Hi Tommaso,
On 07/09/15 21:00, Tommaso Teofili wrote:
Hi all,
2015-09-07 18:36 GMT+02:00 Andy Seaborne <[email protected]>:
On 07/09/15 14:32, Reto Gmür wrote:
The binaries have had the NOTICE and LICENSE files replaced in both jar
and sources.jar. These miss the necessary declarations.
I don't think anything changed here. Do you think something needs to be
changed for the release candidate to be acceptable (the vote is on the
source zip linked in the original mail)?
There are two strands of issue here. A general one about approving
binaries and a point about distributing modified Jena as binary without
its NOTICE and LICENSE files.
Approving binaries:
Binaries must correspond to a release.
The distribution mechanism for binaries is via
repository.ao/content/repositories/releases/org/apache/...
Note "releases".
Material that is published through the Apache maven repository needs some sort
of VOTE. It transfers the legal liability from the RM to the foundation for
one thing.
Surely, a "+1" ought to include checking what is produced is correct.
I think what we are meant and required to vote on is a "source release".
I agree with Roy Fielding's point on that in a previous discussion on
general@incubator [1], basically we vote and release open source code (the
source release), binaries can be seen as a "convenience artifact" in that
view.
No disagreement about what the vote is on. The only time convenience
binaries are created is in a (source) release so that is when they are
checked. A project doesn't produce binaries out of cycle.
Convenience binaries are distributed by the foundation, not an individual.
[3] [4] [5]
Removing NOTICE and LICENSE:
Clerezza is redistributing modified Jena binaries via
repository.ao/content/*releases* without the NOTICE and LICENSE from
Jena. Xerces, for example, causes material in LICENSE and some BSD code
causes material in NOTICE.
If we do redistribute modified Jena sources or binaries I think we need to
mention that in the NOTICE file, if I understand [2] correctly.
Agreed. The artifacts are a product of Clerezza and signed as part of
the Clerezza release [6], nothing to do with Jena.
No project should modify or remove the licensing without good reason and
that the new licensing is correct whether in binaries or source. That's
what NOTICE, especially, is for after all.
Andy
[3]
http://www.apache.org/dev/release.html#what-must-every-release-contain
"""
It is also necessary for the PMC to ensure that the source package is
sufficient to build any binary artifacts associated with the release.
"""
[4]
http://www.apache.org/dev/release.html#what
"""
Releases are, by definition, anything that is published beyond the group
that owns it. In our case, that means any publication outside the group
of people on the product dev list. If the general public is being
instructed to download a package, then that package has been released.
...
may only add binary/bytecode files that are the result of compiling that
version of the source code release.
"""
Let's take "compile" to really mean "build" - i.e. running maven.
[5]
http://www.apache.org/dev/release-publishing.html#voted
A vote is needed for it to become a formal offering of the ASF.
[6]
http://www.apache.org/dev/licensing-howto.html#binary
Regards,
Tommaso
Andy
http://www.apache.org/dev/release.html#what
[1] : http://markmail.org/message/yzetzkhfahrlv5um
[2] : http://www.apache.org/dev/licensing-howto.html#bundled-vs-non-bundled