Re: [OpenPGP] Moving Away From DSA and SHA-1

2009-08-11 Thread Roy T. Fielding

On Aug 11, 2009, at 8:24 AM, Robert Burrell Donkin wrote:

1024 bit keys and SHA-1 links are currently considered safe so there's
no reason to believe that apache keys have been compromised. transition
statements [1] in a trusted location will probably be good enough to
convince most people to re-sign. but we'd need to think carefully about
a sufficient secure infrastructure before recommending this.


There is nothing wrong with the existing keys. There is no danger
of any compromise, even by brute-force attack.  Our signatures are
used for verification, not privacy, and in any case the "schedule"
for key sizes becoming weak is based on speculation.  There is no
evidence to suggest that anyone has managed to find a specific
private key to match a given 1024-bit public key.

Quite frankly, I think that this effort to purge 1024 bit keys will
simply make PGP useless for verifications, since PGP without the
web of trust is a friggin waste of time.  What people should do is
increase the default key size for new keys and just be happy that
anyone uses PGP/GPG at all.

Roy


-
To unsubscribe, e-mail: community-unsubscr...@apache.org
For additional commands, e-mail: community-h...@apache.org



Java Service Wrapper

2008-04-02 Thread Roy T. Fielding

The Java Service Wrapper is being used (and sometimes redistributed) by
many of our Java projects (ActiveMQ, ServiceMix, Geronimo, OFBiz, Tomcat).

It was formerly available under an MIT/BSD style license, as can be seen
in the 3.2.3 version at

  http://sourceforge.net/projects/wrapper/

More recent versions of the product are currently under dual GPLv2
and commercial licensing.

  http://wrapper.tanukisoftware.org/doc/english/licenseOverview.html

And yet no mention of its license is found in our documentation.

  http://activemq.apache.org/java-service-wrapper.html
  http://docs.ofbiz.org/display/OFBIZ/How+to+Run+OFBiz+as+Windows+Service+with+Java+Service+Wrapper
  http://people.apache.org/~fhanik/wrapper.html
  http://wiki.apache.org/db-derby/DerbyWindowsService

and the only pages we have that refer to the old version are in Geronimo

  http://cwiki.apache.org/GMOxDOC11/configuring-geronimo-as-a-windows-service.html
  http://cwiki.apache.org/GMOxDOC20/configuring-geronimo-as-a-windows-service.html


If your project is currently distributing or telling users to make use of
the Java Service Wrapper, please be sure that we only use the old licensed
version, that our documentation points to the old site, and that when we do
point folks to wrapper.tanukisoftware.org (which we should do because some
users are not allergic to GPLv2) we should also point out that the newer
versions are under different licenses (GPLv2/commercial).

Roy




Re: Community Guidelines (was Code of Conduct)

2007-06-29 Thread Roy T. Fielding

On Jun 28, 2007, at 8:32 PM, Craig L Russell wrote:


I have a question about this part of the guidelines:

Project source code and documentation must be donated to the ASF under a
Contributor's License Agreement. Donated source code and documentation
must carry the ASF copyright and be placed under the Apache License.
Code and documentation donated to the ASF must be maintained on ASF
hardware. Obtaining a non-exclusive ASF copyright on all material in the
ASF repository is encouraged.

I'd like to understand if the requirement is to donate code and
documentation or to license it to ASF.

I thought that the requirement was to simply license it to ASF under
ASL v2.0.


You are correct.  The word "donated" here is wrong because licenses are
not a donation, in spite of our habit of blurring the concept.

Roy





Re: women@a.o mail list

2006-07-28 Thread Roy T. Fielding

On Jul 28, 2006, at 7:49 AM, Jean T. Anderson wrote:


The [EMAIL PROTECTED] mail list was created in August 2005; the initial
charter is at http://wiki.apache.org/Women/InitialCharter .

We now want to take it to the next step and create a formal committee
(see the forwarded post below).


Sorry, -1.  The foundation should not be building infrastructure around
an inherently sexist and discriminatory group. [This comment has nothing
to do with the participants -- it is the way the topic is defined.]

If the discussion list has helped identify specific problems that can
be addressed, or non-discriminatory topics (such as "communication")
upon which meaningful work can be performed regardless of gender,
then that is what you should be making a proposal about.

Roy




Re: At what point do you unsubscribe/deny a misbehaving user?

2005-12-16 Thread Roy T. Fielding

On Dec 16, 2005, at 6:28 PM, Jean T. Anderson wrote:

For crying out loud, would you please supply links to the exact posts
you consider to be in poor taste and the person's name?  I just wasted
10 minutes trying to follow the bread crumbs.  You have to make it
easier on reviewers -- everyone seems to be painfully avoiding
a pointer to an actual message.


sorry -- I'm not trying to frustrate folks. I considered posting  
specific links, but withdrew them at the end, even though they are  
links to public archives. The name at the core is Michael Segel.


Below are links to public responses to some of his posts (which are  
numerous enough that they alone would be frustrating to wade through):


Well, yes, but what I asked for was the posts that you consider to be
in poor taste, not responses to those posts.  But now that I know who
you are talking about I could use the view-by-author and see that this
person is better than the typical troll with diarrhea of the fingers.
He is usually right, even though he would fail miserably as a
strategist, and most of his posts in October were both useful
and normal.  In others, he slides into troll mode on responses.

