Re: Can you spare 10 minutes to help Apache?
Sally Khudairi wrote: Fellow ASF Community members -- hi sally We have been working with PhD candidate Roland Schroll over the past two years as he's been compiling information on the value of the Apache brand. His advisor is community-based innovation expert Dr. Johann Füller. This is a joint project of the University of Innsbruck and the Massachusetts Institute of Technology. If you have 10 minutes to help, it would be much appreciated. The survey is at http://surveys.hyvelive.de/10_apache/p1.php?refGroup=ache They would like the surveys to be completed this month (February). They are seeking at least 300 respondents. As such, if you know others who are interested in Apache from a market perspective, feel free to forward the link to them as well. are people happy with this URL being made public? (as opposed to just publicly accessible). in other words, is it intended for community members only or are we free to blog, facebook, tweet etc...? - robert - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: Can you spare 10 minutes to help Apache?
Robert Burrell Donkin wrote: Sally Khudairi wrote: Fellow ASF Community members -- hi sally We have been working with PhD candidate Roland Schroll over the past two years as he's been compiling information on the value of the Apache brand. His advisor is community-based innovation expert Dr. Johann Füller. This is a joint project of the University of Innsbruck and the Massachusetts Institute of Technology. If you have 10 minutes to help, it would be much appreciated. The survey is at http://surveys.hyvelive.de/10_apache/p1.php?refGroup¬he They would like the surveys to be completed this month (February). They are seeking at least 300 respondents. As such, if you know others who are interested in Apache from a market perspective, feel free to forward the link to them as well. are people happy with this URL being made public? (as opposed to just publicly accessible). in other words, is it intended for community members only or are we free to blog, facebook, tweet etc...? if the answer to this is yes we are then can Roland's server cope? - robert - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: [OpenPGP] Key Transition
Simon Pepping wrote: Robert, You recommend that the new key be made the default key. But if it is only meant to be used for code signing, it cannot be the default key. Unless this key is on a separate keyring. Right? a keyring can contain more than one secret key. any secret key in the ring can be default. it's up to you but one good way to set things up is to have one, secure keyring for both new and old code signing keys. in this case, the new one needs to be the default. Is it possible to move secret keys from one keyring to another? http://www.apache.org/dev/openpgp.html#secret-key-transfer (probably need to add a link somewhere) - robert - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: [OpenPGP] Key Transition
Grant Ingersoll wrote: I'm trying to follow the instructions at: http://www.apache.org/dev/openpgp.html#generate-key And am getting [1] below. I think I have a public keyring (I've signed releases in the past so I thought it should just work). I'm using GPG 2.0.12 on OS X (10.6). I have a .gnupg directory and it contains a bunch of stuff, but I admit I've always just followed the instructions on this stuff and not understood the why behind it. the home directory is used by GnuPG to store private keys and configuration information. it's .gnupg by default but a useful trick is setting this to some other location to get a clean configuration to practice on or generate keys into. http://www.apache.org/dev/openpgp.html#home should have some more details. [1] gpg2 --gen-key gpg (GnuPG/MacGPG2) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire n = key expires in n days nw = key expires in n weeks nm = key expires in n months ny = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. ... gpg: no writable public keyring found: Unknown system error Key generation failed: Unknown system error my best guess is either a permissions issue or a version conflict. either way, the best approach is just to use another home for generation. hopefully this should be covered in http://www.apache.org/dev/openpgp.html#home. i usually generate my keys in a new directory on an encrypted USB stick. that way, if anything goes wrong my active keyrings are not effected. maybe this should be added as a tip. - robert - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: [OpenPGP] Key Transition
Grant Ingersoll wrote: Another question: When updating my KEYS file (per http://www.apache.org/dev/key-transition.html#transition-export), do I replace my old one with the new dual export, or do I append to the KEYS file? there's no functional difference (at least during the transition) but there's less work later if you replace the old with the new. (i'll add that to the instructions). - robert - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: [OpenPGP] Key Transition
Grant Ingersoll wrote: On Oct 14, 2009, at 3:51 PM, Robert Burrell Donkin wrote: Grant Ingersoll wrote: Another question: When updating my KEYS file (per http://www.apache.org/dev/key-transition.html#transition-export), do I replace my old one with the new dual export, or do I append to the KEYS file? there's no functional difference (at least during the transition) but there's less work later if you replace the old with the new. (i'll add that to the instructions). I feel like I'm missing something. Is the new one the new standalone one, or the dual one, per the transition instructions? It seems like I need to have the old key in there for the old releases I have done (although, arguably, they are in the KEYS file for that release). the instructions for the dual export should export both keys. providing that you replace the old one with the dual export then both old and new keys will be imported. (if you just export the new key then the old one should be left) - robert - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
[OpenPGP] Key Generation Instructions
i've blogged some instructions for generating stronger keys at http://www.jroller.com/robertburrelldonkin/entry/openpgp_generating_a_strong_key which i hope can be the basis of apache key generation documentation. feedback and testing welcomed - robert - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: [OpenPGP] Moving Away From DSA and SHA-1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Roy T. Fielding wrote: On Aug 11, 2009, at 8:24 AM, Robert Burrell Donkin wrote: 1024 bit keys and SHA-1 links are currently considered safe so there's no reason to believe that apache keys have been compromised. transition statements [1] in a trusted location will probably be good enough to convince most people to re-sign. but we'd need to think carefully about a sufficient secure infrastructure before recommending this. There is nothing wrong with the existing keys. There is no danger of any compromise, even by brute-force attack. Our signatures are used for verification, not privacy, and in any case the schedule for key sizes becoming weak is based on speculation. There is no evidence to suggest that anyone has managed to find a specific private key to match a given 1024-bit public key. the weakness with 1024 bit keys is that they have to use SHA-1 which is now looking vulnerable. this issues effects both the WOT and signing but not encryption. i agree that the key size estimates beyond 2048 are just speculation. no one really knows whether 4096 will be found to be too weak before SHA-3 is finalised. it is clear that 4096 is a better size for new keys than 2048. Quite frankly, I think that this effort to purge 1024 bit keys will simply make PGP useless for verifications, since PGP without the web of trust is a friggin waste of time. What people should do is increase the default key size for new keys and just be happy that anyone uses PGP/GPG at all. this isn't about a purge but an orderly transition whilst there's time to do that. if it were just encryption i'd agree that it's a waste of time. the problem is that the WOT uses SHA-1. if people act whilst SHA-1 