incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: How to review so-called "binary releases"?
Date Wed, 14 Nov 2018 11:08:53 GMT
On 13/11/2018 20:49, Roman Shaposhnik wrote:
> Personally, given the amount of binary releases that are distributed off of
> our very own infrastructure (and I'm not even counting our namespace
> on things like Docker hub -- I'm just talking about the INFRA we run) I don't
> think that the argument "binary releases are NOT endorsed by ASF" will
> fly very far.
> I think the best defense for us is to, perhaps, position them as UGC, but
> given the practices around existing PMC I don't think that would be easy to
> do.
> So the question really boils down to -- how much of a liability this could
> potentially be for us?

Applying the usual test of "What issues have we seen in the last 20
years?" I can't think of any that have been specific to a binary release.

Of the issues I can recall with releases since I have been involved at
the ASF (and I'm sketchy on the details because issues are few and far
between and I haven't gone looking in the archives):

1. Dependencies with inappropriate licenses. Perhaps more likely with
binary releases because they tend to ship with more dependencies but I
don't recall this ever being more than "Whoops. Tell the users. Do a new
release to fix it. Be more careful in future. Carry on." for either
binary or source releases.

2. Copyright infringement. The only instance I can recall of this was a)
related to a source release and b) invalid because the accusing party
had actually originally copied "their" source from us and removed our
license headers. If anything, I think issue is less likely with a binary

3. Download traffic. Some binaries are large and much more likely to
cause infrastructure issues if the mirror network is not used correctly.
Infra has monitoring in place to a) identify issues and b) stop them
causing outages.

So overall, the liability looks to be well within what we are already
managing. I don't see anything that concerns me. Unless I have missed


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message