The answer is to ask your community not to feed the troll when it
gets grumpy and just ignore him, and to limit discussion to the
topic of the list.  Yes, he is an annoying troll, but on balance
he hasn't done anything truly disruptive or offensive that I could find.

Personally, if I had been on the list when he started inventing big
words about GPL and IBM, I would have flamed him to a crisp so badly
that he would have unsubscribed (and I probably would have been
banned outright).  Your calls for politeness will only restrain those
who care.

The last two were recent (this week). Off line communication makes  
me believe he has no intention of moderating his behavior, hence  
the question of at what point you unsubscribe/deny a user.


When his presence is worse than his absence, you can deny him, but
it is better to ask everyone in the community to simply shun him.
He doesn't start off in troll mode.

One of the DB PMC members was asking about frequency of denial,  
which is an excellent question, which Noel responded to with  
"Rarely.  Really really rarely."  It's helpful for us to know how  
other projects at the ASF handle such situations. I'm getting  
questions from users asking why we don't just boot him. I'm happy  
to respond with "The ASF doesn't like to do that except for the  
most extreme cases" if that is the right answer. This case is  
merely very annoying, not extreme.


I think ignoring is an excellent tactic for a developer's list. I  
worry that isn't strong enough for a user's list, but I also  
wouldn't want to embark on a path that could backfire.


Then feel free to delete the users list.  I am serious.

Roy





Re: At what point do you unsubscribe/deny a misbehaving user?

2005-12-16 Thread Roy T. Fielding

On Dec 16, 2005, at 5:17 PM, Jean T. Anderson wrote:

derby-user@db.apache.org has been grappling with someone who
delights in belittling other posters on the list. The topic was
raised on women@ (see the thread starting with
http://mail-archives.apache.org/mod_mbox/www-women/200511.mbox/%3c4371355F.[EMAIL PROTECTED] ),
but I think it's more appropriate for this list.


For crying out loud, would you please supply links to the exact posts
you consider to be in poor taste and the person's name?  I just wasted
10 minutes trying to follow the bread crumbs.  You have to make it
easier on reviewers -- everyone seems to be painfully avoiding
a pointer to an actual message.

In general, it is the responsibility of the PMC to govern its own
lists.  If the PMC decides to boot them, then go ahead.  Most
groups just shun the user.

Roy





STOP CROSSPOSTING to Private/PMC/members lists

2005-06-24 Thread Roy T. Fielding

Under no circumstances is it EVER appropriate to cc a private list
when talking in public, or cc a public list when talking in private.
I don't care why you think it is appropriate to hit two audiences
in a single mail, or why you think your time is more important than
everyone else's combined, this behavior must stop now.

Aside from being a terribly rude abuse of Internet etiquette and
a complete waste of time for those of us on both lists, it leads
to all sorts of antisocial behavior when people and machines do
a reply-all without noticing the scope of their reply.  Private
lists should never be used for public discussions, period.  If you
feel some desperate need to alert someone on a private list that
isn't watching on the public list, then send them a separate mail.

Roy





Happy Birthday, we are 10

2005-02-27 Thread Roy T . Fielding
10 years ago today, the Apache Group decloaked with the creation
of the new-httpd archive and initial accounts on hyperreal.org.
I had the lucky timing of having the first message archived on
the list, though we had actually been talking about what to do
for at least a week before that (sadly, without any archives).
Thanks to everyone for making Apache possible and for continuing
these efforts today.  I wish I had time to wax historical for a
bit and talk about all the great things that happened along the
way, but I have to rush out for another flight (to Boston).
In any case, I am extremely proud of what we have accomplished
and very grateful to have met so many friends along the way.
Cheers,
Roy T. Fielding <http://roy.gbiv.com/>
Chief Scientist, Day Software <http://www.day.com/>


Fwd: W3C Spanish Office’s Standards Tour 2004 to Visit Ten Cities Throughout (News Release)

2004-10-27 Thread Roy T . Fielding
May be of interest to Santiago and friends ... note the prize is a
research grant.
Roy
Begin forwarded message:
From: Marie-Claire Forgue <[EMAIL PROTECTED]>
Date: October 27, 2004 12:31:38 AM PDT
Subject: W3C Spanish Office’s Standards Tour 2004 to Visit Ten Cities Throughout (News Release)

W3C Spanish Office’s Standards Tour 2004 to Visit Ten Cities Throughout
Spain
Bus Equipped With W3C Multimedia Demos; Multimodal Web Seminar in
Madrid; First W3C Spanish Office Prize for Web Standardization
Web Resources
This press release:
  In English: http://www.w3.org/2004/11/sptour-pressrelease.html.en
  In Spanish: http://www.w3.org/2004/11/sptour-pressrelease.html.es
  In French: http://www.w3.org/2004/11/sptour-pressrelease.html.fr
  In Japanese: http://www.w3.org/2004/11/sptour-pressrelease.html.ja
Check http://www.w3.org/Press/ for all hypertext versions
Info on the W3C Standards Tour:
  http://www.w3c.es/gira/info/intro.html.en
W3C Spanish Office: http://www.w3c.es/
http://www.w3.org -- 27 October 2004 -- The W3C Spanish Office brings
its first W3C Standards Tour to ten universities in Spain from 3 to 26
November 2004 to demonstrate W3C's work and promote the use and adoption
of W3C technologies. The environment-friendly tour bus has access to
people with disabilities, multimedia equipment where demos of W3C
technologies will be at visitors’ disposal, projection equipment, and
video conferencing and Internet connectivity via satellite. During the
tour, the ten universities will host conferences giving university
research staff, students and organizations interested in W3C standards
adoption and implementation the opportunity to establish relationships.

