> Our intention is to specifically use this platform to deliver the Xerces-C++
> 3.1.2 NuGet package that we have put together so that users of DNV GL -
> Energy software products can have access to it in a public and easily
> accessible repository. We would clearly indicate that the package has been
> put together with this specific goal in mind, and it is for this target
> audience that we would, indeed, be maintaining it.

Then I don't think anybody would have any objections (and even if they did, the 
license permits you to, so apart from courtesy (thanks), there's really nothing 
stopping you).

What I would caution you about is simply the security model around this. If 
somebody were to ask me to obtain a package like this from a source that I had 
no reason to trust, I would tell them they were crazy. To draw an analogy, 
people who use Maven Central as a source for artifacts but don't constrain the 
signers of the software they get from it are, well, let's say "ignorant of 
basic security practice".

Without authentication of the source of an artifact (not just authentication of 
an artifact, and that assumes you are in fact signing and people are in fact 
verifying that), you have no way to know what somebody might have done to the 
source.

But none of that really pertains to whether you *may* do this: you certainly 
may.

-- Scott
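
Added example, not part of the original message or of the Xerces project: one way a consumer of a NuGet package can constrain its signers, as the reply above recommends, is a nuget.config that requires signatures and lists the only signing certificate it accepts. This assumes the packager author-signs the package; the signer name and the fingerprint are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
    <!-- The default mode is "accept", which still installs unsigned packages.
         "require" rejects any package that is not signed by a certificate
         listed under trustedSigners below. -->
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <!-- "ExamplePackager" is a hypothetical label chosen by the consumer.
         The fingerprint is a placeholder for the SHA-256 fingerprint of the
         packager's signing certificate. -->
    <author name="ExamplePackager">
      <certificate fingerprint="REPLACE_WITH_SHA256_FINGERPRINT_OF_SIGNING_CERT"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>
```

The fingerprint has to reach the consumer through a channel other than the repository that serves the package, otherwise the pin authenticates nothing beyond the repository itself.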

