On Mon, Jan 23, 2017 at 8:04 AM Marvin Humphrey <mar...@rectangular.com>
wrote:

> On Mon, Jan 23, 2017 at 4:35 AM, John D. Ament <johndam...@apache.org>
> wrote:
>
> > What I'm trying to make sure we're agreeing to is
> > that the problem isn't that there is a JAR to .tar.gz file in the
> > distribution.  It's that the original source is missing.
>
> No.  Bundling jar files is not OK in general and it is definitely the
> intent of the policy to exclude them.  (Source: I led the redrafting
> effort for the official policy.) Among other reasons, they are
> potential trojan horses, because they cannot be audited by a PMC.
>
> We might choose to make exceptions in some edge cases, like when the
> jar files are used as data for tests. That does not invalidate the
> policy.
>
>
I'm thinking then we need to explicitly call this out.  Perhaps we need to
add a section next to
http://www.apache.org/legal/release-policy.html#what-must-every-release-contain
that says "What must each release archive explicitly not contain" and list
out what's being called out.  By only saying what it must contain, we don't
say what is not allowed.

Sorry if my thick-headedness is getting frustrating, as it seems like there
is a big gap between what expectations are and what's actually written
down.  My goal is simply to get written down what the true expectations are.


> > I'm personally in favor of
> > having the gradle wrapper (and maven wrapper) present since it helps
> build
> > the code.
>
> The gradle wrapper and similar are also not permitted. Build processes
> need to bootstrap it.
>
>
I would like to understand why, from a legal standpoint, these are not
allowed.


> This isn't a big deal in practice because most people don't care about
> the security implications of consuming the convenience binary and just
> use that.
>
> Marvin Humphrey
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
>
>
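
As an added, reviewer-side illustration of the auditing point raised above (example code, not from this thread or from the ASF): a check a release reviewer could run over a candidate .tar.gz to list bundled jars, compiled artifacts and build-tool wrappers, also catching a jar that was renamed by looking at its zip magic bytes. The sample archive is constructed in memory; the file names in it are made up.

```python
import io
import tarfile

# Entries a source release should not carry, per the policy discussed above.
BINARY_SUFFIXES = (".jar", ".war", ".ear", ".class", ".so", ".dll", ".dylib", ".exe")
BUILD_WRAPPER_NAMES = ("gradle-wrapper.jar", "maven-wrapper.jar")
ZIP_MAGIC = b"PK\x03\x04"  # jar/war/ear files are zip archives underneath


def _looks_like_zip(tar, member):
    """True if the member's first bytes are a zip local-file header."""
    f = tar.extractfile(member)
    if f is None:
        return False
    with f:
        return f.read(4) == ZIP_MAGIC


def find_bundled_binaries(tar_bytes):
    """Return sorted (member name, reason) pairs for entries in a .tar.gz that
    are build-tool wrappers, compiled artifacts, or zip data hiding under
    another extension. An empty list means nothing was flagged."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            name = m.name.lower()
            base = name.rsplit("/", 1)[-1]
            if base in BUILD_WRAPPER_NAMES:
                findings.append((m.name, "build wrapper"))
            elif name.endswith(BINARY_SUFFIXES):
                findings.append((m.name, "binary by extension"))
            elif _looks_like_zip(tar, m):
                findings.append((m.name, "zip archive without .jar extension"))
    return sorted(findings)


def make_sample_release():
    """Construct an in-memory .tar.gz standing in for a source release (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add("proj-1.0/README", b"source only\n")
        add("proj-1.0/src/Main.java", b"public class Main {}\n")
        add("proj-1.0/gradle/wrapper/gradle-wrapper.jar", ZIP_MAGIC + b"\0" * 16)
        add("proj-1.0/lib/dep-2.3.jar", ZIP_MAGIC + b"\0" * 16)
        add("proj-1.0/src/test/resources/blob.bin", ZIP_MAGIC + b"\0" * 16)
    return buf.getvalue()
```

The third finding shows why the magic-byte check matters: a jar dropped into a test-resources directory under a neutral name is still unauditable compiled code, and a reviewer deciding on an exception for test data should at least know it is there.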