can still be reasonably trusted then the WOT can be re-established relatively easily. every SHA-1 link between weaker keys can be replaced by a SHA-512 link between stronger keys. if it's broken before we start the transition it will be much more difficult. - - robert -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIcBAEBAgAGBQJKgrl4AAoJEHl6NpRAqILLgG0P/1LYdFIDKSvQW9k3ERsX6qEC yqbDvX+wW4xK2HtkoVO/JLQ95QT8QsgTsmYz1SHaRebn4DERejF16WXji7k34vJY GpUUweGm68MKeUBpMZhNPeT6lV+ytbwkO983xkmllYpqkCPF7q34FX/dDN/7y3uX O5qtubz0bUCupIFvGPWmLTnlOIXBxbsoxaanf36oMk6vYL3HLOQxGOp66FAbgNdV f7Ofl/PG+VDtIPFxeOuZmVIn5YX+EJiL0o2kTvhoBCgfj4cRoKJI6QUba7Ofzlq4 1UI1+qHeyrUl83i/OyjHPk8S9DiNnZ+z1JsTkA7r1PAdq5ZN3UW3XFPrgreQDlFk y5oPpRqpAcWF5YS57KgLgp35bTxJhb1oi7uxvtv84If9K7TW+eecG+3OQJFu4J9F S5iQ0IDd6uDZ/gApmApTZJyqAa4UWCqVLd9ySEiSLXOpE0pUfyo37c+2L1delBhg UYUtcDbgF7x7P0ju7bNxomJ8Ibb5dUttinzGlD+kTfD5hpd6G6J9OkXXKR+Me0f4 5XjZqv5YJXure/Ujc+svEzOGDIUORqDznTT7Rut3iIpLhVpNDjnWiXw7tPtn9WDM sZBLKTHLH6vRgfacrdkjSy278834o+0NOK5zO3Z2Udu0EbVwKDadelnwSP4NIPL0 G7CwOeSmCINhs1wJrFoe =16P1 -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: [OpenPGP] Moving Away From DSA and SHA-1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Henri Yandell wrote: Need to update http://www.apache.org/dev/release-signing.html to say 4096 asap I suspect :) Stop new people being lured into this problem. yes but... key size isn't the direct cause of the problem: SHA-1 is AIUI the OpenPGP WG assumed that the next generation hash algorithm (and so the next OpenPGP revision) would be available before SHA-1 was broken. this is now looking very unlikely. so, new keys need to be generated using the latest tools with specific settings (older tools and default settings typically try to force people into the OpenPGP defaults for compatibility), and everyone (even those with longer keys) need to upgrade their tools and adjust the settings. we also need to ensure that we're setting up the infrastructure for an orderly, measured transition rather than rushing to create a panic. - - robert -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIcBAEBAgAGBQJKgru2AAoJEHl6NpRAqILLf3AP/RPhP1RED+VhnpPrgBacYc/l CQhVthk5sAru4aFLm/v4FcDab0eqLbnhexq9eKAamkehkW5x+F7qyuwng/RHtN7T kQkLgjS8LGxfP+nhs11iHzOdtCPVJ5Q1VOaDJ4HbOTnV7H4jhHgAzdB2700LCB4r /mSk2YG9zfBJXc8kXYD9r/LkHtKlWfdC9evbvlVO8WMionbKwzcq87vD+10dW23Z ne0lqKDyw/9pCn8HMRt2S5o5E/QynZ+681ONgeNGGU67W5FWW8NPmH20AYLwEFXH pPPMXHyLMQFZffHenJHMeJJLpEtOwKBL/Fa7ITiOTv7+2jd+EBrghUIa/K9p2VYK 3GcOzvK/tfhR2qV05N1NyScTbHFq6HgpL++r0ijB4thhqrZzXoLrVQRJzO58iXBI +HHJ6GRdSNN6Dt9eZ58dsnvwONd9x8M0Omsut1azbNfOtO9WrjveBgygLwWE4LgI iqoxaY4zZmahPPvFag4urdVcl4Lu0T77q0llO94YucIHgHJMITk8dACJey/Fp1SO xHqMpn2AiMRlbfbOESAbG70yUvRS8QZ7z28E17pSXHMrXrf6vrIG0dhVKSUfIE/A PQ8qR/t9gi70FDKs+awA5b9D5k3fL2fQGVaq+NTovnHmS5z7jKZJQWpstBsZ2rCo DqJkyt6lLNfC+B5pB01b =mL9t -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: [OpenPGP] Moving Away From DSA and SHA-1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 William A. Rowe, Jr. wrote: Jukka Zitting wrote: Hi, On Tue, Aug 11, 2009 at 4:09 PM, Rich Bowenrbo...@rcbowen.com wrote: Is it possible to regenerate my gpg key without losing all the signatures on my existing key? To bootstrap the new key, you could sign it with your old key. Not sure if that should be enough for others to trust that it came from you even without a F2F keysigning party. for the moment, yes once 1024 bit keys become generally untrusted, no this is the big advantage of a measure transition: having to purge your only key when DSA is conclusively broken will be a PITA Signed with Ultimate trust, it should be enough. You can have multiple private keys in place so enigmail and other programs will still decrypt all of your artifacts. But you should have people sign the new key (and we can do so, trusting that you-were-you, and your new key has ultimate trust from the key we already signed). E.g. my old key is still valid, not yet revoked, but used far too often for far too many artifacts. So I rolled a 10 year (you might want it to be forever) master key, and just roll some one or two year encryption and signing keys to use for 'a while'. The nice bit, people sign your master key. You sign your subordinate keys for various purposes, creating new ones whenever you want. So no more need to get new keys signed. this is the setup i'm using ATM - - robert -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIcBAEBAgAGBQJKgr0pAAoJEHl6NpRAqILLQewP/jEaNbFJ3M9MjzSfKir0N1T/ qKLDPkO+tfU6tkq/ywr2j10QJkTm4G23AUMiEMHA0AMmg8mz0QhPb+WiuVxMm+9S Sl0mgbhtn/ZOKd9SrctksDqThq3N03we+OtIkSJ5WJkjqxl8umkZhSaIyJWluFrs a8JVLrmYLs4niUAtJ2o5QJZbWHrf5W0QRCtx5Kh7g/PtXuooNYNphh8OBty4N56y mzv3QwmILlaoiMxwYW/UOBH4Jq7lzpIF+xC3Eqh8Pa+KXd2034nW/3lQnqi5aEbj 81iT3BYWrADIszurr2xvOnbDNrTxnhSCT1aXFFhAPpRBumrvvudtTOL2FHmLbqOu 36AztnlGIyAO+ho48AEybx1GuSLO/BkBaeiWTGrkEtv4gZiSvWwWooFjp/gbYpIJ +gwWiBuUH3FBdAN7YAb7il4bH9L/Iip0hxWtDhq63FM6qlKgKoiDB/fG0h7Gl5M8 MFozOk8GBMF5sJJvmEfcqC691am5rHYO5KWYBuiEl2Bc9BJQC/rdwwggk2o8V9uP n1bw4jwrwR9YsO9aLEHgNiCAh0xq1MD57HbeFNLstBy9HtQto8VAisHh6rF8qPYA 0+RwdnSBiKaJMiMPzOrts/XEC41CMb3FqLWHrMUp9Y8cY6qSaGrWFcZHLdsKireg hL6yTDt0cgiSqUbi4JZm =1Zsv -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: [OpenPGP] Moving Away From DSA and SHA-1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Robert Burrell Donkin wrote: Henri Yandell wrote: Need to update http://www.apache.org/dev/release-signing.html to say 4096 asap I suspect :) Stop new people being lured into this problem. i've committed something (as a stopgap measure) yes but... key size isn't the direct cause of the problem: SHA-1 is AIUI the OpenPGP WG assumed that the next generation hash algorithm (and so the next OpenPGP revision) would be available before SHA-1 was broken. this is now looking very unlikely. so, new keys need to be generated using the latest tools with specific settings (older tools and default settings typically try to force people into the OpenPGP defaults for compatibility), and everyone (even those with longer keys) need to upgrade their tools and adjust the settings. we also need to ensure that we're setting up the infrastructure for an orderly, measured transition rather than rushing to create a panic. should probably expand that section explaining the situation. maybe something like: Recent research has revealed weaknesses in SHA-1, and in the DSA and 1024 bit RSA OpenPGP keys which must use this algorithm. Though these weaknesses are not yet feasible but - if experience with similar weaknesses in MD5 can be a guide - further advances may well lead to practical attackers within the next few years. There is no reason for owners of these keys to panic but new keys of short length should not be generated. All new RSA keys generated should be at least 4096 bits. Do not generate new DSA keys. See discussions on the community list for more information. opinions? improvements? - - robert - - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIcBAEBAgAGBQJKgsXCAAoJEHl6NpRAqILLRfMQANmiqQ6PIIqxXj2E913/U1py 9pcBZE5veSmXqEu0p7gL/U0QWkbFd8Ogfv2NAlKAZaA39bAyB6U2h3Pi0KSAJkQ4 VtFhjwTdqGYSU+DZW/TCR06W1V8VNWcXRjCujuVE6Zp59DAn2/qYHKwh09D77BRt M+gYyPHQWf5WqUt1yQlLq56aXIzkwoFccPMEjGvbztwaK7lFYNbx8/LQZclvFTEn 5kinUIHakU8vsz+UT92Cz/kuzBYheO8Ih1zjO1h3PXJfoZyulDgOHj+M1cYNbHrp een0Y21zAK9NaB1arPargd4yIjGpaI0BVp2nSCvI5MZT3VpJUm025RiYvSjQn3f4 psfG6Y4vS3X/d7FsNszx4uQgtIoP8S1Iq8QFqF0p5zzxW91i3JaLGwq4dNS92to8 DLRb/3Q+90LfANdIjorDYDeybF4DICXUK6bIcAe3ejEhnsIGx41OxKrhIl17UWwl +ZJuBIZfjQXLpg3DpExnCawo23vB02+Op2anzN1AISlIUtZqGu4EkArZA/i3fy4X QRNd28/eh/JeozVPjDhhD+K0Uph1154hu8RgTKBs9emLzCsy5h67wtQJVbRrmbI+ zuZ6g6okhQPUtrjQzKlv6WwgdqjxVSAl+uuJdbr+BkDdSI1gJxlUwAfh5a0uHY1B IJrs7IDy429sbaMylGrJ =2LWM -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