The Standards Tour runs for three weeks and visits the following cities
in Spain. All events are free and open to the public.
* Gijón (Opening Ceremony): 3 November 2004
* Bilbao: 4-5 November 2004
* Zaragoza: 8 November 2004
* Barcelona: 9-10 November 2004
* Valencia: 11-12 November 2004
* Sevilla: 15-16 November 2004
* Madrid: 17-19 November 2004
* Salamanca: 22 November 2004
* A Coruña: 24 November 2004
* Oviedo: 26 November 2004
"Although the Web is in concentrated use in Spain, there is a lot of
exciting new technology coming in the near future. The bus is an
opportunity to see what's new and coming up," said Tim Berners-Lee,
Director of W3C.
"Our Spanish Office has come up with a novel way of reaching out in
Spain," said Ivan Herman, Head of Offices at W3C. "The Standards Tour as
well as the W3C Spanish Office Prize for Web Standardization are
exciting opportunities for the W3C and the Spanish technical community
to make active and lasting contact."

"It's wonderful to see the amount of new Web development work happening
in Spain," said José Manuel Alonso, Manager of the W3C Spanish Office.
"W3C encourages and supports the adoption of its standards and
technologies throughout Spain's academic and business communities."
The Standards Tour is organized by the W3C Spanish Office with the
generous support of Red.es and Fundación CTIC, and with the help of
Software AG España, TeleCable, Fundación ONCE and Centro de Estudios
Garrigues.
Multimodal Web Seminar in Madrid
Researchers and participants from industry are invited to the Multimodal
Web Seminar at the tour stop in Madrid, where speakers from W3C Member
organizations in Spain and members of the W3C Team will present the work
of the W3C Multimodal Interaction Activity. The seminar is funded by the
European Commission’s IST Programme as part of the Multimodal Web
Interaction (MWeb) Project.

First W3C Spanish Office Prize for Web Standardization
The W3C Spanish Office Prize for Web Standardization will be launched
during the tour. The prize encourages the use and adoption of W3C
Recommendations at Spanish universities, and is awarded to the prototype
that best demonstrates W3C technologies in one or more of the following
fields in an innovative way: Semantic Web, Device Independence, Voice,
and Multimodal Interaction. The prize winner will be selected by members
of the W3C Team from ten finalists.

The winner will receive an applied research grant to develop a full
project based on her or his winning prototype at the Fundación CTIC
headquarters in Gijón, Asturias, Spain. The best five finalists will
also receive a top of the line laptop computer, courtesy of Red.es and
Acer. The winner and winning prototype will be announced at an award
presentation ceremony to be held in Asturias during the first quarter of
2005.

About the W3C Spanish Office
Established in October 2003, the W3C Spanish Office is hosted by
Fundación CTIC. Located at the Science and Technology Park of Gijón,
Asturias, Fundación CTIC is a non-profit organization which carries out
and disseminates applied research on information technologies. For more
information see http://www.w3c.es.
About W3C Offices
W3C Offices assist with promotion efforts in local languages, broaden
W3C's geographic

Re: [OT] How to prevent abusing Apache priviliges

2004-10-16 Thread Roy T . Fielding
A few weeks ago, many people encouraged Niclas Hedhman not to bring 
private matters into the public here.  Now, some people want this 
issue brought into public, whereas others say it should be handled 
only with the Incubator PMC, or possibly the Board.
The general at incubator mailing list is a public list.  Anyone interested
in participating in the incubation of new projects should join it.  That
is where such topics are discussed.  Cross-posting to two public lists,
when one of which is responsible for the topic and the other (community)
is not responsible for much of anything, only generates noise.

I don't like noise.  It interferes with progress.
Roy


Re: release management

2004-05-24 Thread Roy T. Fielding
Cutting a release jar/tarball is an individual act, regardless of
the person's status as being a committer, on the PMC, or an Apache
member. Because none of us are employees, we do not have the right
to make acts on behalf of the ASF (the only exception is ASF officers,
who are granted that right within the scope of their job description).
That is why all releases must be voted on and receive a minimum of
three binding +1s (and a majority of overall votes) before the
release can be made public: it is that vote which makes it a decision
of the PMC, and hence a decision by the ASF.  The ASF is only capable
of protecting people from suits directed against the distributor
when the ASF is the entity that made the decision to distribute.
Note, however, that *damages* associated with copyright are tied to
the act of distribution, so that is a significant benefit obtained
by following the ASF's release procedures.
At the same time, it is very hard for people who might want to sue
an individual (e.g., as an attempt to prevent that individual from
contributing to one of our projects) to do so on the basis that
the ASF violated their copyright -- instead, they would have to
sue the individual for some identifiable act of copying from the
expression (code) to which they own copyright and prove that their
contribution to the ASF was illegal.  That is not an easy thing to do,
makes them vulnerable to countersuits, and requires that they prove
that individual's act was responsible for some quantifiable damages.
[In the US, the last part was changed by the DMCA, but I have no
idea how far or if it could ever be applied in court aside from
cases where the original copy is a trade secret and making a single
copy is sufficient in itself to cause damage.]
Anyway, that is the theory of how it works.  IANAL and this has
never been tested in practice, but at the time we were particularly
concerned about individual volunteers being ripe targets for a large
company to bring legal action against, solely for the sake of
derailing a popular project.  Forcing such a company to bring suit
against the nonprofit reduces their chance of success, allows us
to defend ourselves collectively, and places the issue of
quantifiable damages on the shoulders of a corporate entity
rather than on our personal assets.
Roy


