[jira] [Comment Edited] (INCUBATOR-253) Issues with MXNet releases and their distribution

2020-07-02 Thread Leonard Lausen (Jira)


[ https://issues.apache.org/jira/browse/INCUBATOR-253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17149872#comment-17149872 ]

Leonard Lausen edited comment on INCUBATOR-253 at 7/2/20, 5:38 PM:
---

Please see the MXNet report to the incubator for an update on the 14 items: 
https://cwiki.apache.org/confluence/display/INCUBATOR/July2020#mxnet

EDIT as per Justin's recommendation


was (Author: lausen):
I'm including below an excerpt from the MXNet report to the Incubator:

 


[jira] [Comment Edited] (INCUBATOR-253) Issues with MXNet releases and their distribution

2020-07-01 Thread Leonard Lausen (Jira)


[ https://issues.apache.org/jira/browse/INCUBATOR-253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17149872#comment-17149872 ]

Leonard Lausen edited comment on INCUBATOR-253 at 7/2/20, 5:08 AM:
---

I'm including below an excerpt from the MXNet report to the Incubator:

 


[jira] [Commented] (INCUBATOR-253) Issues with MXNet releases and their distribution

2020-07-01 Thread Leonard Lausen (Jira)


[ https://issues.apache.org/jira/browse/INCUBATOR-253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17149872#comment-17149872 ]

Leonard Lausen commented on INCUBATOR-253:
--

I'm including below an excerpt from the MXNet report to the Incubator:

 

 Issues with releases and distributions

# Background
In May 2020 the MXNet PPMC proactively initiated an ASF policy compliance
review [1] and a license review [2] with the Apache Legal team.

The license review uncovered that

- Building unmodified MXNet release source code with the optional NVidia GPU
 support enabled results in a binary subject to restrictions of NVidia EULA.
- PPMC members and committers uploaded convenience releases to
 repository.apache.org which contain Category-X components. Both GPL and
 NVidia EULA components were found.
 
The policy review uncovered that:

- Prior ASF guidance to the PPMC (December 2018 legal review [3]) was incomplete
 and did not include a reference to the "unwritten" rule that convenience
 binary distributions created by third-parties using ASF Trademarks must not
 include Category-X components. Based on this discovery, the Draft Downstream
 Distribution Branding Policy was updated in June 2020 to include the
 "unwritten" requirement. Based on the updated guidance, PPMC discovered
 various third-party trademark infringements.
 
The policy review did not yet conclude on the questions if

- The PPMC may create nightly development builds (audience restricted to dev
 list subscribers as per Release policy [4]) for the purpose of testing and
 developing MXNet;

# List of issues and their status

Justin classified the issues into 14 items.

1. Source and convenience binary releases containing Category X licensed code.

See summary from license review in Background section. Source code releases do
not contain Category X code; takedown of binary releases on
repository.apache.org is pending on Apache Infra. (Trademark infringements of
3rd-parties such as on PyPI are discussed separately)

2. Website giving access to downloads of non released/unapproved code.

Website contained links to nightly development builds which have been removed
[5]. Going forward the PPMC intends to begin periodical voting on Alpha and Beta
Releases which will then be linked from the website.

3. Website giving access to releases containing Category X licensed code.

Website contained links to third-party distributions incorporating Category-X
components (see summary from license review above). Disclaimers were added to
the website clarifying the third-party status of the releases and their
licenses. [5]

4. Website doesn't give enough warning to users of the issues with non
(P)PMC releases or make it clear that these are not ASF releases.

Website contained links to third-party distributions incorporating Category-X
components (see summary from license review above). Disclaimers were added to
the website clarifying the third-party status of the releases and their
licenses. [5]

5. Maven releases containing Category X licensed code.

See summary from license review in Background section. Source code releases do
not contain Category X code; takedown of binary releases on
repository.apache.org is pending on Apache Infra. [6] (Trademark infringements
of 3rd-parties are discussed separately)

6. PyPI releases containing Category X licensed code.

There are no PyPI releases by the PPMC. Please refer to the trademark
infringement section of the report.

7. Docker releases containing Category X licensed code.

There are no Docker releases by the PPMC. Please refer to the trademark
infringement section of the report.

8. Docker releases containing unreleased/unapproved code.

There are no Docker releases by the PPMC. The existence of third-party releases
containing unreleased code was approved in [3] and is also in line with the
current Downstream Distribution Branding Draft Policy. ("using any particular
revision from the development branch is OK" [3])

9. Trademark and branding issues with PyPI and Docker releases.

There are no PyPI releases by the PPMC. Please refer to the trademark
infringement section of the report.

10. Trademark and brand issues with naming of releases.

There are no binary releases by the PPMC besides the repository.apache.org
releases discussed above, which are being removed. Please refer to the
trademark infringement section of the report.

11. Developer releases available to users and publicly searchable
https://repo.mxnet.io / https://dist.mxnet.io

Links to the nightly development builds were removed from the MXNet website and
a robot.txt file was added to prevent indexing of the sites. These websites are
removed from Google search index.

12. Releases and other nightly builds on
https://repo.mxnet.io / https://dist.mxnet.io containing category X licensed
code.

Neither of the two sites contains Releases. It is an open question of the