[OpenPGP] Moving Away From DSA and SHA-1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 with ApacheConUS only three months away, we really need to start planning how apache can move away from short keys (DSA and RSA 2048) and weak WOT links (SHA-1)[1]. the consensus on infra was that this is the best list for this discussion. if it happens to get too busy then a new list can be created. the first step needs to be updating the documents so that new release managers know how to set up and use GnuPG[2] to generate keys unlikely to need changing in the next couple of years. i'll start a thread over on site dev to cover this. the first question for discussion is recommended key length. 2048 is the minimum safe size for new keys but only just. for keys used to sign releases, 4096 is more credible today. 8192 bit keys are possible with GnuPG[3] but are fiddly and - in older tools - support may be patchy. going for 4096 would mean a second transition before 2015 but the next generation (SHA-3 and next generation of OpenPGP) should be available by then. consensus on infra was to go for 4096 but if anyone knows any good reasons to go for some other value, please jump in. - - robert [1] http://www.jroller.com/robertburrelldonkin/entry/release_distribution_renewing_the_web [2] http://www.gnupg.org [3] http://www.jroller.com/robertburrelldonkin/entry/gnupg_8192bit_rsa_keys -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIcBAEBAgAGBQJKgWaEAAoJEHl6NpRAqILLzzQP/RI/ZpkauHrLMzW48lNRsmUc h9a4HJ1WXL6eESSbJK9rawPxrAvG/p3rbH3TTixIkwLPz8BQDuG8kxmTHn8LDlGg /YLZbDtgFpF3SElGn1MbzldI48DTgw/JXa4opVHi/gvSAoA72+P7td5D12YiA+6R Urr6I8hcDOdHRfDsXPHbu5MLh4S//vVgrdOXahLqwzwJK0GCdsjJ88RGJgPXrWfH abfzKY3jGUheLtIJUbQiMI2IKA5VrCK+WMXoWxnqnnxL6JDQUGXfpai5dxoRy22D wcv6UN+FIUF8OCBymYRXMcngwczYDkYkUyrVEjOSlnmtC4rHKq/wZGtn3VJGSCEf hLoSC+aZ+HLHxK5pA0ZxRs4IFhMtTijV5ng6VA1aOPW0N1ySIUd7fgAO7QpksCcL 84LZMAzstH48Ce2Zzrj8oJ5NLYIR531Mh0C7N/JRkUdPLTXDByvXBTJ9uRXoRw6v a1IexoewUxXfAcR2Yi0lVtkL9ZBVWMm/caXpSqLHKxFvQND71dWg+7UsfJR057c3 CP5bwJIp4dANLOeYa6kj07b+Xu2ZutKBAdZWSH/u3lx1Grh3apq1gbGmdoyKyLyj d4px2wyB6oWS5C3ZEdAG8oy9QC1LERgnqTt7kMGMNl5j8E1AAMsPTw7laULss1S1 itF2Nys9bJZA1dfQTx7B =w79Q -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: [OpenPGP] Moving Away From DSA and SHA-1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rich Bowen wrote: On Aug 11, 2009, at 10:13, Tony Stevenson wrote: You cannot retrospectively 'upgrade' your key, AIUI, at least. So you will sadly lose all your signatures as you will need a new key. it should be possible to use a script to transfer them Thankfully I created mine with a 4096 key length so I'm ok, but I get impression many folks wont be. Get your key created now, and at Apachecon we will have to have a large key signing party. :) yes :-) but we can probably do a little better than that 1024 bit keys and SHA-1 links are currently considered safe so there's no reason to believe that apache keys have been compromised. transition statements [1] in a trusted location will probably be good enough to convince most people to re-sign. but we'd need to think carefully about a sufficient secure infrastructure before recommending this. we should really probably think about setting up some minimal revocation infrastructure (subversion space plus mailing list, perhaps) plus documentation while we're thinking about it... Pity. Also, there's the issue of being unable to read encrypted email I receive by the old key. But I suppose that I can deal with that on a case-by-case basis. And hardly anybody sends me encrypted email any more anyways. the particular problem for apache is that it's the code signing usage that has been broken by the SHA-1 collisions. it's safe to keep the old key around to read encrypted email. personally speaking, i'd just delete the signing private key and transfer the encryption subkey to the new ring (setting an appropriate expiry date). Ok. Generating new key. I guess this is my chance to purge all of those former employer email addresses from my key, too. there are some settings that need changing before you do. probably need to upgrade to the latest version of GnuPG as well. i'm working on some instructions which i'll tidy up and blog some time soon. it'd be great if people could wait and alpha test the official apache documentation. i have some instructions about replacing the existing uses at apache which i'll tidy up and blog. since the DSA keys are still considered safe ATM, i recommend retaining both for a transitional period. the important point is to use the new, longer key for signing. - - robert [1] http://www.jroller.com/robertburrelldonkin/entry/openpgp_transition_statement -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIcBAEBAgAGBQJKgY1CAAoJEHl6NpRAqILLL8oQAMNJk1Zy6e+zkbpqcYtE/x6N lny/kYTMrnIM6xeewlFVUnLBkB9nIgYhrHaqCpQx3yRCh8ouUKzCFOWMNbCGZHxf sOZmOOTHa36y0K+9+iJI38VFfT03wXoI3qGHcCT/AE04oSVSGKZE9wveb/0uPhjs pNmcuvvaJ01urZioKnZw7H37b2kPLMowqtf+t+4w/NWy5iok1QKN50xW15yJDfnh 83D8EoW191Zbg9beba51WmdWzk3Wio/J3ngpM69LxmJTxYSs0BI5rK+cUaD/E5XF XiDx7ZS7dAfHeRGGU47SVlmJ+IIf1BK2DCiP43cYKjZOJnP11C3p00Bytc+MyQ02 x+412rSZDyqEEL5odlYfFiwj7lWWw7dji4koeszJDNQtKdiC+VZX24TXYhQmLLhw R53OCe6hW9l4hi903C+hJ9zXVwy+UMRRG6GkQ1tZt04H6Ag8yUSATCLoD0YrCzXe M3ngr2wr3uPvxwyUftJ4KUYJyKdwrMvaUPDBNg+ruETpI47t/Ry6DJDzdT0OU5PF UK+KPkmAWdc07RjkxzrtnAllsRVCLwHsu5FeOLvLBBYW8iHuZinfr/Ia0QTz245v 3BW+PFy78IAmJ38tF109mAD9idqM7TJI4uVtg6XyaaK9Gh+KenAGkf4JeAwU+Urw j1ZLV+qgpTdVE9vOvYPG =jBlm -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: [VOTE] Change community@ list settings
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [X] +1 Change list settings (allow anyone to subscribe or post) [ ] -1 Keep the current settings - - robert -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIcBAEBAgAGBQJKVGGSAAoJEHl6NpRAqILLf7kP/0nXSMYZc3irsDnQEXbhtasB 05CBZZSHEdLuNuZ/pW/nSz3mxsgDy/Itw4BjlPL5mg3YQl+aDNIf/JWG4Pfi4X3p vT33crsKu5UKbBL5jwp5v/SUqZ4yFax1Ft3aiujXc+4XkM2Di3+SvA91/BaRzsCs RQazYvoxcNvOMT2oGvBqWK0Q2wrBTg6+63To26VO21sMSFt0LR7ohbioumeU1zHB CzyijBw4E3hp/SlzlnF/pPLzg4UjJcsvpNTQdqD+qRCy453IpgXUw3mCJES/BBFQ 9k6X20IdGbmn9uXmlV7mmxOGDC8LS1cAg7rOe8W7FsRPVrYNiHtTbRMfwNJ9/0ZU DPFMbyOQq8MMJke+taowEi2LayNfOIwHXciTYoekItsSjcjZ9BEvpnz97dHqktiv XeXQS8WdSVpZRXq6nVGFn1swFwGb9GmieaRmf8cffIJ2JhQeSgPhx8lxy+c/ZlNm b7TDfBYMag+OI97KTQzI//IlhIjGXXeErmahYjGuwmNF7quKdvOkZOwjO8Xto5Dz HhcWJLmrU3SxwPSHyaP0GpNc92JwuS7uGyhskycyjd7u+vKUihyFcIuDb6s3cbw1 RVdECimA7+amVy9qDrHvUO/nnpGER3jHlmiXWKbrt89tjQU1B/5nx1nbkijYcYKt U5iKOirqHzWGBbwiM16N =FcgY -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: [apachecon] Meet the developers corner
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jukka Zitting wrote: Hi, Here's an idea I came up with for the proposed Content/Web Technology track in ApacheCon US 2009: We'd reserve and mark a table or a corner of the Hackathon area as the Meet the developers corner where conference attendees could come and meet the speakers and other project committers in a semi-organized manner. The corner would have a wiki page where people from various projects can sign up so everyone will know when they'll be there and what projects they know about. This should make it easier for users and other interested people to connect with the developers. The corner could also be used as a place for ad-hoc demos, hands-on tutorials, etc. and I'd like to ask the speakers of this track to drop by the corner for 10-15 minutes after their presentation for any followup questions and discussions for which there wasn't enough time earlier. If people like this idea, we could even expand it to cover the entire conference instead of just a single track. WDYT? +1 - - robert -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkoavlAACgkQQ617goCdfgNywQCfZTb0dCV3X+AJPv0ukxGT86A1 dXcAn2+KLRpMGm5DcvtMe0vQOmiAmdpz =RlgU -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: [meetup] Hadoop in Berlin
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bertrand Delacretaz wrote: Hi Isabel, On Tue, Apr 28, 2009 at 11:23 PM, Isabel Drost isa...@apache.org wrote: ...In the past year there have been quite a few Apache events (Bar Camps, Meetups, User Groups etc.). Actually there were so many, I think it would be helpful to have one calendar*, where all (or at least most) of these events get posted. I think this list should be published somewhere at Apache. However, I have no idea where that should be done. Any suggestions?... http://blogs.apache.org/foundation/ might be good - that's managed by the PRC, the best might be to send a draft blog post to them (p...@apache.org) for approval and publication. +1 a public calendar associated with the blog would be useful as well - - robert -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkn5eRAACgkQQ617goCdfgMACACg4b3WcFh1vqmyjQs5b635troE lCMAoNg62g29ndLbhAqm/e8Xm1k2sqtv =/fBn -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
