On Mon, Jan 23, 2017 at 4:35 AM, John D. Ament <johndam...@apache.org> wrote:

> What I'm trying to make sure we're agreeing to is
> that the problem isn't that there is a JAR to .tar.gz file in the
> distribution. It's that the original source is missing.

No. Bundling jar files is not OK in general and it is definitely the intent
of the policy to exclude them. (Source: I led the redrafting effort for the
official policy.) Among other reasons, they are potential trojan horses,
because they cannot be audited by a PMC.

We might choose to make exceptions in some edge cases, like when the jar
files are used as data for tests. That does not invalidate the policy.

> I'm personally in favor of
> having the gradle wrapper (and maven wrapper) present since it helps build
> the code.

The gradle wrapper and similar are also not permitted. Build processes need
to bootstrap it. This isn't a big deal in practice because most people don't
care about the security implications of consuming the convenience binary and
just use that.

Marvin Humphrey
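A release reviewer can mechanise the check the message describes (jars and build-wrapper jars that a PMC cannot audit as source, with test-data jars flagged separately as a possible exception). This is an added example for this thread, not code from the ASF or its policy; the suffix list, the wrapper file names, the `src/test/resources/` test-data prefix and the sample tarball are all assumptions constructed for the demonstration.

```python
import io
import tarfile

# Assumed lists for this example, not the official policy text.
COMPILED_SUFFIXES = (".jar", ".war", ".ear", ".class")
WRAPPER_JARS = ("gradle-wrapper.jar", "maven-wrapper.jar")
ZIP_MAGIC = b"PK\x03\x04"  # jars are zip files and start with this header


def scan_source_archive(fileobj, test_data_prefixes=("src/test/resources/",)):
    """Return [(member, reason)] for files in a source tarball that a PMC
    could not audit as source. Paths under test_data_prefixes are still
    reported, but marked as a possible test-data exception."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            name = member.name
            base = name.rsplit("/", 1)[-1].lower()
            reason = None
            if base in WRAPPER_JARS:
                reason = "build wrapper jar"
            elif base.endswith(COMPILED_SUFFIXES):
                reason = "compiled artifact"
            else:
                # Catch a jar hidden under another name by checking the zip magic.
                with tf.extractfile(member) as fh:
                    if fh.read(4) == ZIP_MAGIC:
                        reason = "zip/jar content under a non-jar name"
            if reason is None:
                continue
            # Strip the leading release directory (proj-1.0/) before prefix matching.
            rel = name.split("/", 1)[1] if "/" in name else name
            if any(rel.startswith(p) for p in test_data_prefixes):
                reason += " (test data, possible exception)"
            findings.append((name, reason))
    return findings


def build_sample_archive():
    """Constructed in-memory source tarball used to demonstrate the check."""
    files = {
        "proj-1.0/src/main/java/App.java": b"class App {}\n",
        "proj-1.0/gradle/wrapper/gradle-wrapper.jar": ZIP_MAGIC + b"\x00" * 16,
        "proj-1.0/lib/helper.jar": ZIP_MAGIC + b"\x00" * 16,
        "proj-1.0/src/test/resources/fixture.jar": ZIP_MAGIC + b"\x00" * 16,
        "proj-1.0/docs/notes.bin": ZIP_MAGIC + b"\x00" * 16,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

Run `scan_source_archive(open("proj-1.0-src.tar.gz", "rb"))` against a real candidate release; an empty list means no bundled binaries were found by these heuristics.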