Just FYI, Groovy had numerous such "test" jars and wrapper files and such initially. It turned out to only be a couple of hours work to remove them and build them on the fly within the build files. While I certainly see both sides of the argument about whether some "binary-like" artifacts might be considered as special and okay to include, I actually think what we ended up with does make it clearer exactly what is going on.
Cheers, Paul.

On Tue, Jan 24, 2017 at 3:51 AM, John D. Ament <johndam...@apache.org> wrote:

> On Mon, Jan 23, 2017 at 8:04 AM Marvin Humphrey <mar...@rectangular.com> wrote:
>
>> On Mon, Jan 23, 2017 at 4:35 AM, John D. Ament <johndam...@apache.org> wrote:
>>
>> > What I'm trying to make sure we're agreeing to is that the problem isn't that there is a JAR to .tar.gz file in the distribution. It's that the original source is missing.
>>
>> No. Bundling jar files is not OK in general and it is definitely the intent of the policy to exclude them. (Source: I led the redrafting effort for the official policy.) Among other reasons, they are potential trojan horses, because they cannot be audited by a PMC.
>>
>> We might choose to make exceptions in some edge cases, like when the jar files are used as data for tests. That does not invalidate the policy.
>
> I'm thinking then we need to explicitly call this out. Perhaps we need to add a section next to http://www.apache.org/legal/release-policy.html#what-must-every-release-contain that says "What must each release archive explicitly not contain" and list out what's being called out. By only saying what it must contain, we don't say what is not allowed.
>
> Sorry if my thick-headedness is getting frustrating, as it seems like there is a big gap between what expectations are and what's actually written down. My goal is simply to get written down what the true expectations are.
>
>> > I'm personally in favor of having the gradle wrapper (and maven wrapper) present since it helps build the code.
>>
>> The gradle wrapper and similar are also not permitted. Build processes need to bootstrap it.
>
> I would like to understand why, from a legal standpoint, these are not allowed.
>
>> This isn't a big deal in practice because most people don't care about the security implications of consuming the convenience binary and just use that.
>>
>> Marvin Humphrey
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>> For additional commands, e-mail: general-h...@incubator.apache.org
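As an added example (not part of this thread, nor any Apache project's release tooling), a small release-audit check in the spirit of the policy discussed above: it walks a source .tar.gz and flags members that look like compiled artifacts, both by extension and by leading magic bytes, so a wrapper jar or a renamed class file hidden under test resources is caught too. The extension and magic lists, the file names and the sample archive are all constructed for the example.

```python
import io
import tarfile

# Assumed for this example: extensions and magic prefixes that mark compiled artifacts.
BINARY_EXTENSIONS = (".jar", ".class", ".war", ".ear", ".so", ".dll", ".exe")
MAGIC_PREFIXES = {
    b"PK\x03\x04": "zip/jar archive",
    b"\xca\xfe\xba\xbe": "Java class file",
    b"\x7fELF": "ELF executable",
    b"MZ": "PE executable",
}

def classify_member(name, head):
    """Return why a member looks like a binary artifact, or None if it looks fine."""
    if name.lower().endswith(BINARY_EXTENSIONS):
        return "binary extension"
    for magic, label in MAGIC_PREFIXES.items():
        if head.startswith(magic):
            return f"{label} (by magic bytes)"
    return None

def audit_source_archive(data):
    """Scan a .tar.gz source release (bytes) and return [(member, reason)] for flagged files."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            f = tar.extractfile(member)
            head = f.read(4) if f else b""  # only the leading bytes are needed
            reason = classify_member(member.name, head)
            if reason:
                findings.append((member.name, reason))
    return findings

def _add_file(tar, name, content):
    info = tarfile.TarInfo(name)  # helper to build the constructed sample archive
    info.size = len(content)
    tar.addfile(info, io.BytesIO(content))

def build_sample_archive():
    """Constructed sample release: two clean files, a wrapper jar, a renamed class file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add_file(tar, "proj-1.0/src/Main.java", b"class Main {}\n")
        _add_file(tar, "proj-1.0/README.txt", b"hello\n")
        _add_file(tar, "proj-1.0/gradle/wrapper/gradle-wrapper.jar", b"PK\x03\x04" + b"\x00" * 16)
        _add_file(tar, "proj-1.0/src/test/resources/fixture.bin", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return buf.getvalue()
```

Running `audit_source_archive(build_sample_archive())` reports the wrapper jar (by extension) and the disguised class file (by magic bytes) while leaving the Java source and README alone; a release manager would run it over the real candidate tarball before a vote.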