LC50: I think the LC50 is actually correct but could perhaps be phrased better
My understanding was that the ASF owns the copyright for the collective work of the project, i.e. releases. As Benson notes, contributors retain copyright on their contributions but grant the ASF a perpetual license to their contributions.

QU30: Agreed, some projects may not do anything that is attack prone or are likely only to be run such that any "security" is provided by whatever runtime they use, and the security of that runtime is well beyond the purview of the project.

Consensus building: Should there be a CS60 about the rare need for private discussions?

CS60: In rare situations (typically security, brand enforcement, legal and personnel discussions) the project may need to first reach consensus in private, in which case the project should use their official private communications channel such that these rare private discussions are privately archived. The outcomes of such consensus should, where possible, be discussed in public as soon as it is appropriate to do so.

That isn't great wording but hopefully you get what I am trying to convey - projects should rarely discuss in private and any discussions should become public as soon as it is possible to do so.

Rob

On 14/01/2015 15:33, "Benson Margulies" <bimargul...@gmail.com> wrote:

> CD40: perhaps change 'previous version' to 'released version'
>
> CD50: the committer is not necessarily the author; someone might read
> this and not understand what it implies for committers committing
> contributions via all of the channels allowed for by the AL. One patch
> would be 'immediate provenance', another would be some lengthier
> language about the process.
>
> LC20: do we need to explain what we mean by 'dependencies'? This has
> been a point of friction. Expand or footnote to the distinctions
> between essential and optional?
>
> LC50: the footnote seems wrong; the ASF does not own copyright,
> rather, the author retains, and grants the license.
>
> RE40: do you want to add an explicit statement that legal
> responsibility falls upon the head of the person who happened to run
> the build?
>
> QU20: Maybe we need to expand on 'secure'? Maybe this is too strong?
> What's wrong with building a product that is explicitly not intended
> for use in attack-prone environments.
>
> QU40: Not all communities might agree. Some communities might see
> themselves as building fast-moving products. Some communities may lack
> the level of volunteer effort required to satisfy this. Does this make
> them immature, or just a group of volunteers with different
> priorities?
>
> IN10: I fear that a more detailed definition of independence is going
> to be called for here to avoid controversy.