incubator-general mailing list archives

From Marvin Humphrey <mar...@rectangular.com>
Subject Re: Binary file inclusion (was [VOTE] Apache Toree (incubating) 0.1.0-rc4 as 0.1.0)
Date Mon, 23 Jan 2017 13:03:46 GMT
On Mon, Jan 23, 2017 at 4:35 AM, John D. Ament <johndament@apache.org> wrote:

> What I'm trying to make sure we're agreeing to is
> that the problem isn't that there is a JAR to .tar.gz file in the
> distribution.  It's that the original source is missing.

No.  Bundling jar files is not OK in general and it is definitely the
intent of the policy to exclude them.  (Source: I led the redrafting
effort for the official policy.) Among other reasons, they are
potential trojan horses, because they cannot be audited by a PMC.

We might choose to make exceptions in some edge cases, like when the
jar files are used as data for tests. That does not invalidate the
policy.

> I'm personally in favor of
> having the gradle wrapper (and maven wrapper) present since it helps build
> the code.

The gradle wrapper and similar are also not permitted. Build processes
need to bootstrap it.

This isn't a big deal in practice because most people don't care about
the security implications of consuming the convenience binary and just
use that.

Marvin Humphrey
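The point Marvin makes is that a source release containing jar files (including the gradle or maven wrapper jar) cannot be audited by the PMC from the source alone. As an added example that is not part of this thread or of any Apache tooling, the script below implements the kind of pre-vote check a reviewer could run over a gzip-compressed source tarball: it lists archive entries whose names indicate compiled or packaged binaries and fails when any are present. The extension list, the function names and the archive layout are my own assumptions; it relies only on POSIX sh, tar and grep.

```shell
#!/bin/sh
# Added example (not from the original thread): flag archive entries that look
# like compiled or packaged binaries, which a PMC cannot audit as source.
# Assumes a .tar.gz source release and standard POSIX tools (tar, grep).

# Print entries of a .tar.gz whose names suggest a binary artifact.
# gradle-wrapper.jar and maven-wrapper.jar are caught by the .jar suffix.
# The extension list is an assumption; extend it for the project's ecosystem.
# Usage: find_bundled_binaries release-src.tar.gz
find_bundled_binaries() {
    archive="$1"
    tar -tzf "$archive" | grep -E -i \
        '\.(jar|war|ear|class|so|dll|dylib|exe|o)$' \
        || true   # no match is not an error here
}

# Return non-zero when the archive contains any such entry, so the function
# can gate a release-vote checklist. Findings go to stderr.
check_source_release() {
    archive="$1"
    hits=$(find_bundled_binaries "$archive")
    if [ -n "$hits" ]; then
        echo "Binary artifacts found in $archive:" >&2
        echo "$hits" >&2
        return 1
    fi
    echo "No bundled binaries found in $archive"
    return 0
}

# Stand-alone use: ./check-release.sh apache-foo-1.0-incubating-src.tar.gz
if [ "$#" -gt 0 ]; then
    check_source_release "$1"
fi
```

This is a name-based first pass only: it catches the common case of a checked-in jar or wrapper jar, but a binary stored under an innocuous name would need content inspection (for example `file(1)` over the extracted tree) to surface, and a hit still needs a human to decide whether a test-data exception applies.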

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

