(Apologies if I'm missing context from start of thread)
On 2025/03/14 12:22:37 Drew Foulks wrote:
> Hey all,
> My current understanding is that this is primarily internal tooling so
> we're not really _releasing_ software per se, though that's subject to
> change. Additionally, I don't think that this group is in danger of
> becoming something so formal as a TLP.
My understanding is this work is pretty clearly ASF Infra providing
(when ready) new supported services to PMCs that use GitHub features.
Presuming Infra will be supporting these for PMC use, and given the
(waves at world) larger issues around software & supply chain security,
this sounds like an excellent service to be providing organizationally
to our projects.
That, to me, means the mechanisms of how the ASF manages this service,
including its main set of actions, are clearly an Infra effort, managed
by VP Infra and supported by paid staff time. Thus, not a TLP.
> "No idea what's legally required, after all the whole 'release as an act
> of the foundation' thing is a legal protection)."
What parts of GHA seems like a thing we need to understand better before we
do too many more of these things.
...
Can someone provide a very specific example of why we keep talking about
this GH Actions service and some approved roster of services and
"official acts of releases" and legal protections?
While various code bits and GitHub-related
configuration/actions/whatever of this will all be publicly visible,
it's also all going to be documented and obviously focused only on our
own ASF projects, correct? So there will be cases where some outside
party will see this code, grab it, and use and remix it elsewhere.
Which is fine, if it's just some licensed code we happen to have at an
apache.org domain or namespace; that doesn't make it a software
*product* like the things our PMCs put up on dist.a.o or the future ATR.
In terms of licensing, is there any reason Infra won't be using
Apache-2.0 on all of this work? I don't think infra needs to include
license headers on everything, but I do expect that the repos would
include Apache-2.0 as the LICENSE file.
I think it is important for infra to explicitly use Apache-2.0 for this
kind of work, because of our core licensing principle of least surprise.
Much of the value of the ASF brand is that users expect they can grab
any of our work and only have to deal with Apache-2.0 itself (in
general). So while we technically aren't offering PMC-created releases
(which have some expectation of maintenance) as a product to the world
here, this will be a bunch of code that users might find and want to
re-use. Thus, we should keep using Apache-2.0, to reduce surprises.
Does that make sense? Are there any reasons we couldn't use Apache-2.0
for this work?
--
- Shane
Member
The Apache Software Foundation