On Fri, Dec 9, 2016 at 8:03 AM, Jim Jagielski <j...@jagunet.com> wrote:

>
> > On Dec 9, 2016, at 12:20 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >
> > On Thu, Dec 8, 2016 at 12:16 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >
> > @VP Legal, is this worth an escalation? You didn't see fit to respond today,
> > but I think this falls under the purview of your committee, w.r.t. unapproved
> > release artifacts living at www.apache.org/dist/. Did you have any thoughts
> > or opinions one way or another?
>
> How is this different from, say, the win32 src zips or the
> complimentary binary builds?


That's an interesting question, or questions...

For starters, sources aren't binaries, but of course you knew that, as our
esteemed VP, Legal.

When ASF projects convey binaries, they convey them (purportedly) based
on the current jars/wars of the dependencies (are there other dependent
projects? SVN doesn't ship binaries, and I have no clue what OpenOffice
does. Other non-java examples are few and far between.)

These are fetched up fresh from maven or whatnot, and don't have a lot of
bearing on how non-java projects do things. AIUI, those jars don't even
supplant what is already provisioned, if those are more current, unless
the manifest demands an old rev.

The prior win32 src (before I committed that to branch, not trunk, and
didn't worry our silly heads about crlf after I wrote the apr fix script)
didn't include extra artifacts, unless you count apr-iconv. And I have
deep reservations about that call, if you've seen my comments about
what citrus might bring us and lack of maintaining that BSD iconv fork.

Thanks for the redaction on the 2.4.25-deps artifact. Frankly, I would
not have helped you push that out the door without that one concession.
And mad props to JChapmion for pushing the announce, since I didn't
have ASF smtp at the ready. So as always, it was an effort of many.

The fundamental issue with pushing -deps of, say, APR 1.5.2, is that the
following week 1.5.3 with bug fixes is released. Is the httpd
project responsible for updating -deps? Or f' ya all, download this
package... it won't hurt you... hopefully? Believe me, I went through
all that as an httpd win32 binary distributor who bundled openssl,
so I know this specific pain-point, and sense of responsibility, and
did have to ship new interim binaries when bad things were disclosed.

I hope you sort this out in your ombudsman role, because this is the
test of whether you understand ASF responsibilities, both legally,
and in the sense of our entire ecosystem, and the will of your specific
project who had a very firm position, before you undermined it.

Cheers, and a Merry Christmas!

Bill
