On 9/19/16, 8:55 AM, "shaposh...@gmail.com on behalf of Roman Shaposhnik"
<shaposh...@gmail.com on behalf of ro...@shaposhnik.org> wrote:

>On Mon, Sep 19, 2016 at 8:51 AM, Mark Struberg
><strub...@yahoo.de.invalid> wrote:
>>But we don't yet know what is part of the hg repo and what is part of
>>the Oracle contribution.
>>
>> What would happen if someone e.g. did commit some GPL licensed jar to
>>the repo a few years ago?
>> It's easy to catch such things if they are still in the latest version.
>> But what if they got added and later removed? Do we need to filter them
>>out?
>
>No we don't. What ASF stands behind is a release (which is a source
>tarball and optional
>binary convenience artifacts) that we distribute via our own
>infrastructure. While we try
>to keep our repos clean, we are not forced to have them at the same
>level of IP hygiene
>that we need for our official releases.
>
>Case in point: Apache Geode (incubating). We entered incubation (and
>ingested the source)
>with a known LGPL dependency embedded in our tree. Getting rid of it
>via refactoring was
>a pre-requisite for our first release, but you can still find history
>in our Git repo of it being
>there before the first release was done.

I agree that the repos don't have to be as clean.  IMO, Oracle has an
incentive to submit a tarball or import data that is ASF-ready.  This
doesn't mean they have to clean up a GPL add-and-remove, but Oracle might
want to consider scrubbing the donation for that and other things.  At
Adobe, our QA team often used test images that weren't ok to donate such
as pictures of famous people.  The test media never got released so it
didn't matter until donation time.  I think we attempted to scrub out some
traces of how security issues were handled as well.  They could choose to
scrub-and-replace author names for commits as well.

Adobe Flex came in via Subversion before going to Git, so I don't know how
Git import works, but blame works just fine, it just blames "Adobe Import"
instead of some Adobe employee and I think does include the commit
message.  Yes, sometimes knowing who did it helps you understand why, but
most of the time it doesn't matter.

-Alex
