On 3/24/19, 9:27 AM, "Boris Kolpackov" <bo...@codesynthesis.com> wrote:

> I used GitHub as an example. I am happy with any similar service (e.g., 
> GitLab).

I think most/all of them have similar terms. I get their perspective, it's 
free, so they have to protect themselves, but I can't afford indemnification 
insurance.

> Well, my motivation for forking would be to continue maintaining the
> project for general use but with less "friction".

It may be useful to unpack that a bit. Practically speaking, the security 
process and the web site have been the main sources of friction for me, and I 
think the latter is definitely a choice. We could simply accept that it's not 
viable and shut it down in favor of a simple wiki page with the download links, 
etc.

Apache's security process is definitely a source of problems for me, it demands 
too much effort and is one of the reasons I tend to look for reasons not to do 
them. I don't believe in doing the work of downstream packagers as a 
precondition for doing fixes, and their process leans too far in that 
direction. So that would be a win, certainly.
> I also think you are over-burdening yourself with responsibility:
> yes, security issues are bad news but in the end the license clearly
> states that things come as-is and without any warranty.

I definitely have a different perspective on that. I don't think the code 
should be in the open and under an Apache banner if that's the level of support 
it has. I think the ASF would rightly view that as a justification for 
terminating the active project. It's important that projects not receiving 
active maintenance be documented that way. If that applies to specific parts of 
the code base, then that's also a useful qualifier.

I just believe in transparency so everybody knows the situation.

> We have a product (CodeSynthesis XSD) that depends on it so we are
> planning to use and maintain it going forward. At the same time we
> view it as a mature (if not legacy) codebase so we have no plans to
> add any new features, etc. I am, however, not sure whether Apache is
> interested in a project like this.

They don't handle it especially well culturally, but I think they are correct 
in recognizing that just because it's in maintenance mode doesn't mean bug 
reports, and especially security reports, should get ignored, whether due to 
resources or simple lack of ability to fix the code due to unfamiliarity.

-- Scott