How To Get (More) Apache Products Into Linux Distros
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 this has been in the air for a while. it popped up recently on the incubator list. i've create an issue (https://issues.apache.org/jira/browse/INCUBATOR-104) for anyone who has a comment but doesn't want to join gene...@incubator.apache.org - - robert -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAknd4r0ACgkQQ617goCdfgNdhQCgxmq9Lc90kB2MblvnlREoOa5O FZcAoKnCi+3yxHv3heQoN2mxLB4jn6Fj =rgLA -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Themes [WAS Re: Topic-based mailing lists]
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jukka Zitting wrote: Hi, At the ApacheCon we discussed about introducing some generic topic-based mailing lists at Apache. Currently inter-project cooperation is a bit difficult as joining another dev@ or user@ mailing list can be a pretty overwhelming experience due to the heavy volume of project-specific discussion. To avoid this problem we could introduce some generic mailing lists that cover technologies or other topics that are of interest to multiple Apache projects. Such lists could be osgi-interest@, http-interest@, xml-interest@, rest-interest@, jcr-interest@, build-interest@, etc. Whatever topic where two more projects have a shared interest and believe that they could benefit from a low volume forum where they could coordinate their efforts and exchange experience and code. WDYT? a good start :-) i think these issues are definitely in the air ATM, so i would like to hijack this thread to start to talk about a related issue i think we need to start thinking about how apache - as an organisation - - can re-invent the social integration that jakarta did so well (see http://www.jroller.com/robertburrelldonkin/entry/apache_the_foundation_needs_themes). though mailing lists are a reasonable start, documentation will be needed to write up what happens on list and to share presentations and other material. it's now hard for people to find which projects have interesting code related to a topic which doesn't directly map to a particular top level project. so, a directory role is also needed. i would like to see a new organisational unit introduced to focus integration efforts (both social and developmental) that cross-cut project boundaries. i think a 'theme' would be a good name. i see this as a way to meet an emerging grassroots need. for example, lots of projects are now starting to take OSGi tooling seriously. felix is the emerging hub but - as a conventional project - it is not really the right long term organisational vehicle. i also see this as a way to allow apache to push broader strategy. for example, starting a Cloud Computing theme would be a way to crystalise and evangelise efforts in this area which are compatible with the foundation's aims. here's my current thinking (in organisational terms): 1. themes would be grassroots, self organised committees like projects with a management committee and committers, and not top down appointed committees (like legal, infra) 2. unlike projects they would not be allowed to host code or make releases. they would be allowed the other infrastructure of a project (versioned documentation, a website, mailing lists, issue tracking, wiki's). opinions? - - robert -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkncao0ACgkQQ617goCdfgP7xQCfdgxSqDayPmvPWOD6oy7+vraI wCMAoKKhqukXWx+cfH9rKbGW3Ou4RhfX =Nhhc -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: Topic-based mailing lists
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 J Aaron Farr wrote: On Tue 31 Mar 2009 21:34, Henri Yandell hyand...@gmail.com wrote: Use community@ - if people get annoyed they'll voice that and the correct context list can be created. Community gets used so rarely that I don't have a filter for it, so there's nothing to complain about yet and you're making make work. +1 for using community@ gene...@jakarta used to be like that. Some people loved it. Some people didn't. Personally, I think we as a foundation have lost something as Jakarta has disbanded. A lively general discussion list is useful. And members@ is too closed. +1 IMHO there's a definitely feeling in the air that we lost - as well as gained - when jakarta was disbanded, and that now's the time to start doing something about it. it didn't make sense to devote effort to this until the new way was bedded in. the incubator is now working ok (we need to complete the documentation but i talked to a few people at apachecon, and we'll get that done over the next few months). i'm going to formally introduce this idea over on members in a few days, but the idea i kicked around at ApacheCon was introducing a new organisational unit (a theme - projects on the right and themes on the left). the aim would be to be like the non-code part of Jakarta which worked well as a spur to the development of serverside java. this is basically an cross cut integration project and is only allowed to talk (documentation, mailing lists, committers, PMC as per standard projects but no code and no releases). so, it would have to work with other projects to achieve it's goals. themes would also use the incubator access rule (conventional access to PMC/committership for members/committers, others by invitation). themes would provide the members and the board with a vehicle for long term, strategic plans spanning many projects. the initial worked example would be Apache Cloud a hub and focus for cloud related activity especially the tooling that's required across projects. The trouble with a general@ list is that it's hard to build a specific community there. Just because there are occasional good threads about, say, osgi on a general@ list, why would a non-ASF committer subscribe to general@ instead of existing osgi specific mailing lists? So I think you have to consider your goal: If you want to create a public community for discussing a specific topic, then specific interest lists are appropriate, either here or outside the ASF, such as Google Groups. If you want to bounce ideas around other people already inside the ASF, then use a general list like commun...@. You can always move the discussion elsewhere if necessary. +1 i would like to suggest that we encourage PMCs to approach the board with requests for general lists supervised by their PMC. for example, ATM OSGi talk is starting to converge on felix but risks - in the long term - drowning development work there. it would make sense to encourage felix to be able to ask the board for permission to host a general OSGi list for apache even though that's technically out of scope for the project. - - robert -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAknTHT4ACgkQQ617goCdfgNtxACfcJRweXa+DljXLhMbJysidsjc VCIAn1FzJh/xG7gvG1ADshhxsdBBgyU8 =ewx3 -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Sign The Birthday Post
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Add your comment to https://blogs.apache.org/foundation/entry/the_asf_is_ten_years -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAknRtt8ACgkQQ617goCdfgNMKQCeIQ/ByKZIy4FW0jHxLmJh9rFx UwsAn1zdtOPu5lXcjFb7YW3zgNKxoMfD =GuE6 -END PGP SIGNATURE- - To unsubscribe, e-mail: community-unsubscr...@apache.org For additional commands, e-mail: community-h...@apache.org
Re: Fw: Call for Participation for OpenExpo 2008 in Zürich, Switzerland (24./25. September 2008)