Re: "The need for international protection for free software"

2004-03-17 Thread Roy T. Fielding
A proposed "Free Software Act" provides an alternative to addressing
software licensing through the copyright process.
  http://www.linuxworld.com/story/44100.htm?DE=1
Just kind of an interesting read.  Especially if you are Roy, and
understand all of the big words.  ;-)
Interesting, though the author doesn't have a friggin' clue in regards
to the ramifications of creating a body of law in which anyone can sue
anyone else for a perceived violation of "any software licensed under
Free Software Foundation licenses."  Give me copyright law, please.
Roy


Re: Some Pointers for updating to Apache 2.0 license

2004-02-19 Thread Roy T. Fielding
This document states the license file must be called 'LICENSE'
and the notice file called 'NOTICE'.  In jakarta-commons the
convention used for the license file is LICENSE.txt.  So my question
is, MUST the files be called 'LICENSE' and 'NOTICE' or will
'LICENSE.txt' and 'NOTICE.txt' suffice?  Just seeking clarification
on this.
Yes, it is alright.  Some filesystems don't even show the name extension.

Roy


Re: Some Pointers for updating to Apache 2.0 license

2004-02-12 Thread Roy T. Fielding
For those who have not seen it - there are some guidelines (thanks to 
Roy!) on applying the 2.0 license to code at :

http://www.apache.org/dev/apply-license.html
Not just me -- thanks to Berin as well, for providing the first draft
and getting me off my butt to finish it.
Roy


Re: What is a member?

2003-11-27 Thread Roy T. Fielding
Roy Fielding once mentioned that anyone with a history of at least 6 
months of sustained contributions was entitled to ASF membership.
Not entitled -- deserving of nomination for membership.  It still has
to be voted on by all of the members, since we are effectively giving
that person an equal share of determining the future of the ASF.
I won't nominate someone who does not believe in collaborative
development, regardless of how long they have been working on their
own bits of ASF software.
That, BTW, is just my opinion.  I believe that we should have as many
active members as possible, since members have a more long-term view
of the foundation.  Others feel that members should be a fairly
cohesive group that likes to party together, since this should all
be fun.  Personally, I think that is what the projects should be,
since I don't find corporate stuff fun at all -- it is merely
necessary to allow others to have fun.
Some people have made comments to the effect that "Apache is no
longer fun any more."  Let me just say that much of the reason for
that is because they are now part of the core group, which means
they end up spending more time on corporate stuff and less time
doing the things that seem fun.  However, please understand that
Apache was designed for volunteerism -- when whatever you are doing
gets old and you'd like to start something new (or simply relax a
little bit more), understand that there will almost always be
someone willing and able to take over that task.  It won't be the
same without you, since every person breathes their own special
life into the things we do for Apache, but the developer guidelines
and, later, the foundation bylaws were designed to make it easy
and commendable for volunteers to take a break every once in a
while and enjoy other things in life, whether that be inside an
Apache project or simply at home.
If you aren't having fun, then choose what you'd like to do and
do that.  Of all the things I have done for Apache, what I am
most proud of is the fact that I can resign from the board and
feel confident that the ASF will do just fine without me.
It means that I did my job well enough to deserve a little
time off, and that others have done well enough to deserve being
on the board.
Roy


volunteeritis

2003-11-27 Thread Roy T. Fielding
I just wrote about the importance of volunteerism.  However,
I didn't want to let that go without also warning about the limits
of volunteerism, namely volunteeritis.  That particular malady
is found in the most well-meaning people you will ever meet --
the people who simply want to help in whatever ways they can,
but often without recognizing their own limits.
Volunteeritis is what you get when you volunteer to do more than
you can handle at any given moment.  There are hundreds of reasons
for that, but what must be understood is that volunteering isn't
always a good thing to do.  Even if someone else is ready to
volunteer to do a task, they will often defer to those whom they
consider more "senior" even when it is obvious that person is
already overloaded.  The result is a task that is never completed,
or at least not done anywhere near as quickly as it could have
been done by someone else.
So, my word of warning is simply this: if you are feeling
overwhelmed by what you have volunteered to do, don't just
let it grow on you.  Let others know -- encourage others to
volunteer -- spend your time teaching them how to do things
instead of just doing them yourself.
Happy Thanksgiving,
Roy


Re: [i18n] Internationalization project

2003-07-15 Thread Roy T. Fielding
Fair enough. So basically if you have an innovative idea/concept don't
bother calling the ASF?
What is innovative about i18n?  Come on David, put your fricken thinking
cap on and stop acting like a baby.  All code changes have to be approved
by the project responsible for the code.  Likewise for documentation.
What purpose does the i18n project perform that is not already covered
by the existing project mailing lists?  Is it going to develop new
i18n technology or just discuss things related to all of our projects.
If the former, then the project had better come up with a decent goal
and an explanation of how it is going to create this new thing, after
which we can talk about going through incubator on a concrete level.
If the latter, then it is a mailing list and not an ASF project.
The ASF hosts many such mailing lists, including this one.
Roy


Re: [i18n] Internationalization project

2003-07-15 Thread Roy T. Fielding
OK, well I had a discussion last night with some folks from the incubator
PMC and frankly it upset me. It was one of those evenings when you realise
how crap organisations can be and makes you wonder why you bother with them
:( I really wasn't impressed.
i18n isn't a code project.  It isn't even a documentation project.
In fact, there doesn't even seem to be any reason for it to be a project.
Why would incubator have anything to do with it?

