On Tue, Aug 4, 2015 at 2:22 AM, Jochen Theodorou <blackd...@gmx.org> wrote: > Am 03.08.2015 21:46, schrieb David Nalley: >> >> On Mon, Aug 3, 2015 at 5:55 AM, Jochen Theodorou <blackd...@gmx.org> >> wrote: >>> >>> Hi all, >>> >>> some of the general discussion recently made me wonder about one point >>> with >>> regards to binary distributions. It was pointed out, that a binary >>> distribution of a source code release has to be handled like a release >>> itself, and that there should be no download source of it outside of >>> apache. >>> This seems to be one motivation for the asf having its own maven >>> repository. >>> >>> I seem to misunderstand something here, or why can there be apache maven >>> artifacts in maven central and package in linux distributions for for >>> example httpd, if this policy is followed? I mean it was even suggested >>> to >>> use the trademark to forbid the distribution through third parties. I am >>> quite irritated about this. >>> >>> bye blackdrag >>> >> >> I am not aware of any policy that dictates that (but would love to see >> links.) > > > yeah, next time I will do that better. Getting the stuff out of here, will > require me reading thousands of mails through that stupid web interface and > google doesn't help either. > >> I am aware that releases MUST at least be distributed via >> dist.apache.org [1], but that isn't exclusive, meaning the PMC is >> welcome to distribute _released software_ via other means (PyPy, NPM, >> Maven, Docker Registry, CPAN, Bintray, carrier pigeon, etc). >> >> --David >> [1] http://www.apache.org/dev/release.html#where-do-releases-go > > > The problem already starts with that what a release is on > http://www.apache.org/dev/release.html > > I read that as anything that goes beyond the dev-list is to be handled as > release. It does not say by whom. And there is no mentioning of the > releasing of released software, only the distribution of releases.
As you probably remember we've discussed this issue not that long time ago: http://thread.gmane.org/gmane.comp.apache.incubator.general/49852 The consensus there is that as long as you're communicating intent clearly you can let downstream developers test/develop against your development artifacts. IOW, the definition of "developers" starts including downstream developers integrating with your project. > But anyway... le tme phrase some scenarios and question: > > Let us assume httpd makes the release 2.4.10, a linux distributor takes the > source, adapts them (for example security patches), compiles packages out of > it and releases it as http://packages.ubuntu.com/vivid-updates/apache2-bin > in source and binary form. Then it means they took a release and made their > own release out of it, while using the apache name. Correct. At that point it constitutes a derived work. The Apache License is very permissive that way, but it is considered a good practice to distinguish the derived work by at leas a version ID. That is also, how all of the Hadoop ecosystem vendors are creating dervived works when they distribute Apache Hadoop as part of their products. E.g. the version string of Cloudera's Hadoop is: ASF_VERSION-CDH_VERSION. This is in line with most of the Linux packaging guidelines as well. > The point being here, for the end-user this will be > the official release, not what is found on the apache servers. Why is this > ok? Because technically it is an artifact that is a derived work. > It was also mentioned here, that for example publishing snapshot builds to > maven central is not allowed. This is where it gets tricky with our current policy. Personally I see absolutely no reason to NOT publish Maven artifacts as widely as possible provide that the version ID or name communicates the intent. It seems, however, that I'm in a minority here (although truth be told nobody has been able to communicate a convincing enough argument for why my approach may be dangerous to the foundation and/or Projects). > What would happen if a third party would do this? Is the project/apache > required to do something about this? I mean if you read this: > http://mail-archives.apache.org/mod_mbox/incubator-general/201506.mbox/%3CD1B01671.4EE90%25rvesse%40dotnetrdf.org%3E > some even see nightly builds, not communicated beyond the dev-list on > non-apache servers already as a problem. Third party is at complete liberty of doing so. Provide the artifact is marked in such a way that is can NOT be confused with an official ASF artifact (IOW it can be called a derived work). Again, this happens all the time with Hadoop vendors. Their Maven repos host -SNAPSHOTS of essentially re-built ASF projects. > Let us put that last part a step up... Let us assume someone takes one of > the released sources of one of the java projects out there, makes maven > artifacts out of it and publishes them at maven central. Is that ok? I mean > that is very near the distributor case, so it should be ok, or not? I honestly see no problem with that, again provided that the artifact can NOT be confused with the one coming from Apache project. Thanks, Roman. --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