On Sun, 2008-04-20 at 09:24 +0200, berndf wrote: Jeremias Maerki wrote: I'm forwarding this CfP here as I've participated in the last OpenExpo in Berne, Switzerland. It was a huge success [1][2]. I hope you'll excuse that most of the information below is in German. There's some information in English on the OpenExpo website at: http://openexpo.ch/en [1] http://www.openexpo.ch/en/openexpo-2008-bern/press-release/ [2] http://www.jeremias-maerki.ch/blog/2008/03/14/openexpo-in-berne-was-great/ Matthias Stürmer, one of the organizers, has mentioned to me that they would be interested in having an Apache Track. In the last issue we were three people from three different Apache projects. Mine was the only presentation on an Apache project. I'm not sure we can come up with enough proposals for a full Apache track but we can certainly try. So I decided to forward the CfP here to reach a larger audience inside the ASF. It would be great to see more Apache projects represented there, either with a small booth or with a presentation. I'm sure it's also a good opportunity for potential sponsors operating in the D/A/CH area. Please spread the word! Thanks! I'd be interested in participating. Should we just throw CfPs at them or should we coordinate Apache CfPs beforehand? :-) Coincidently, I ran into the CfP of German openexpo.de (ends April 30th) some days ago. This event seems to be related to the swiss one. I think the ASF should represent there, too! (And if the organizers are hard/sym-linked with each other, we can test run for Winterthur (very nice city!). My intention was to submit a talk about the ASF in general there. BTW, what about an ASF booth at both events? The ASF should be more visible at events like these! This is a [EMAIL PROTECTED] thing, right? yes it's good to keep them informed but PRC is a closed list with limited subscription. IMHO subjects like this are best discussed in public. IMHO apache is now big enough to start creating a voluntary list of committers who are willing to represent apache on a per country basis. maybe people.apache.org could help... - robert signature.asc Description: This is a digitally signed message part
RE: Grassroots PR
On Fri, 2007-07-06 at 22:19 -0400, Noel J. Bergman wrote: Ted Husted wrote: [EMAIL PROTECTED] and [EMAIL PROTECTED] email drops -1 because the last thing we need are press and security e-mails getting dropped on the floor. If the PRC and Security teams, who actually care about the topic, can't get PMCs involved, what makes you think that leaving it to individual PMCs will be anything less than a failure? individual PMCs may have more domain knowledge and time i think that an private issue tracking system would work better - robert signature.asc Description: This is a digitally signed message part
Re: Apache license headers
On Fri, 2007-03-30 at 10:21 +0200, Henning Schmiedehausen wrote: Very nice! I love the compactness and readability of Ruby (no joke!). If you are interested in a more overengineered solution to that problem, there is CodeWrestler at http://henning.schmiedehausen.org/eyewiki/Wiki.jsp?page=CodeWrestler Especially the license.ReLicense and license.CheckLicense modules. I use this tool on the projects that I work on and e.g. the last Velocity Release got its license headers 'codewrestled'... :-) snip seems like there are number of people from different projects all working in this area :-) Matthieu Riou schrieb: Hi, I've just written a small Ruby script to check whether all your files have the Apache license headers and optionally add them where they're missing. this is the area RAT started out in the real problem isn't ensure that every file has the current license header but that each file has the appropriate license header. this turned out to be quite a complex little problem but i think i understand it now. i haven't really found the time to push RAT forward this year in the way that i would have hope to. if anyone wants to combine their efforts in this area or would be interested in analysis of the problem and possible solutions, that'd be great. - robert signature.asc Description: This is a digitally signed message part
tips for ApacheCon digs in dublin?
does anyone have any advice/opinions about (cheap) accommodation in dublin? (haven't been in that fine city for a decade) - robert signature.asc Description: This is a digitally signed message part
Re: tips for ApacheCon digs in dublin?
On Mon, 2006-05-01 at 20:32 +0100, Colm MacCarthaigh wrote: On Mon, May 01, 2006 at 08:05:40PM +0100, robert burrell donkin wrote: does anyone have any advice/opinions about (cheap) accommodation in dublin? snip Cheaper can be gotten of course, but mainly in the City Centre which is about a 20 minute walk away. One of the closest real budget hostels is Avalon House; http://www.avalon-house.ie/, and it's about a 15/20 minute walk away. looks more like my budget :) If you're searching online, try to keep to the Dublin 2 and Dublin 4 postcodes, and you can't be too far away. Some of Dublin 6 is very close by too. If you want to make sure that any particular place is close by, or on an easy bus/rail route, feel free to mail myself, or [EMAIL PROTECTED], and one of us can help you out. great - thanks for all the help - robert signature.asc Description: This is a digitally signed message part
RE: Question on sending email to PMCs ?
On Thu, 2006-04-06 at 14:17 -0400, Noel J. Bergman wrote: I'd like to mail an informal email to [EMAIL PROTECTED] that all PMC member know about that award Is this appropriate for all PMCs? What makes you believe that they'd care? who knows whether they'd care? not me... but IMHO the right test isn't whether they're likely to care (or not): it's just whether it's appropriate. as much business as possible such be conducted in the open on public mailing lists. the pmc lists should be used for confidential matters only. is there any reason why this information needs to be private? if not then IMHO it would be much better to use one of the many public channels (for example: this list; planet apache; the public lists). - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: At what point do you unsubscribe/deny a misbehaving user?
On Thu, 2006-01-05 at 19:08 -0500, Ted Husted wrote: On 1/5/06, robert burrell donkin [EMAIL PROTECTED] wrote: i'm not sure that i'll find the time for an article but - if there unfortunately isn't anyone out there with a literary itch to scratch - i will create a basic document over in apache dev so that people can build it up. there's a bit of a tradition of using cool emails in documentation so ted: any objection to your email being used in such a page? Not in the least: Feel free to fold spindle and mutilate. grand :) i've created an outline page that needs some revision here: http://www.apache.org/dev/project-mailing-lists.html. i hope to be able to get back and make improvements (could be a few days, though) but at least it's a start. please feel free to dive in (i'm not particularly satisfied so there's no need to worry about my feelings ;) commmitters should be able to check out infrastructure site from subversion and create patches for it but site karma is required to commit changes. so, those without karma will need to add patches to the infrastructure project in JIRA. - robert signature.asc Description: This is a digitally signed message part
Re: At what point do you unsubscribe/deny a misbehaving user?
On Sat, 2005-12-17 at 09:07 -0800, Jean T. Anderson wrote: robert burrell donkin wrote: I'll look at the jakarta lists for how the OT FUD was handled. LOL! i hope you're going to be looking for anti-patterns :) IIRC jakarta didn't exactly have a good record for avoiding flamewars. back in the good old bad old days, [EMAIL PROTECTED] used to be a high octane list with an audience of thousands, scores of trolls and dozens of committers with huge egos where anything which didn't seem likely to start a flamewar was seemed to be considered off topic ;) so, i wasn't really trying to advocate adopting the same approaches, just proposing that it's possible to learn from our mistakes... i'll try to explain the substance (of my last point) a little better this time: if a flamewar is really necessary (which can sometimes be the case if someone aggressively starts posting FUD which the ASF needs to address) then it usually ends better if it's done by an outsider rather than a developer who's regularly on list. now that the ASF has moved to a flatter structure, it might be better for top level projects to raise matters like that on here community rather than tackling it themselves. - robert signature.asc Description: This is a digitally signed message part
Re: At what point do you unsubscribe/deny a misbehaving user?
