On Mon, Oct 13, 2014 at 1:49 PM, Marvin Humphrey <mar...@rectangular.com> wrote:
> The Foundation was not set up to take on the liability associated with
> binary releases:
>
> http://s.apache.org/roy-binary-deps-3
>
> How is that different from any of our other projects? End users
> don't compile Java. Hell, most developers don't compile Java.
> We distribute plenty of binaries. We just don't call them SOURCE.
> The source is what we review. The source is what we bless. If anyone
> wants to go further than that, they are free to do so as long as they
> don't call the result an Apache release. It is a binary package, a
> user convenience, a download hosted by openoffice.org. I don't care.
>
> People have to understand this. There will always be a role for
> downstream commercial or non-commercial redistributions of Apache
> products. Why? Because the ASF is incapable of taking on the enormous
> liability associated with released binaries that are not produced in
> a controlled environment with a controlled set of tools.
>
> Changing policy to make binary releases official acts by the foundation
> would require us to account for those liability issues -- a daunting
> undertaking.

Fine. But I will still perform as much diligence on those artifacts that I am involved in as possible. I think it is important that this be done to make my consumers have as good a life as possible. The final difference is that due diligence /must/ be applied to source artifacts and /should/ be applied to binary artifacts. The nature of the diligence does not, however, change.