I wasn't present for your conversation, but I am not at all surprised
by the result.
Personally, I think that creating a project that consists of people that
want to work on other projects is a bit weird.  Why don't you just ask
for a mailing list?  The actual commits will have to be made by the
specific projects, not by an uber-i18n-committee, so project formation
doesn't make any sense.
An ASF project exists as an organizational mechanism for releasing software
that might otherwise get people sued as individuals.  It does not exist
for the sake of replacing USENET news or community mailing lists.

Roy


URI specification

2003-06-09 Thread Roy T. Fielding
I submitted draft 03 of the URI spec revision on Friday.  It can
also be obtained via the issues list at
   http://www.apache.org/~fielding/uri/rev-2002/issues.html
This draft is close to final, with maybe a few editorial changes
left before going to IESG last call.  It would be nice if the Apache
software projects were checked/updated for conformance.  Please let
me know of any implementations that should be listed when I send
the IESG documentation on independent implementations.
If you find a bug, please tell me within the next two weeks.
Cheers,
Roy


Re: FYI: spam/viruses originating from apache.org

2003-06-03 Thread Roy T. Fielding
You wouldn't believe how many are being caught on their way to apache.org
addresses; my spamfilter also catches messages bearing this virus.
Thousands per day.  Hundreds alone to people like myself, Roy, Ralf, and
many jakarta mailing lists.

Many of the messages do not have attachments, though, oddly enough, and
those aren't caught.  I don't see a reliable pattern to match them on; I
don't want to block all messages that say "Approved" for example.  :)
Yeah, I get hundreds a day and dozens more auto-responders responding
to worm mail sent out as "From: [EMAIL PROTECTED]" just because
that address is in the RFCs I wrote.  A lot of the messages without
attachments are being forwarded by UCI after their virus checker
has stripped them.
BTW, feel free to block all e-mail with that address in From -- I never
use it to send mail.
Roy


Re: Licensing and modified GPLs (again!)

2003-04-04 Thread Roy T. Fielding
The question is: is that enough to defeat GPL's virality? I'm starting to
Defeat isn't quite the right word.  It is actually distributed under two
licenses, one for unmodified and one for with-modifications.  The Apache
license also does that, though in our case they are just two clauses in
a single license.
 think that it might well be the case: as long as you don't modify 
Kawa or Qexo, those classes would be used just like any Sun classes so 
if it's OK to include a Sun jar it might be OK to include even 
Kawa/Qexo. Still, they are shipping even a copy of the GPL2 license 
with the distribution, so I'm not sure it would be enough.
It is enough.  To be fair, the distribution should always be paired with
a license file that describes the terms in effect.  A jar file would
list the simple terms described, with a link back to the source.  A
source distribution would have to include the GPL2 license inside,
though that alone does not make a distribution viral.
Note, however, that I wouldn't recommend this style of licensing to
everyone.  Among other things, it requires that the original author
maintain full copyright on the entire work, or at least not accept
any contributed modifications without an explicit grant of license.
Roy


Re: Sun and the JCP 2.5

2003-04-03 Thread Roy T. Fielding
Sam, I've gotten rather disappointed with your tactics of late.  I 
choose to take part in the ASF and its decision making processes.  I 
choose not to have information that would limit my financial viability 
via making me party to a Non Disclosure Agreement.

I'd like to avoid a situation such as say someone posts some NDA'd
spec for a VM as part of some JSR you're working on and I then go and 
start working on Mono and Sun takes my house for "disclosing"..  
(possibly without me even reading it)
That isn't possible.  Even if you were to read "secret" information, you
cannot be sued for making use of public information once it has become
public, nor can you be sued for making use of your secret knowledge
to create something that is not derived from the presentation of that
information from Sun, presuming that you can demonstrate it wasn't
derived from the secret (which would be easy for Mono).
What you can be sued for is taking information that is distributed under
NDA and making it public, even if you are not a party in the NDA.  As long
as you know that Sun considers it to be a trade secret and has not
published it themselves, you cannot publish that information regardless of
how it was obtained.  Signing, or not signing, the NDA is irrelevant.

Even if you never see the secret information, and have no ties to anyone
who has access to it, you can be sued.  The company simply needs a reason
to believe that someone under NDA (including its own employees) might
have given you the information.  However, they can only sue you for
damages caused to them by you making that information public prior
to others making it public.  They cannot sue you for what you know,
and they cannot claim damages if you keep it secret.

The purpose of the NDA is to establish a contract between those who
give us the information to those who receive it, such that we all agree
that it is secret and will treat it as such until the originator makes
the information public.

I think an open JCP list where no NDA material is permitted would be
entirely appropriate.

[EMAIL PROTECTED] is more than sufficient for that purpose.  There is nothing
about the JCP that is public other than what you see on jcp.org and
what the spec leads offer for public review.

In any case, the notion that you would somehow lose economic viability
from being on the JCP list is just plain backwards.  A consultant with
inside information is far more valuable than one on the outside.  I'll
accept a claim that you simply don't want to partake in a closed process,
which is indeed why we created the jcp list (so members who refuse to
participate in the closed process can choose to do so).  However, you
should not go asking those who do participate about the facts that are
readily available to those on the list.  You need to read the public
output instead.