On Fri, 2005-12-16 at 19:22 -0800, Roy T. Fielding wrote: On Dec 16, 2005, at 6:28 PM, Jean T. Anderson wrote: For crying out loud, would you please supply links to the exact posts you consider to be in poor taste and the person's name? I just wasted 10 minutes trying to follow the bread crumbs. You have to make it easier on reviewers -- everyone seems to be painfully avoiding a pointer to an actual message. sorry -- I'm not trying to frustrate folks. I considered posting specific links, but withdrew them at the end, even though they are links to public archives. The name at the core is Michael Segel. Below are links to public responses to some of his posts (which are numerous enough that they alone would be frustrating to wade through): Well, yes, but what I asked for was the posts that you consider to be in poor taste, not responses to those posts. But now that I know who you are talking about I could use the view-by-author and see that this person is better than the typical troll with diarrhea of the fingers. He is usually right, even when though he would fail miserably as a strategist, and most of his posts in October were both useful and normal. In others, he slides into troll mode on responses. +1 he's actually seems well behaved for a troll. he does a reasonable job of signalling when he thinks he's sliding into troll mode and does answer user questions. not only has banning been generally very ineffectual for trolls (it only draws attention to them, gives them a grievance to use against you at some later time and prevents worries about their reputation from limiting their negative behaviour) but the presence of a manageable troll prevents other, nastier trolls from invading you list. IIRC the few times that banning has worked is against cross-marketing trolls (typically these need to post under their actual names). The answer is to ask your community not to feed the troll when it gets grumpy and just ignore him, and to limit discussion to the topic of the list. Yes, he is an annoying troll, but on balance he hasn't done anything truly disruptive or offensive that I could find. +1 AFAICT when he gets grumpy, he starts going off topic for the user list. faced with a similar situation, i'd probably rename the troll part of each thread to [OT] and ask him politely to continue the issue on the dev list. Personally, if I had been on the list when he started inventing big words about GPL and IBM, I would have flamed him to a crisp so badly that he would have unsubscribed (and I probably would have been banned outright). hehehe all the flame retarding tags in the world wouldn't have saved him ;) Your calls for politeness will only restrain those who care. i think perhaps that this is an issues of strategic aims verses effective tactics. a good atmosphere on the user list is vital and IMO jean is right to be concerned that those who could be contributing to the community are being scared away by the troll. IMHO this atmosphere is fostered best by the attitude of those developers who regularly answer questions on the user list. asking (or demanding) politeness will therefore probably be less effective than the developers demonstrating politeness even in the face of provocation. so, it's probably better to stop feeding the troll and to pointedly stick on topic (for a user list which is helping users solve their problems and not a critical debate about design). the energy saved can be more effectively used reassuring users. but there is some OT FUD that does really need addressing. it may be necessary to tolerate some grumpiness in order to be able to effectively draw a line in the sand which is unacceptable to cross. however, some users can start to feel intimidated and insecure if someone who answers a lot of user questions engages in a flame war. so, it can often more effective for a relative outsider to handle an OT flamewar. (a little like good cop, bad cop.) before jakarta was flattened, there were a number of people who were pretty good at spotting and tackling OT FUD. perhaps (as apache tries to scale) we need to start highlighting more OT FUD issues on this list... - robert signature.asc Description: This is a digitally signed message part
legal FAQ for committers and contributors?
IIRC when the legal-discuss mailing list was first created, the idea of a legal FAQ for committers was floated preferably written by someone with legal training. AFAIK this hasn't happened yet. i agree with danny (http://mail-archives.apache.org/mod_mbox/jakarta-general/200507.mbox/% [EMAIL PROTECTED] 3e) that it's better to have content that can be corrected than no legal FAQ at all. there have been a number of discussions recently involving legal issues (for example http://mail-archives.apache.org/mod_mbox/incubator-general/200507.mbox/% [EMAIL PROTECTED]) and i think that this is something the foundation is going to need. i'd be willing to help write up content for such a FAQ. opinions? - robert signature.asc Description: This is a digitally signed message part
[invitation] work on jakarta and ASF websites
over in jakartaland, we're trying to tidy up the website. as a result of this, some documents will be removed from the jakarta site. many of these do or should have replacements at the ASF level. so, it's become a bit of an initiative to improve the general ASF documentation as well (including new documentation not covered at jakarta). redirects will be added for any pages removed from the jakarta site (so links to those pages shouldn't break completely) but other ASF projects may want to update any links to pages which are removed (which justifies this post). please post any following ups to this message elsewhere: those interested in contributing to, discussing or checking the work being done on the jakarta site should subscribe to general at jakarta. those interested in contributing to, discussing or checking the improvements being made to the ASF site should subscribe to infrastructure. - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Is ASL2.0 not GPL-compatible ??
On 21 Dec 2004, at 19:52, Niclas Hedhman wrote: On Tuesday 21 December 2004 00:02, Nicola Ken Barozzi wrote: snip Furthermore, it was explained to me that the patent right disclaimers in the ASL2.0 can be circumvented in nasty ways by a truly malicious company/individual if that is the intent, SO the GPL compatibility had higher value than the patent right issue. in europe at least, it's very likely that this won't really matter. by this time next year, software patent violations are most likely to be enforceable by criminal sanction. any company wanted to maliciously damage an open source project would only have to target individual european release managers using the most pliant european legal system (UK law, for example). i don't see any way in which the ASF could act to help release managers faced with the criminal law in europe and (against this particular patent threat) neither the GPL nor the ASL could offer any protection at all. IMO the chilling effect of only one open source release manager facing a long prison sentence together with total sequestration of assets would be tremendous. happy christmas, one and all! - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
PRC [WAS Re: ASF Board Summary for June 23, 2004]
On 27 Jun 2004, at 12:23, Greg Stein wrote: snip * The Board approved the formation of the Public Relations Committee (PRC). This new committee replaces the Fundraising Committee and also rolls in the responsibility and management of our press activities, public relations, and management of our web sites. The intent is to present a coherent message to the press, our sponsors, and all interested parties. This new committee is chaired by Brian Fitzpatrick. how's this going to work in practice (with regard to the websites)? does this mean that the right place to post patches for the federation website will change from infrastructure to PRC? what about the websites for projects and sub-projects: is there going to be any changes in the way that these are managed? - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [HEADS-UP] Migrating to SVN, history files and old repos...
On 30 May 2004, at 05:58, Berin Lautenbach wrote: smip Personally I'm a big believer in no such thing as a dumb question. : there's no such thing a dumb question, only a dumb answer : - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Microsoft patents XML based script automation?
