incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marvin Humphrey <>
Subject Re: Binary file inclusion (was [VOTE] Apache Toree (incubating) 0.1.0-rc4 as 0.1.0)
Date Mon, 23 Jan 2017 13:03:46 GMT
On Mon, Jan 23, 2017 at 4:35 AM, John D. Ament <> wrote:

> What I'm trying to make sure we're agreeing to is
> that the problem isn't that there is a JAR to .tar.gz file in the
> distribution.  Its that the original source is missing.

No.  Bundling jar files is not OK in general and it is definitely the
intent of the policy to exclude them.  (Source: I led the redrafting
effort for the official policy.) Among other reasons, they are
potential trojan horses, because they cannot be audited by a PMC.

We might choose to make exceptions in some edge cases, like when the
jar files are used as data for tests. That does not invalidate the

> I'm personally in favor of
> having the gradle wrapper (and maven wrapper) present since it helps build
> the code.

The gradle wrapper and similar are also not permitted. Build processes
need to bootstrap it.

This isn't a big deal in practice because most people don't care about
the security implications of consuming the convenience binary and just
use that.

Marvin Humphrey

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message