Roy


Re: Sun and the JCP 2.5

2003-04-02 Thread Roy T. Fielding
Does anyone know why JBoss isn't being granted the scholarship?  I 
read the Happiness is here today JCP 2.5 announcement 
(http://java.sun.com/features/2002/10/new_jcp.html) again and it says 
"qualified academic, non-profit and opensource members".

I am not sure about the announcement text, but I know that the agreement
was for nonprofit or academic organizations, or for individuals working
on behalf of a nonprofit.  JBOSS is none of the above.

While I realize that this isn't an Apache opensource project, it was 
my understanding that Apache had invested a great deal of effort in 
getting Sun to open up the JCP and enact these reforms.  I would hate 
to thing and be very disappointed if they were not being applied 
fairly.
We did.  Under the old rules, JBOSS would not be allowed to implement
a compatible implementation as open source.  Under the new rules, they
only need to pass the TCK, and as a commercial organization it is up
to them to pay for it.
Roy


Re: [Fwd: Prof Eben Moglen on L/GPL and jars]

2003-02-21 Thread Roy T. Fielding
Is this clarification sufficient?  If not, what more do we require?

No.  What the FSF needs to say is that inclusion of the external
interface names (methods, filenames, imports, etc.) defined by
an LGPL jar file, so that a non-LGPL jar can make calls to the
LGPL jar's implementation, does not cause the including work to
be derived from the LGPL work even though java uses late-binding
by name (requiring that names be copied into the derived executable),
and thus does not (in and of itself) cause the package as a whole
to be restricted to distribution as (L)GPL or as open source
per section 6 of the LGPL.
Roy


Re: licensing issues and jars in Avalon

2003-02-11 Thread Roy T. Fielding
In this case, that is using LGPL such as checkstyle for the build, is 
it possible that the build system downloads it automatically for the 
developer? And /GPL/ buildtools, is it different? Would it have to ask 
permission of the developer to download given that it's GPL (ie making 
it clear)?

You can't isolate questions.  If no other condition exists that causes
it to be a derived work, then a build system download won't either,
assuming that the build system is an independent mechanism (i.e., it
doesn't exist for the sole purpose of placing the GPL'd functionality
within a non-GPL product).

The GPL specifically excludes bundling for the purpose of distribution
from its list of things that makes one work derived from another.  That
is what allows RPMs and Debian packages and FreeBSD ports to work.  You
can safely assume that any such system is okay, even if it is written
in Java.  However, note that we are not in the business of providing
bundles (like RedHat), so the storage for such a system should make
use of the origin sites rather than assuming an uber-repository.
The fink system (Debian based) does that rather well.

This is completely separate from the Sun binary license issue, which
specifically forbids anyone from allowing such downloading.  Placing
the repository on someone else's machine doesn't remove culpability
for the license infringement -- it only increases it.
Roy


Re: licensing issues and jars in Avalon

2003-02-11 Thread Roy T. Fielding
What I find strange in all this discussion about tools that are licensed under
LGPL is, why does it matter if you do not use the tool in the actual code of
the project.

It does not matter in that case.  It only matters when use of the code
restricts the license under which our own code is distributed beyond
the Apache license.

Take for example Checkstyle, you use this tool to check that your code
conforms to a coding standard. Checkstyle does NOT:
  - modify project source code in any way;
  - need to be imported/linked/referenced in project source code; or
  - need to be shipped in project deliverables.
So if all of this is accepted, why does it matter that Checkstyle is licensed
under LGPL? It is not being "viral".

It doesn't matter.  However, it also doesn't need to be distributed from
the ASF servers.  There is no reason that developers couldn't use it --
we use dozens of such tools for httpd development.
Roy


Re: Classpath Licensing

2003-02-11 Thread Roy T. Fielding
On Thursday, February 6, 2003, at 12:30  PM, Noel J. Bergman wrote:
I believe Classpath has a special exception for distribution, but,
AIUI, that isn't typical of FSF packages.

I agree.  The only issue for me is whether or not the Classpath packages are
a suitable special case that we can use.

The answer is no.  Look, this should be clear from the license text.
The exception refers to the effect of linking done by the Classpath
code, which is a neutral third-party.  The exception is to allow the
neutral third-party (GPL code) to cause other object code to be
combined without altering the license of that object code.  It does
not make an exception to any direct use of the GPL code itself,
such as if some part of our code did an import of one of the classes
within the GPL library.

As to the rest, you have a valid point that the FSF holds a copyright on the
code.  However, Nic is entitled to multi-license his own code (not all of
Classpath, but I was specifically thinking of his implementation of JavaMail
and Chris' implementations of JavaMail handlers), and thus it seems that
their representation would have effect.

Nic just repeated what the license says.  It has no relevance to a
situation where one java app/library imports from an LGPL class.

Personally, I'd prefer for them to license their source under the ASF
license, but as long as we can use their binaries, that suffices.

We can *use* their binaries.  We cannot introduce features that depend
only on their binaries (or their source code, for that matter).  Doing
so restricts the distribution of our entire product to LGPL or GPL,
which is why it is forbidden within the ASF.

If the developer dual-licenses the code in a form that is non-viral,
such as the Apache or MPL 1.1 licenses, then we can depend on it.
Roy


Re: primary distribution location

2003-02-05 Thread Roy T. Fielding
The import statement alone is sufficient to make the source code a
work based on the Library, which means we could distribute under the
terms of section 6.  Those terms are viral and disallow binary-only
releases, making our product viral because the Apache license does
not require redistribution of source with executables.
In short, the answer is no, and this applies to any software with
copyright of The Apache Software Foundation.