On 13 Feb 2004, at 07:28, Conor MacNeill wrote: On Fri, 13 Feb 2004 01:19:40 -0500, Noel J. Bergman [EMAIL PROTECTED] wrote: See: http://www.internetnews.com/dev-news/article.php/3312091 Patent: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2Sect2=HITOFFu=/ netahtm l/search-adv.htmr=9p=1f=Gl=50d=ptxtS1=Microsoft.ASNM.OS=AN/ Microsoft RS=AN/Microsoft Does anyone have any idea how this would effect Ant, Maven, Jelly, JSP and other technologies that use XML to describe scripting? For that matter, would James' use of XML to configure matchers and mailets into a mail application be considered scripting? We have posted examples of using Sieve scripts within an XML CDATA block. It is hard to see Ant being affected as its publication precedes the filing date for the patent, if that is relevant. Not sure about the other projects. here's the patent: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2Sect2=HITOFFu=/ netahtml/search- adv.htmr=9p=1f=Gl=50d=ptxtS1=Microsoft.ASNM.OS=AN/ MicrosoftRS=AN/Microsoft ant is not really immune. patent law is stacked towards the patent holder. even if ant does not infringe, FUD about ant's file format would be enough to send shivers through a lot of companies using ant. the only way to stop the FUD would be to find a way to challenge the patent. IMHO (with the usual i'm not a lawyer stuff) it seems to me to be a patent about a particular file format (a class of xml documents). it's ant builds scripts which include calls to scripting languages which may become patent encumbered. if this is the case, then it's the date that ant introduced the particular tasks that would be important. could we think asking the US patent office to reconsider the patent application on the following basis: 1. prior art (ant - so long as ant supported scripting in other languages before 2000) 2. it's very, very, very obvious (using an attribute to describe which scripting language should be executed? that's something that even an absolute novice would have thought up when presented with the problem!) this is the tactic being used by the W3C and appears to be having a good degree of success at raising awareness of the problem. there is a (growing) chance that the US legislature may well look at addressing this issue so long that enough good example of harm can be provided. software patents encourage innovation? don't make me laugh! bitter-laughterhahaha/bitter-laughter - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Farewell to Martin Pöschl
On 12 Feb 2004, at 22:35, Thom May wrote: snip just use (or link to) and update what's already on www.apache.org/foundation/martin.html ? There's some sample text on www.apache.org too, courtesy of StevenN i've added links from the jakarta site to the foundation page. (i'll leave the jakarta there but unlinked since my theory for jakarta is what goes up shouldn't come down.) i have a few cosmetic changes which (i think) improve the look of the page. i've attached a patch. if anyone likes the changes, they might like to check them in. - robert martin.patch Description: Binary data - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Farewell to Martin Pöschl
On 11 Feb 2004, at 17:29, Lars Eilebrecht wrote: According to Jim Jagielski: I think it would be most appropriate for the ASF to send some sort of condolences to the Pöschl family (eg: flowers). ++1 definitely +1 this is certainly a big shock. martin's seems to have been around jakarta forever doing great work in a softly spoken way. i'm a bit torn at the moment. in some ways i feel that really something should be said about this on the jakarta website but i'm a little unsure about whether this would be the right. i'm tempted to simple add 'Farewell to Martin Pöschl' linking to a page containing daniel's eloquent announcement but i'd feel happier knowing other people thoughts before taking any acting. - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
ISO may charge developers to use language and country codes
see http://lists.w3.org/Archives/Public/www-international/2003JulSep/0213. if ISO decides to charge, then will this have an impact on apache products? if so, is there any action that the ASF can take to influence ISO's decision? - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [m17n] mailinglist (Re: [i18n] Internationalization project)
On Friday, July 18, 2003, at 11:40 AM, Tetsuya Kitahata wrote: snip Very good points I think. 1. Legal risk 2. where to start as a first step snip 1. Sure, I think if the ASF hosts the translated websites, we (sorry: I prefer to use *WE* when indicationg the ASF) have to think about the QUALITY of translations. If *non-preferable* words for each languages are there, it will be very risky (e.g. secret language, erotic). However, at the same time, this goes for the English documents, too. (By the way, really the jakarta PMC is reviewing whole jakarta subprojects' websites even written in english?) this is one of the reasons why subprojects are being encouraged to move out and why the size of the jakarta pmc has been increased. between the pmc members there's hopefully enough supervision of commit emails. the other safe guard is that only a few people are trusted with rights to daedelus and most of these are in the jakarta pmc. the real problem is that these methods of supervision (watching commit emails and guarding updates of the live site) only work when the supervisor can read what's said. So, we do not have to be nervous so much. A Patchy spirits can solve the problems. I can not see precise statistics, however, Japan is the third country of the page views of apache.org websites, IIRC. (I saw the statistics of Jakarta-Cactus the other day, but I forgot the URL .. if anyone can give us the precise statistics, please let me know) This means that there are many *reviewer*s who have good eyes. as well as many good eyes, an efficient system for feedback is also need so that problems can quickly be fixed. 2. As Noel has pointed out, I also agree with setting up mailing list for it as a first step. +1 snip I am thinking of the would-be-mailing-list: 1. each projects' committers can post to the list 2. each projects' committers can ask to the list with english file, Hi, I prepared the resource of the translation. Can anyone translate this and perform the native2ascii? this would also be very, very useful for requests to pmcs which are not in english. 3. the subscriber of the list directly (or non-directly) post to the correspond lists or post to the list. 4. The main topic will be the issues of i18n, l10n, m17n 5. more to come (docs translation etc.) sounds good. how can we make this happen? - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Jakarta Newsletter Issue 9 -- May-June 2003
On Thursday, July 10, 2003, at 03:00 PM, Thom May wrote: * Nicola Ken Barozzi ([EMAIL PROTECTED]) wrote : Thom May wrote, On 10/07/2003 15.24: Jakarta has an announcement list. Guess what, most, if not all announcements go also to [EMAIL PROTECTED] Go figure. MHO is that a mail a month is not a big deal in any case. straw. camel's back. there's no reason for the newsletter to be coming here that i can see. one of the consequences of encouraging the breaking up of jakarta is that there are a lot more apache projects (whether they started in jakarta or not) who are feel interested in contributing to the newsletter. posting to community (rather than - say - to the general and announcement lists of every project that contributed) therefore seemed pretty reasonable when it was proposed. now that there's been such a mixed reaction, it'll probably be an experiment that won't be repeated. if we do manage to get some momentum for an apache-wide newsletter, would those people who are upset feel as hostile about an announcement about this together with a link being posted to community? - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Jakarta Newsletter Issue 9 -- May-June 2003
hi Tetsuya thanks again for all the hard work in the limited time available for newsletter 9. i'd you like to volunteer to create an xml newsletter as well as a jakarta one then i'm sure it'd be a great success. - robert On Wednesday, July 9, 2003, at 05:41 PM, Tetsuya Kitahata wrote: Thank you for the comment!! Well, I think Jakarta-Newsletter will keep in touch with the 'jakarta-related-projects'.. projects graduated from jakarta. 'XML Project' and 'WS-Project' are different from jakarta, I think. However, in my mind, it might be wonderful if we can prepare the 'XML-Newsletter' which contains the news from apache-xml, apache-ws, and apache-cocoon. e.g. odd-numbered month: Jakarta-News-Letter (bi-monthly newsletter) even-numbered month: XML-News-Letter (bi-monthly newsletter) These will gratify most of the people interested in XML and java. Sincerely, -- Tetsuya ([EMAIL PROTECTED]) - On Wed, 9 Jul 2003 08:17:44 +0200 (CEST) (Subject: Re: Jakarta Newsletter Issue 9 -- May-June 2003) Dirk-Willem van Gulik [EMAIL PROTECTED] wrote: On Wed, 9 Jul 2003, Tetsuya Kitahata wrote: ... cut ... most wonderful newletter ... Wow -you guys rocks ! Keep up the good work. And I really do hope that this will keep its 'all things java and xml' scope; despite ant and avalong becoming a PMC of their own! Thanks! Dw - Tetsuya Kitahata -- Terra-International, Inc. E-mail: [EMAIL PROTECTED] : [EMAIL PROTECTED] http://www.terra-intl.com/ (Apache Jakarta Translation, Japanese) http://jakarta.terra-intl.com/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How ASF membership works and what it means
On Monday, June 23, 2003, at 06:59 PM, Ted Leung wrote: Dirk-Willem van Gulik wrote: snip - the java world seems to need amazing number of indians (or committers) relative to lines of codes or bugs fixed. And seems to see more isolated pockets of people than the xml and other parts of the ASF. My impression on this is that the folks at jakarta have been more free (at least compared to projects in XML) with commit rights. I don't know if this is actually the case, but it is my perception. i'm not sure that you can generalize like that. different communities within jakarta seem to require different levels of commitment. some (for example velocity) seem to require extensive development activity for months or even years. others are much more liberal. it can be a fine line to run since there has been quite a lot of public criticism about there being too few committers on several jakarta lists i'm subscribed to. one interesting consequence of a general move within jakarta towards extensive unit testing is that the time required to commit patches has significantly increased. my experience now is that creating good unit tests takes more than the time it takes to write the code. i'm also now more aware that good documentation is crucial and spend more time creating documentation. this increases the time required to review and approve patches from developers. as code bases become more mature, more and more care also has to be taken when committing patches. it's rare that i can review and commit any patch in less than an hour. i only have a certain amount of time available for work on apache projects and so the rate of improvement either slows or more bodies are required. i'd be interested to discover how other, longer established projects solve similar problems. - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Common documents across the ASF
