Hi,

> Well, I can only speak for myself, but I have learned over the years that,
> while we can't say "Community over Policy" since policy is important,
> community is still more important than trying to nail every last detail of
> the licensing.

If we start making releases that don’t conform to policy we may attract board 
attention and we really don’t want that.

>  For sure, early on, I thought we had to nail every last
> detail, but senior Apache members have advised us that we can use "trust"
> and "intent" in approving releases.

They have also advised that policy must be followed and issues need to be fixed 
when they are brought up.

> Because if we do make a mistake in the details, it isn't the end of the 
> world, we can fix it in
> the next release

Or the next RC if needed. Most of these issues are very easily fixed and where 
there is some doubt on what to do they can be “fixed” so that at worst it’s a 
documentation error rather than a licensing error.

>  it would be great if you could share your processes with us and the ASF in 
> general.

I’ve shared several times my process for reviewing releases, there’s nothing 
special there. Mostly an understanding of policy and knowing what to look for 
and a few simple searches of the code. I have submitted a talk to ApacheCon on 
this subject and if accepted will share here after the event.

> Another way to look at it is that if the ASF truly cared about nailing
> every last detail, the policy would be that you could use a licensing
> issue to veto a release.

You can’t veto a release but it is common for PMC members to vote -1 on a 
release that contains:
- security software without an export license
- binaries
- bundled or dependencies on category X licensed software
- category B code in source
- licensing errors

Fix in the next release is generally:
- documentation errors in license/notice
- missing headers

The incubator is a little more lenient to projects starting out and the answer 
is always going to be "it depends"; some licensing errors are more serious than 
others.

It is for example possible to get VP legal to give you permission to release 
something with GPL licensed software in it.

> And thus, we don't have to look too hard, especially at third-party bundles.

IMO we need to look a little harder when we bundle 3rd party stuff as it's easier 
to make mistakes. But the issues we currently have are due to what we have done 
not what 3rd parties have done.

Thanks,
Justin
