incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul King <>
Subject Re: Binary file inclusion (was [VOTE] Apache Toree (incubating) 0.1.0-rc4 as 0.1.0)
Date Tue, 24 Jan 2017 05:48:36 GMT
Just FYI, Groovy had numerous such "test" jars and wrapper files and
such initially. It turned out to only be a couple of hours work to
remove them and build them on the fly within the build files. While I
certainly see both sides of the argument about whether some
"binary-like" artifacts might be considered as special and okay to
include, I actually think what we ended up with does make it clearer
exactly what is going on.

Cheers, Paul.

On Tue, Jan 24, 2017 at 3:51 AM, John D. Ament <> wrote:
> On Mon, Jan 23, 2017 at 8:04 AM Marvin Humphrey <>
> wrote:
>> On Mon, Jan 23, 2017 at 4:35 AM, John D. Ament <>
>> wrote:
>> > What I'm trying to make sure we're agreeing to is
>> > that the problem isn't that there is a JAR to .tar.gz file in the
>> > distribution.  Its that the original source is missing.
>> No.  Bundling jar files is not OK in general and it is definitely the
>> intent of the policy to exclude them.  (Source: I led the redrafting
>> effort for the official policy.) Among other reasons, they are
>> potential trojan horses, because they cannot be audited by a PMC.
>> We might choose to make exceptions in some edge cases, like when the
>> jar files are used as data for tests. That does not invalidate the
>> policy.
> I'm thinking then we need to explicitly call this out.  Perhaps we need to
> add a section next to
> that
> says "What must each release archive explicitly not contain" and list out
> what's being called out.  By only saying what it must contain, we don't say
> what is not allowed.
> Sorry if my thick headedness is getting frustrating, as it seems like there
> is a big gap between what expectations are and what's actually written
> down.  My goal is simply to get written down what the true expectations are.
>> > I'm personally in favor of
>> > having the gradle wrapper (and maven wrapper) present since it helps
>> build
>> > the code.
>> The gradle wrapper and similar are also not permitted. Build processes
>> need to bootstrap it.
> I would like to understand why, from a legal standpoint, these are not
> allowed.
>> This isn't a big deal in practice because most people don't care about
>> the security implications of consuming the convenience binary and just
>> use that.
>> Marvin Humphrey
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message