Roy, I'm trying hard to understand. I went into section 6 of
http://www.gnu.org/copyleft/lesser.html, and suppose you are referring
to one of the 5 conditions (a->e) in that clause which we cannot
comply with.

No, I am referring to the first paragraph, which states

   6. As an exception to the Sections above, you may also combine or
   link a "work that uses the Library" with the Library to produce a
   work containing portions of the Library, and distribute that work
   under terms of your choice, provided that the terms permit modification
   of the work for the customer's own use and reverse engineering for
   debugging such modifications.

which is okay for the ASF, but not okay for all of the people who
redistribute ASF software as parts of other projects.  That is why
this is not an issue of legality -- it is an issue of policy.  The
ASF policy is to not use LGPL code in any of our projects.
Roy


Re: primary distribution location

2003-02-05 Thread Roy T. Fielding
Can I explore the issue a little bit further? The question that 
usually arises on Ant is not the storing and distribution of LGPL code 
itself, but the storing of code that "links" with or depends on the 
LGPL code. As an example, let's say we want to provide an SSH task for 
Ant (a recent question). There are a number of LGPL SSH java libraries 
around. The code in our repository would be developed under the ASF
licence - it would consist of a Java class that merely drives the LGPL
library. It will typically have import statements - something like:

import lgpl.sshlibrary.Thingy;

This code cannot be compiled without the LGPL library. Once compiled,
however, it can be distributed without the library. To use the task
code a user needs to supply the LGPL library independently.

So can the above code be stored in our repository? Can the compiled
code be included in a binary distribution?

The import statement alone is sufficient to make the source code a
work based on the Library, which means we could distribute under the
terms of section 6.  Those terms are viral and disallow binary-only
releases, making our product viral because the Apache license does
not require redistribution of source with executables.
In short, the answer is no, and this applies to any software with
copyright of The Apache Software Foundation.
Roy


Re: sponsoring of asf: fud or truth?

2003-01-29 Thread Roy T. Fielding
On Tuesday, January 28, 2003, at 01:06  PM, Greg Stein wrote:
On Tue, Jan 28, 2003 at 08:55:33AM -0500, Ben Hyde wrote:
...
are accounting records available?

I thought there were, I know we discussed having them be public in the
first year.  It may be that some reason arose to keep them under wraps.
The short form though is they wouldn't help resolve this issue.  Most
of our needs are met by donations in kind of resources - particularly
the labor of the many kinds of community members.

As a public charity, I believe they are required to be public. Roy would
know the definitive answer (CC'd on this email).

Not exactly.  They are required to be available for IRS audit.  A member
of the public might be able to request a record, but that would be very
strange.  We've made a practice of recording them in the board meetings
unless the donor requests anonymity (nobody has so far).  The only
significant financial donation has been from Siemens AG (Germany),
with lesser amounts from ACM's software system award and Copyleft for
t-shirts.  The bulk of our funding (something like 70%) has come from
past ApacheCon conferences.
Roy


Re: ApacheWiki RSS feed moved into apachewiki.cgi

2003-01-08 Thread Roy T. Fielding
infrastructure, can we have a new mail list called [EMAIL PROTECTED]

It appears to have been set up this morning with only you subscribed.
Roy


why my home page is on www.apache.org

2002-12-04 Thread Roy T. Fielding
Unfortunately, Roy's site is sort of an example of what I don't want to
see.  However, what I believe Sam hasn't realized is that Roy *just*
moved his site there from the UCI servers while he looks for a new home
for his web site.  (Roy will correct me if I'm wrong.)

That is only half the story. The reason my home page is on www.apache.org
is because I need a politically neutral and noncommercial webspace,
where I have complete control over the content, that I can give as a
pointer to my work as an individual distinct from my employer du jour.
I need it because the ASF frequently wants me to present a completely
noncommercial face to the people that we negotiate with, particularly
when talking to the press.

That is also why I kept my home page at UCI so long, but that situation
became untenable as the school's Unix expertise went elsewhere.  Apache
is the only place I can trust not to take advantage of my association.
I've actually had a page on www.apache.org for a very long time,
longer than cvs has been on a separate machine, but it wasn't kept
up to date until recently.  I'll move it to people.apache.org or
community.apache.org if we ever decide on such a thing.

I own several domain names.  None of them are hosted because the place
where I live doesn't have DSL and there are no cheap hosting solutions
in So. Cal.  More importantly, I don't have time to maintain one.

The information on my website is stuff about me, my vita, and my
nonprofit projects related to Apache.  That's all.  I see no reason
why any committer should not be able to place such information on
an apache.org site.  I happen to do a lot more stuff as an individual
than most people (projects, protocols, talks, etc.), so it shouldn't
be surprising that there is a lot of stuff there, but there isn't
anything that would cause bandwidth waste or disk space concerns.

The tilde character is a universally known syntax for defining
user-controlled namespaces within an HTTP server's naming authority,
so the notion that the content might somehow reflect poorly on Apache,
somehow more than my personal participation already reflects on
Apache, is just nonsense.  If that is a genuine concern, then host
one of the hundred or so other hostnames we have available.

