On Thu, Sep 27, 2012 at 6:41 PM, Rob Weir <robw...@apache.org> wrote:
>
> I think that is just engineering prudence.  Take the example of a
> component that you might have a dependency on.  I see no problem with a
> PMC wanting to be informed about all changes to that component as well
> as all bugs found in that component.  That information is entirely
> relevant to the Apache project.  At the very least a PMC should be
> aware of security flaws identified in any dependencies, optional or
> otherwise, since this may require steps such as a patch to interface
> code.
>

This is a very common scenario at Apache: when project A has a
dependency on project B, does it start forwarding mailing lists, or do
particular members go subscribe to the mailing lists of the other
project? When someone comes to project A and says there is a problem,
which is really a bug in project B, we might create a JIRA in project
A, but we really send people to create a defect in project B. There are
clear boundaries between the two projects, and in the case of Apache
projects, they have compatible licenses. When we consider Apache
Extras, most of the time there will be license issues, and that's why
we want to make clear they are different projects.

> I understand the concern about avoiding the appearance that the PMC is
> "building source code that is not under the AL", but surely that
> depends on what the PMC *pushes or writes* to the Apache Extras, not
> on what they *read*.  Being informed is never a crime.
>
> Specific example.  OpenOffice podling has signed up for a security
> mailing list where we receive security-related bug reports from
> LibreOffice, an open source project that is LGPL/MPL, not ALv2.  We do
> this by subscribing our security list directly to theirs.  Is this
> against policy?  This seems directly analogous to a project receiving
> bug reports from a non-ALv2 Apache Extras project.
>

My main concerns are with commit notifications, which will contain
non-AL2 code being forwarded to the same archive where the main Apache
commits are being archived, and this can cause confusion in the long
run.

> Regards,
>
> -Rob

-- 
Luciano Resende
http://people.apache.org/~lresende
http://twitter.com/lresende1975
http://lresende.blogspot.com/