On Tue, Apr 3, 2012 at 3:23 PM, Dennis E. Hamilton <[email protected]>wrote:
> There's something that nags at me about logos and similar materials being > part of the source-code release (that, I am told, is *the* release in terms > of Apache principles). > > It is natural to have such artifacts in the SVN tree because it is > convenient and it probably feels essential to have the released source-code > be the precise source for the project-created binary distributions. > > On the other hand, while it is desirable for folks to be able to reproduce > our build, and have access to the source that was used, that they would end > up having something that can be claimed to be the authentic project-created > binary distribution. Yet it will appear indistinguishable from it. > > If the MD5's match, who cares where it was built? If the MD5's do not match then they are distinguishable. (For MD5's you could substitute code signing for a more end-user friendly form of the same thing.) > There is this odd hitch when binaries are built by someone else, even > without modification, but without preservation of provenance and > authenticity. Yet they are not distinguished from "the real thing." > > Ditto. If the hashes match, then it is the "real thing", for all intents and purposes. > There is also the problem that, when someone modifies the source and the > build, that the default is for the resulting binary to be > indistinguishable, in terms of surface features and the presence of > identifying information, from the project-created binary distribution. > > Ditto. In that case the hashes don't match so it would be distinguishable. > I'm also not clear that logos and related artifacts qualify as open-source > concerning the trademark issues. > > I don't know how to crack that strange entanglement. > > Look at what Mozilla does, for example. The default build options do not include the project logos. > I can see it working if it were considered that even our binary releases > are downstream from the Apache release and have some essential > customizations including being digitally signed and authenticated in other > ways. Then placeholders could appear in the released source for > binary-distribution items (some other content being provided instead) that > are to be provided/customized by any downstream producer, even ourselves. > > And then I can't figure out how the binary can be tied to the exact source > it was produced from. > > That is not really the issue, is it? The issue is how a user can distinguish an Apache release from something that is not an Apache release. The PMC is responsible for ensuring that the binary package was derived from the source. > Arghh. > > I keep thinking this must have been dealt with in the production of other > user-facing binary distributions from open-source code releases. Anyone > have any pointers? > > Mozilla is a good example. http://www.mozilla.org/foundation/trademarks/policy.html Also, "Passport without a Visa" is a good article that describes some of the considerations: http://www.ifosslr.org/ifosslr/article/view/11/37 -Rob > - Dennis > > > > -----Original Message----- > From: Rob Weir [mailto:[email protected]] > Sent: Tuesday, April 03, 2012 10:10 > To: [email protected] > Subject: Re: logo source files > > On Tue, Apr 3, 2012 at 4:00 AM, Jürgen Schmidt > <[email protected]>wrote: > > > On 4/3/12 9:41 AM, Kevin Grignon wrote: > > > >> @Drew > >> > >> Where do we keep the source files for the logos? > >> > >> > > I would like to suggest that we should create a new place for this kind > of > > stuff besides trunk > > > > > +1. Getting it into SVN makes it easy to get to from the build and the > website. > > > > Juergen > > > >