I'd be happy to pay a hosting fee to the ASF if we could arrange for
such a thing, but that's hard to do until we have an accounting of
ASF hosting costs.  Furthermore, since I've personally raised more
money for the ASF than my homepage could ever cost in terms of
bandwidth, I won't be feeling guilty about that any time soon.

In the mean time, I have far more important things to burn time on
than this issue, and so does everyone else.
Roy


Re: Rules for Revolutionaries

2002-11-15 Thread Roy T. Fielding
On Wednesday, November 13, 2002, at 04:20  AM, Rodent of Unusual Size wrote:

Costin Manolache wrote:

What you would have liked is your problem. As I repeated quite a few
times and you don't seem to hear is that the decision about a release
is a majority vote and can't be vetoed - even if it pisses off some
people.

not strictly true, although mostly.  a product release may be effectively
vetoed by the asf officer with oversight of the project, if it appears
in that person's judgement that releasing it would be the Wrong Thing
for the foundation.  in that case, it doesn't matter what the majority
think, since the product is an *asf* product and not just theirs, although
they certainly have the privilege of and responsibility to try to convince
the officer (pmc chair) of the Rightness of the view to release.

Umm, you are both wrong.  Technical decisions are made by the PMC,
according to the PMC bylaws (usually the developer guidelines).
Those bylaws do not allow the chair to make decisions by fiat, nor
is it safe (legally) for them to do so.  The PMC chair is ultimately
responsible for oversight, which means being aware of and making
sure that the decisions are being made according to our policies,
which are mercifully short aside from the redirect to 501(c)(3)
obligations.  The PMC chairs are further responsible for reporting
anything questionable (or simply interesting) to the board.

The board of directors can make decisions about anything, though we
have an explicit agreement with members that technical decisions are
delegated to the PMCs (read, acknowledged voting committers, because
that's what I meant it to say), which means we make "technical
decisions" by closing whole projects until the issue is fixed.  The
Chairman of the Board is responsible for oversight of the board's
decision-making process, which includes making sure that the board
acts when it must, such as when a project is doing something without
legal right to do so.  Please note that the board members have taken
on legal responsibility for acting on behalf of the ASF when an
issue like that occurs, and the only ways to get out of that bind
is to force a correction or resign.

Regarding vetoes, in the httpd guidelines (which should still be the
same as those for Jakarta), no software can be released without
resolving the veto, which happens when the vetoed change is reversed,
or the technical reason is no longer applicable (perhaps due to a fork
agreed to by the vetoer), or the vetoer simply changes his/her mind
and removes the veto, or the person has their voting privileges
revoked.  There is no way for the majority to "vote around" a veto
aside from revoking the vetoer's right to vote at all, which is
pretty much an explicit way of telling them to go fork off.

None of this came up with Tomcat once it was acknowledged that 3.x
would be implementing a different servlet spec from 4.x, at which
point all of the technical reasons for vetoing further 3.x work
disappeared.  It then simply became an issue of whether or not enough
people would work on it to pass the minimal quorum requirement (3 +1s).
Under no circumstance did they ever "vote around" a veto.
Roy


Re: [VOTE] Openness

2002-10-30 Thread Roy T. Fielding
VOTE 1:  would you like to make it possible for non-committers to
read this mail list thru a web archive?
  [X] +1 yes, let's make it readable
  [ ]  0 don't know/don't care
  [ ] -1 no, let's keep it private
VOTE 2:  would you like to make it possible for non-committers to
fully subscribe to this mail list?
  [ ] +1 yes, let's open it to everyone
  [ ]  0 don't know/don't care
  [X] -1 no, let's keep it for committers only
and invitees (contributors).

Though I hesitate to say so, I need to make this perfectly clear.
I will unsubscribe from this list if non-contributors join.  I am
not going to take time away from my life for people who haven't
earned the right to be in this community.
Roy


Re: Planting a seed

2002-10-26 Thread Roy T. Fielding
We have to start moving threads off of reorg.  Please do not cross-post.

Oh - What's "open"?  I'd suggest:
[EMAIL PROTECTED], members, board lists: mandatory subscriptions to only the
communities; only subscribers can post; archives are private but
accessible by the constituencies (in case of board, I'd think all members
should be able to see archives?).

All members are already able to see the archives of any list and
subscribe to the board list.  The only list that isn't viewable by
members and private to the board is board-private, which is really
just an alias for the current board, and the board is not allowed
to do any official business on that list (only private discussion
that leads to a later public discussion and vote on board or during
the board meeting).

As for PMC lists, I suggest that all committers (or equivalent) on
a project be able to subscribe and post to the PMC list, but only
PMC members (as named by the board or by the project's V.P.)
be able to vote.

I agree with Sam's suggestions that private list discussion be limited
whenever possible, just as it is for the board.

committers list: mandatory subscription to only committers; only
subscribers can post; archives public.

+1

reorg, community, infrastructure, etc. list: anyone can subscribe but
posts are moderated; archives public.

I disagree.  Anyone who is contributing to the community should be able
to join and post.  I simply cannot tolerate any more noise from people
who are not contributing to one or more of our projects -- allowing them
in the discussion would force me to remove myself from the list, and I
suspect so will almost all of the other committers who are maxed-out
on mail.  +1 to archives being public.

general lists: anyone can subscribe but posts are moderated; archives
public and linked to from www.apache.org site and the various project
site(s).
*-dev lists: strongly suggested subscriptions for active committers; each
community can decide posting/moderator policy; archives public and
prominently linked to from their project pages.

+1
Roy