incubator-general mailing list archives

From Roman Shaposhnik <>
Subject Re: ASF hosted binaries collecting user data without an explicit opt-in
Date Fri, 09 Jun 2017 04:13:19 GMT
On Thu, Jun 8, 2017 at 12:43 AM, Bertrand Delacretaz
<> wrote:
> On Wed, Jun 7, 2017 at 5:32 PM, Sean Busbey <> wrote:
>> ...Who owns release policy? I presume it's VP Legal, which would suggest legal-discuss...
> I don't think our release policy is relevant here.

Actually, that's what I'm trying to figure out. My initial thought around why
release policy was relevant here was that THE ONLY reason we reacted
the way we did is because there was a piece of software associated with
ASF in two ways:
   1. branding
   2. distribution off of ASF infrastructure

It sounds like you're saying that #1 is actually more important than #2. I may
buy that, but let me ask you a hypothetical first. Suppose releases of Ignite
were only done as source tarballs. Suppose also that the company called
GridGain built it and made the binary available off of their website with
the binary (and associated branding) saying Apache Ignite.

Would we still have a problem if that binary did what Ignite's binary did?

> The issue is a project releasing software that a) collects user data
> without an explicit opt-in, and b) apparently does that in an insecure
> way.

I'm not concerned about b -- so let's cut it out of the discussion.

> a) is a privacy violation - we have
> for that, I
> suggest that we simply expand it with a "collecting user data"
> section. As Shane mentions
> is related.

Well, but what does that policy apply to? A source release? A binary
release? A binary release off of ASF infrastructure?

Please be specific.