On Thursday, June 19, 2003, at 05:31 AM, Glen Stampoultzis wrote: At 01:09 PM 19/06/2003, you wrote: Why NOT have shared documents? I've heard it said that the CVS organization is the barrier. OK, so why not look at what reasonable steps could relieve that barrier? What would happen if we had an Incubator module open to all ASF Committers? Would that lower the barrier and increase reuse? The reason why it hasn't been done is simple... because no one has actually stepped up to find all the redundant information and send patches to the various projects to fix it up. CVS access isn't the problem. Finding someone with the itch, time and motivation is. it's not as simple as that. the proposal is not only to create common documentation (which would be cool) but also to remove all existing documentation on subjects which should be common. this means removing most of the pages on the jakarta website. - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: FW: Chinese version for jakarta project webs
we received this a little while ago on jakarta pmc. i'd like to send them some kind of response. i'm posting this on community since it seems likely to me that this might also be of interest to a number of ex-jakarta projects and also that it'd be good to have a broader set of opinions. (i'll post mine in a separate post.) - robert On Wednesday, May 7, 2003, at 11:32 AM, Pier Fumagalli wrote: Not acked... Pier -- Forwarded Message From: Jemmee Yung [EMAIL PROTECTED] Date: Wed, 7 May 2003 18:27:10 +0800 To: [EMAIL PROTECTED] Subject: Chinese version for jakarta project webs Hello webmaster, I'm writing on behalf of my company to say thanks for all your project members in offering so many decent toolkits that enable us to deliver bulletproof projects with price tags that are always competitive. We saw that there are foreign language versions of some jakarta projects and there are actually many developers in the greater china region who would have been benefited from jakarta projects if there are websites in their own language. We're a HK based company who knows well the language set difference between the different regions and the technical aspects of the language set they're accustomed, our team heavily relies on jakarta products and we have technical writers used to prepare product guidelines and documentations for our own products, not to mention some of our teammates (incl myself) are column writers for local computer magazines on java and object-oriented topics: we do have good connections with local publishers and companies in china. please feel free to contact me if there is a chance of collaboration between us, just in case jakarta would like to have mirror sites in our region (we host websites as well :) translation of project webs or other coordinatin/marketing work that would help growing the jakarta community in our homeland. Thanks for your kind attention and looking forward to seeing upcoming works with your team. Best Regards, Jemmee Yung My Domain Consultant Limited http://my-domain.com.hk/ -- End of Forwarded Message - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: ASF repository URI syntax
i think that maybe organization / project would be better that /project/[subproject/..]. i think that including organization would a good idea for a couple of reasons. first, it would make it pretty clear that it's an URI is for an ASF jar. secondly, it would allow expansion later for non-ASF jars within the system. (even if they are hosted elsewhere.) the project should simply include as much detail as it required to identify a unique releasable unit. so (for example) ant would be (something like) apache/ant whereas the commons logging api could be apache/jakarta-commons-logging-api (or something like that). this idea also has the advantage of being much simpler :) maybe the organization should be a domain name ie apache.org rather than apache. - robert On Saturday, March 1, 2003, at 06:56 PM, Nick Chalko wrote: [EMAIL PROTECTED] wrote: Nick, can you explain why there is a need for a subproject and not a sub-subproject etc? Good question. This also releates to what is a project . Jakarta , avalon, turbine. poi, poi-contrib. On the one hand we could allow unlimited subprojects. specify that projects must start with a letter, and version must start with a number. Or the other aproach is only one level of projects then you have jakarta-avalon-fulcrum. This is a namespace problem, how do we avoid naming collitions at Apache I suppose we could say that a project=cvs module My preference would be for /project/[subproject/..]/version/artifact. -- dIon Gillard, Multitask Consulting Blog: http://www.freeroller.net/page/dion/Weblog Work: http://www.multitask.com.au -Nick Chalko [EMAIL PROTECTED] wrote: - To: community@apache.org From: Nick Chalko [EMAIL PROTECTED] Date: 03/01/2003 09:38AM Subject: ASF repository URI syntax I think in general ./ or ./index.html should return a human readable form and ./index.xml should give machine readable form of the following * / o list of projects in the repository * /project o list of subprojects o list of versions available if there is no subprojects * /project/[subproject]/ o list of versions available * /project/[subproject]/version/ o list of artifacts available. * /project/[subproject]/version/artifact. o downloads the actual artifact. I think this a reasonable base set that support both a simple filesystem or an smart server. These are just ideas to get the discussion of the protocol started. Comments. R, Nick - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [digester] site generated via Maven b8
On Wednesday, February 26, 2003, at 10:22 PM, O'brien, Tim wrote: Added Clover reports as well. Although, I can't figure out what it means that Digester has a 0.7% coverage. It is more than possible that I have configured something incorrectly here. I'm assuming that all ASF projects have permission to use Clover based on Maven and Tapestry use, if this isn't the case, let me know. that's possible a dangerous assumption to make :) on the clover web site, it says that free licenses are available for open source projects on application. i seem to remember talk about clover being made available for free for all apache projects but i don't know whether the ASF as a body possesses such a license or whether individual projects and sub-projects have applied for them separately. i'm going to comment out the clover line until we can get some kind of official confirmation from the ASF one way or another. - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
db.apache.org url is missing
(i'm not really sure where comments about the main foundation site should be posted or how to submit patches. hopefully someone will correct me if this isn't the right place.) i noticed that http://www.apache.org/foundation/projects.html has an entry for db.apache.org which is missing a website url. (from what i can see) db now has a website at http://db.apache.org/. - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Clear the air Re: ATTN: Maven developers [was: primary distribution location]
On Wednesday, February 5, 2003, at 09:29 PM, Rodent of Unusual Size wrote: snip so we must not distribute any 3p (third-party) packages from asf systems if it is not permitted by their licences. nor may any of our code automatically go off and fetch such packages and start using them on the user's system if the packages' licences require *any* sort of acknowledgement by the user. that is, if the licence for package 'x' says the user must stand on its head and send a paypal donation before using 'x', none of our code may automatically download 'x' to the user's system. if it's *already* on the user's system, we can use it -- but we can't get into any position in which we are essentially responsible for transmitting someone else's licence terms to the user, and assuming they've agreed to comply with them. (i.e., for now i'm ruling click-through licences as not permissible for our stuff to present.) what would be allowed (though) in these cases (i suppose) is *not* downloading the package but instead presenting the user with a nice message saying that 3rd party package XXX is required by function YYY - and giving an official url where it can be obtained. this would be a *big* improvement over the situation (without automated download) where the user has to find out where a copy of the necessary package can be downloaded from. - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Where to place Agora?
On Monday, February 3, 2003, at 05:09 PM, Sam Ruby wrote: Stefano Mazzocchi wrote: so, I wonder, should I go down the path of 'incubation'?, should I move it under the committers/ CVS? or in the community CVS? move it on sourceforge? should we clutter this mail list or should we ask for another one? Since you are an established member of the community and there likely isn' t any IP issues, I don't see the point of incubation in this case. +1 I'd say use committers CVS and community mailing list for now. If/when it become a full fledged project, simply present a resolution to the board. wouldn't this be a great project for apache common? - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: ASF Member/Committer AUP
communities can only grow so fast and so large by using osmosis to transfer ideas. the incubator will need to be able to tell incubatees the apache resources at their disposal and the limits beyond which use of these resources becomes abuse. i'd like to this kind of information provided to all new committers and also be made available for existing committers. for example, given the recent community anti-Beanie Babies hatefest, then the incubatees need to be told that under no circumstances should they post up web pages detailing their oh-so-interesting collections in their apache home directories ;) - robert On Monday, December 2, 2002, at 02:30 PM, Andrew C. Oliver wrote: Personally I prefer late-refactoring. Has it been a problem yet? Glenn Nielsen wrote: I have been following the discussion about publicizing ASF Member/Committer home pages. The contentious issue seems to be what is appropriate use of a home page hosted on apache, or even if there should be home pages at all. A major concern of those against the proposal is that pages hosted at apache.org will be seen as represensting the ASF. They are concerned about protecting the Apache brand. Throughout the discussion no one pointed to any ASF documentation on what acceptable use is. With the ASF developer community growing to over 500 committers perhaps what is needed is an AUP which addresses appropriate use of their email account, home page, and commit privs. Nothing draconian, but something that can set expectations of what is acceptable use and give the ASF Board/PMC a foundation for making decisions when someone crosses the line. Regards, Glenn - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]