify files in the release and submit patches in order
to invite more community involvement and recruit new committers

A jar, even one that just compresses text files, doesn't quite fulfill
those goals, so I would take the time to alter the packaging scripts so
that the source package has a folder of the text files that went into the
jar but no jar file itself, and the build script that creates the
convenience binary packages those text files into a jar.  In fact, I did
just that when working on a recent code donation to a project that
originally contained zip files.

And that's why some binaries like GIF, PNG, JPG files are ok since they
are also the "raw" sources that invite folks to contribute patches and are
considered safe since they aren't known to contain executable code.

A nit: AIUI, the NOTICE file isn't so much about origin of individual
artifacts as it is about required notices like copyrights that have been
swapped out from their original homes in various files, and other
requirements from the licenses for bundled dependencies.  Since the jar
was apparently part of a larger software donation, the standard "Initial
Developer" line would cover all of the code in that donation and not
address the jar specifically.  Of course, this is all moot once you've
replaced the jar in the source package with the text files it contains.

Of course, I could be wrong...
