incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roman Shaposhnik <>
Subject Re: ASF hosted binaries collecting user data without an explicit opt-in
Date Tue, 06 Jun 2017 02:47:02 GMT
On Mon, Jun 5, 2017 at 7:34 PM, Julian Hyde <> wrote:
> If the binaries are built from the released source code I don’t think we should restrict
what the binaries do.

Well, but that's not how we treat licensing for example. For example
-- there's plenty of ASF project that
allow GPL licensed extension to be pulled into the build. That
mechanics is part of the source code. However,
as per our policy, we will not allow this kind of a convenience binary
(containing GPL bits) to be hosted by
ASF infrastructure.

Now, there's nothing wrong with those kinds of binaries -- and 3d
parties host them all the time -- its just that
WE at ASF decided that it wouldn't be aligned with what we do.

What I'm concerned about is that a combination of binaries hosted by
ASF and a lack of opt-in AND an unsecure
nature of the communication AND unclear data handling policies can
potential make ASF liable if this kind of
data ends up containing sensitive information and gets exploited.

IANAL, but I could see EU being especially strict here.

> The question is whether the community is aware of what the code is doing, and considers
it to be in the best interests of the project.
> The answer seems to be yes, and yes. I saw that the issue was discussed on dev@ignite[1],
and had a corresponding JIRA case[2],

As for the discussion on JIRA, I expected the podling to listen to the
advice given by one of the mentors:
but apparently that never happened.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message