Re: [VOTE] Apache OpenOffice Community Graduation Vote
On 8/26/12 7:44 PM, Joe Schaefer wrote:
> ----- Original Message -----
> From: Dave Fisher dave2w...@comcast.net
> To: general@incubator.apache.org
> Cc:
> Sent: Sunday, August 26, 2012 1:08 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>
>> On Aug 26, 2012, at 7:46 AM, Joe Schaefer wrote:
>>> AOO doesn't need to change anything to their current release processes other than to stop pointing source downloads at svn (which is the sole reason I won't vote for AOO candidates).
>>
>> Well this is worth discussion. On this page [1]: The source downloads go through aoo-closer.cgi, but all of the hashes and signatures go through www.a.o/dist/. Is that your issue?
>
> No, but I'm tired of talking about it. If you try to build from source the build system will download packages from svn.apache.org instead of from elsewhere or the mirrors. That violates infra policy.

This is already fixed, and if you had built AOO 3.4.1 on your own you would have noticed this. It was also discussed on ooo-dev.

Juergen

>> Or is it this page [2]? Please help me understand what is wrong and it will be fixed.
>>
>> Best Regards,
>> Dave
>>
>> [1] http://incubator.apache.org/openofficeorg/downloads.html
>> [2] http://www.openoffice.org/download/other.html#tested-sdk

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Sep 6, 2012, at 7:10 AM, Jürgen Schmidt wrote:
> On 8/26/12 7:44 PM, Joe Schaefer wrote:
>> ----- Original Message -----
>> From: Dave Fisher dave2w...@comcast.net
>> To: general@incubator.apache.org
>> Cc:
>> Sent: Sunday, August 26, 2012 1:08 PM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>
>>> On Aug 26, 2012, at 7:46 AM, Joe Schaefer wrote:
>>>> AOO doesn't need to change anything to their current release processes other than to stop pointing source downloads at svn (which is the sole reason I won't vote for AOO candidates).
>>>
>>> Well this is worth discussion. On this page [1]: The source downloads go through aoo-closer.cgi, but all of the hashes and signatures go through www.a.o/dist/. Is that your issue?
>>
>> No, but I'm tired of talking about it. If you try to build from source the build system will download packages from svn.apache.org instead of from elsewhere or the mirrors. That violates infra policy.
>
> This is already fixed, and if you had built AOO 3.4.1 on your own you would have noticed this. It was also discussed on ooo-dev.

At the time that Joe wrote this email svn.apache.org was still a backup location for binary artifacts in the build. It is fixed now because I took this note as an action item, confirmed the policy on IRC, and removed those backups from the dependency list.

Now read the rest of the thread and understand (I hope) why certain actions are being taken.

Best Regards,
Dave

> Juergen
>
>>> Or is it this page [2]? Please help me understand what is wrong and it will be fixed.
>>>
>>> Best Regards,
>>> Dave
>>>
>>> [1] http://incubator.apache.org/openofficeorg/downloads.html
>>> [2] http://www.openoffice.org/download/other.html#tested-sdk
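Dave's point that the artifact itself comes from a mirror (via aoo-closer.cgi) while the hashes and signatures are served from www.apache.org/dist is the whole basis of the check a downloader performs: the digest file is trusted, the mirror is not. The following is an added example, not code from this thread or from the AOO project. It parses the two checksum-file layouts Apache projects have published (coreutils "hex  filename" and "gpg --print-md" style with wrapped hex groups) and compares digests in constant time. The filename and tarball bytes are constructed stand-ins, not a real release.

```python
"""Check a downloaded release artifact against its detached checksum file.

Added example for this thread, not AOO project code. It assumes the two
layouts Apache projects have published for .sha512/.sha256/.md5 files:
coreutils style ("<hex>  <filename>") and "gpg --print-md" style
("<filename>: ABCD EF01 ..." wrapped over indented continuation lines).
The artifact bytes below are a constructed stand-in for a source tarball.
"""
import hashlib
import hmac
import re

# Constructed sample artifact; the filename is hypothetical.
ARTIFACT_NAME = "aoo-3.4.1-src.tar.gz"
ARTIFACT_BYTES = b"constructed tarball stand-in: not a real release\n"
EXPECTED_SHA512 = hashlib.sha512(ARTIFACT_BYTES).hexdigest()

# Layout (a): what "sha512sum <file>" prints.
COREUTILS_STYLE = f"{EXPECTED_SHA512}  {ARTIFACT_NAME}\n"

# Layout (b): what "gpg --print-md SHA512 <file>" prints: groups of four
# upper-case hex digits, wrapped, continuation lines indented under the name.
_groups = [EXPECTED_SHA512.upper()[i:i + 4] for i in range(0, 128, 4)]
_indent = " " * (len(ARTIFACT_NAME) + 2)
GPG_PRINT_MD_STYLE = (
    f"{ARTIFACT_NAME}: " + " ".join(_groups[:8]) + "\n"
    + "".join(_indent + " ".join(_groups[i:i + 8]) + "\n" for i in range(8, 32, 8))
)

# "<hex>  <name>" or "<hex> *<name>" (binary-mode marker).
_COREUTILS_RE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(\S.*?)\s*$")
# "<name>: HHHH HHHH ..." after continuation lines have been folded in.
# Hex runs must be separated by whitespace, so the pattern cannot backtrack
# exponentially on malformed input.
_PRINT_MD_RE = re.compile(r"^(\S+):\s+((?:[0-9A-Fa-f]+\s+)*[0-9A-Fa-f]+)\s*$", re.M)


def parse_checksum_file(text: str) -> dict:
    """Return {filename: lowercase hex digest} for either layout."""
    entries = {}
    for line in text.splitlines():
        m = _COREUTILS_RE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    # Fold indented continuation lines back onto their "filename:" line.
    folded = re.sub(r"\n[ \t]+", " ", text)
    for m in _PRINT_MD_RE.finditer(folded):
        entries[m.group(1)] = re.sub(r"\s+", "", m.group(2)).lower()
    return entries


def verify_artifact(name: str, data: bytes, checksum_text: str, algo: str = "sha512"):
    """Compare the artifact's digest with the entry for `name` in the checksum file.

    Returns (ok, reason). This is integrity relative to the checksum file only:
    whoever controls that file controls the result, which is why it must be
    fetched from www.apache.org/dist and not from the mirror that served the
    artifact. Authenticity additionally needs the detached .asc signature
    verified against the project's KEYS file.
    """
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return False, f"no entry for {name} in checksum file"
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    for label, text in (("coreutils", COREUTILS_STYLE), ("gpg --print-md", GPG_PRINT_MD_STYLE)):
        print(label, verify_artifact(ARTIFACT_NAME, ARTIFACT_BYTES, text))
    print("tampered", verify_artifact(ARTIFACT_NAME, ARTIFACT_BYTES[:-1] + b"!", COREUTILS_STYLE))
```

Against a real download you would read the tarball from disk and the `.sha512` text from www.apache.org/dist; a mismatch means the mirror copy is not the file the release manager hashed, whatever the cause.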
Re: end-user operating systems Re: [VOTE] Apache OpenOffice Community Graduation Vote
On 27.08.2012 23:11, Andreas Kuckartz wrote:
> Rob Weir:
>> You probably don't see this on the server yet, but end-user operating systems, both desktop and devices, both at OS level as well as in browsers and with antivirus software, are shifting over to excluding non-signed executables by default. This is equally true of software distributed on CD's, via downloads, or listed in OS-vendor stores. That is the direction that the industry is going. Any desktop application that ignores this trend will become unusable by most users. Instead of detached digital signatures that Apache releases already carry, the OS vendors expect integrated signatures via code signing.
>
> Sorry for extending this thread, but I am curious: Which OS vendors and end-user operating systems are you talking about?

For Windows 8 please see e.g. http://msdn.microsoft.com/en-us/library/windows/desktop/hh749939.aspx

  6.1 All executable files (.exe, .dll, .ocx, .sys, .cpl, .drv, .scr) must be signed with an Authenticode certificate

For Mac OS X 10.8 please see e.g. https://developer.apple.com/resources/developer-id/

  Gatekeeper is a new feature in OS X Mountain Lion that helps protect users from downloading and installing malicious software. Signing your applications, plug-ins, and installer packages with a Developer ID certificate lets Gatekeeper verify that they are not known malware and have not been tampered with.

and http://macperformanceguide.com/MountainLion-application-signing.html

  By default, Mac OS X Mountain Lion disables the ability to run applications which are not signed, the idea being to prevent hackers from persuading you to run a nefarious application. This is an excellent security precaution, but also a headache until all apps are signed

The end-user operating system Debian does not require integrated signatures: http://wiki.debian.org/SecureApt

Debian is a great end-user operating system and I'm using it for my main computing needs. Other contenders in the market for end-user operating systems like Microsoft and Apple are still relevant though, so the requirements they impose on applications cannot be easily ignored.

Herbert
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On 26.08.2012 00:21, Greg Stein wrote:
> On Aug 25, 2012 9:46 AM, Benson Margulies bimargul...@gmail.com wrote:
>> ...
>> Of course, a discussion thread started here to solicit the IPMC's opinion on graduation would be another matter entirely.
>
> If Rob is representative of AOO, then no. They need more time to learn about the ASF.

He is representative for some of us, among them me.

-Andre
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Hi,

I'm jumping in late to this discussion after returning from vacation. To summarize my understanding:

* As Joe says, there's no problem with current OpenOffice releases.
* The project is looking for ways to produce blessed binaries as a part of future releases, and has been working with the relevant parties (infra, legal, etc.) on the implications.
* I trust that the project is capable of continuing that work and abiding by whatever conclusion, also after graduation.

Thus I don't see this as a blocker for graduation.

Also below my answers to some of Dennis' questions:

On Sun, Aug 26, 2012 at 9:11 PM, Dennis E. Hamilton orc...@apache.org wrote:
> 3. AVAILABILITY OF SOURCE FOR INSPECTION, AUDIT, AND PROVENANCE
>
> On this thread, the importance of having source code available has been stated as a strong requirement. As far as I can tell, this is a requirement for IP provenance more than anything else.

It goes way deeper than IP provenance. If you don't release the source, you're not doing open source [1].

> Of course, the good-faith reliance on upstream sources always comes to bear, even for source-code contributions. But having access to all source is reported by some as being essential for ASF releases and that is tied to the notion that the source code is the release. (This is despite specific provision in the treatment of licenses for distributing certain binary artifacts in order to avoid license confusion.)

That confusion is nicely resolved by the recent clarification that such binary dependencies are to be separately downloaded and not included in our source releases.

> I don't have any clarity on this. I know that it would be a serious burden to some projects if there were restriction to authenticated builds for open-source platforms only and/or restriction to exclusively open-source libraries for other dependencies not satisfied by the platform itself.

The software we (i.e. the ASF) release must be in source form (source materials needed to make changes to the software [2]), but building and using a release may well require differently licensed and possibly binary-only dependencies or a platform [3]. Distributing the result of building a source release is also fine as long as the licenses of all the included bits allow redistribution.

> To the extent that the requirement is for more than IP provenance and license reconciliation, I am not clear who is being held to account for any deeper scrutiny than that. Are the PMC votes for a release expected to establish some sort of serious attestation concerning the nature of the source?

Yes.

> Instead, is the requirement of specific source-code availability instead a requirement for potential forensic requirements later in the lifecycle of a release?

No, without source code there by definition can be no release.

> Can this be satisfied without the source being in the release, by whatever arrangement and assurance that could be made to ensure its availability whenever needed?

No. Note that this does not mean that a binary artifact produced from the sources would need to include the source code, just that all the source code needed to produce the intended binary artifacts must be included in a release.

[1] http://opensource.org/docs/OSD#include-source-code
[2] http://www.apache.org/dev/release.html#what
[3] http://www.apache.org/legal/

BR,

Jukka Zitting
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Aug 27, 2012 6:15 AM, Jukka Zitting jukka.zitt...@gmail.com wrote:
> Hi,
>
> I'm jumping in late to this discussion after returning from vacation. To summarize my understanding:
>
> * As Joe says, there's no problem with current OpenOffice releases.

Agreed.

> * The project is looking for ways to produce blessed binaries as a part of future releases, and has been working with the relevant parties (infra, legal, etc.) on the implications.

I have not seen this, especially in regards to this thread. Argument is occurring on this list instead.

> * I trust that the project is capable of continuing that work and abiding by whatever conclusion, also after graduation.

Fair enough, but I do not share that trust. I fear the project claiming unique difference, and damaging the Foundation, rather than an understanding of how we can solve our mission together. I believe AOO has unique characteristics and that the ASF needs to adapt, but I do not believe the community cares to properly see through those changes. I see self-righteous bullying instead.

The ASF and the people that make us what we are, are not perfect. We don't know everything. But we *do* deserve consideration to make things Right.

AOO is an awesome opportunity for us all, and we should do what we can for their success. It must happen with an old, and with a new, community working together.

Cheers,
-g
Re: [VOTE] Apache OpenOffice Community Graduation Vote
The ASF releases source code. We produce it, we develop it, we license it and we release it. We have also, as a courtesy to the community, released binaries (read: pre-compiled and built s/w) as well. The binaries MUST be based on the actual released code. But the s/w itself is what is produced and released by the PMC.

This is not a new or unique question. Heck, httpd for *years* released pre-built binaries as a courtesy to the community (mostly the windows builds). At issue is whether or not binaries can fall under the same protection and authority as the source code.

The question to answer is what exactly do you want. Do you want the builds done on ASF hardware to be deemed official to the exclusion of all other builds? What exactly does official mean anyway?

IMO, what is important is that the end-user obtains a binary that he/she knows is (1) built from the actual, unadulterated office source code release and (2) was built by someone trustworthy. So having some sort of build release manager who takes these binaries, checks that they were built correctly, and then signs the binaries seems, to me, to be enough to cover what we, and the end-users, need.

On Aug 24, 2012, at 2:49 PM, Joe Schaefer joe_schae...@yahoo.com wrote:
> Exactly- just work within the constraints and there is no practical problem whatsoever.
>
> From: Andrew Rist andrew.r...@oracle.com
> To: general@incubator.apache.org
> Sent: Friday, August 24, 2012 2:44 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>
>> On 8/24/2012 11:19 AM, Joe Schaefer wrote:
>>> Really, all this fuss over the LABELLING of a file being distributed does not add value to either the org, the podling, or the users of the software. Nowhere is it written that you CANNOT DISTRIBUTE BINARIES, however it has always been clear that they are provided for the convenience of our users, not as part of an official release. That however does not mean that things like release announcements cannot refer users to those binaries, it simply means those announcements need to reference the sources as the thing that was formally voted on and approved by the ASF.
>>
>> Thus... Binaries created /from/ the Official Release?
>>
>>> From: Dave Fisher dave2w...@comcast.net
>>> To: general@incubator.apache.org
>>> Sent: Friday, August 24, 2012 1:56 PM
>>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>>
>>>> On Aug 24, 2012, at 10:09 AM, Rob Weir wrote:
>>>>> On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir robw...@apache.org wrote:
>>>>>> On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey mar...@rectangular.com wrote:
>>>>>>> Returning to this topic after an intermission...
>>>>>>>
>>>>>>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz bdelacre...@apache.org wrote:
>>>>>>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt jogischm...@gmail.com wrote:
>>>>>>>>> ...As one of the active developers I would have a serious problem if we as project couldn't provide binary releases for our users. And I thought the ASF is a serious enough institution that can ensure to deliver binaries of these very popular end user oriented software and can of course protect the very valuable brand OpenOffice that the ASF now owns as well...
>>>>>>>>
>>>>>>>> As has been repeatedly mentioned in this thread and elsewhere, at the moment ASF releases consist of source code, not binaries.
>>>>>>>
>>>>>>> My impression from this discussion is that many podling contributors are dismayed by this policy, and that there is an element within the PPMC which remains convinced that it is actually up to individual PMCs within the ASF to set policy as to whether binaries are official or not.
>>>>>>
>>>>>> If there actually is an ASF-wide Policy concerning binaries then I would expect that:
>>>>>>
>>>>>> 1) It would come from the ASF Board, or from Legal Affairs, not as individual opinions on the IPMC list
>>>>>>
>>>>>> 2) It would be documented someplace, as other important ASF policies are documented
>>>>>
>>>>> And 2a) Actually state the constraints of the policy, i.e., what is allowed or disallowed by the policy. Merely inventing a label like convenience or unofficial gives absolutely zero direction to PMC's. It is just a label.
>>>>>
>>>>> Consider what the IPMC's Release Guide gives with regards to the source artifact. It is labeled canonical, but that label is backed up with requirements, e.g., that every release must include it, that it must be signed, etc. Similarly, podling releases are not merely labeled podling releases, but policy defines requirements, e.g., a disclaimer, a required IPMC vote, etc.
>>>>>
>>>>> I hope I am not being too pedantic here. But I would like to have a policy defined here so any PMC can determine whether they are in compliance. But so far I just hear strongly held opinions that amount to applying labels, but not mandating or forbidding any actions with regards to artifacts that bear these labels.
>>>>>
>>>>> Consider: If some IPMC members declared loudly that It is ASF
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Aug 26, 2012, at 10:26 AM, Joe Schaefer joe_schae...@yahoo.com wrote:
> No. There is NO WAY IN HELL the org can indemnify a volunteer who produces a binary build themselves. Please don't bother asking legal-discuss to tackle this.

Here's an analogy: for a long, long time Bill Rowe has taken it upon himself to create binary builds of Apache httpd for the large Windows community. Netware binary builds are also occasionally released (see http://httpd.apache.org/download.cgi). These are available right from the official httpd download page and located right next to the official source code, yet they are artifacts NOT released (officially) by the ASF or the httpd PMC, but are available from a trusted source.

Isn't that all the end-user cares about? And isn't that sufficient for AOO?
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Jim Jagielski j...@jagunet.com wrote on 08/27/2012 08:43:35 AM:
> From: Jim Jagielski j...@jagunet.com
> To: general@incubator.apache.org, Joe Schaefer joe_schae...@yahoo.com, Rob Weir robw...@apache.org
> Cc: ooo-...@incubator.apache.org
> Date: 08/27/2012 08:44 AM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>
> On Aug 26, 2012, at 10:26 AM, Joe Schaefer joe_schae...@yahoo.com wrote:
>> No. There is NO WAY IN HELL the org can indemnify a volunteer who produces a binary build themselves. Please don't bother asking legal-discuss to tackle this.
>
> Here's an analogy: for a long, long time Bill Rowe has taken it upon himself to create binary builds of Apache httpd for the large Windows community. Netware binary builds are also occasionally released (see http://httpd.apache.org/download.cgi). These are available right from the official httpd download page and located right next to the official source code, yet they are artifacts NOT released (officially) by the ASF or the httpd PMC, but are available from a trusted source.
>
> Isn't that all the end-user cares about? And isn't that sufficient for AOO?

Yes, that's what end users care about. But it's not sufficient for AOO since we are seeking alternative distribution channels. Efforts to exponentially expand distribution channels require code signing. These discussions were started on legal@ with no resolution. Sorry I don't have the reference for that handy.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Aug 27, 2012, at 8:56 AM, donald_harbi...@us.ibm.com wrote:
> Yes, that's what end users care about. But it's not sufficient for AOO since we are seeking alternative distribution channels.

What does that mean? Can I grok alternative distribution channels as more mirrors or something else?
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Jim,

Two points:

1: you skip over the liability question. Is Bill legally exposed?

2: You can't distribute a binary application to the Mac App store, or other places, without a signature. Some complex requirements for using an Apache signature have been posed; I don't know why Donald characterized them as 'unresolved.'

But can't you drag this whole matter back to the AOO list, being a mentor and all?
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Aug 27, 2012, at 9:16 AM, Benson Margulies bimargul...@gmail.com wrote:
> But can't you drag this whole matter back to the AOO list, being a mentor and all?

Trying to do that with ccing ooo-dev@
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On 27.08.2012 13:10, Greg Stein wrote:
> On Aug 27, 2012 6:15 AM, Jukka Zitting jukka.zitt...@gmail.com wrote:
>> Hi,
>>
>> I'm jumping in late to this discussion after returning from vacation. To summarize my understanding:
>>
>> * As Joe says, there's no problem with current OpenOffice releases.
>
> Agreed.
>
>> * The project is looking for ways to produce blessed binaries as a part of future releases, and has been working with the relevant parties (infra, legal, etc.) on the implications.
>
> I have not seen this, especially in regards to this thread. Argument is occurring on this list instead.
>
>> * I trust that the project is capable of continuing that work and abiding by whatever conclusion, also after graduation.
>
> Fair enough, but I do not share that trust. I fear the project claiming unique difference, and damaging the Foundation, rather than an understanding of how we can solve our mission together. I believe AOO has unique characteristics and that the ASF needs to adapt, but I do not believe the community cares to properly see through those changes.

It makes me sad that you think this way. I am part of the community and I do care about changes that will make AOO a well accepted TLP of the ASF. I am working very hard towards this goal and most of my work consists of exactly these changes. Things like downloading of external libraries and extensions, removing code that depends on external libraries with incompatible licenses, cleaning up code that depends on category-B licensed libraries or integrating the rat scan into the regular AOO build process.

I am a software developer, not a lawyer. In order to make the appropriate code changes I need very clear guidelines of what is in policy and what is not. When it comes to coding there is no room for contradictory interpretations or imprecise wording. The clearer and more explicitly stated the ASF policies are, the better I can clean up and improve our code.

> I see self-righteous bullying instead.

I don't. But maybe I got desensitized by a twelve year long exposure to feedback from end-users in mailing lists, forums, and bug comments, often enough in not too friendly words in all-uppercase letters.

> The ASF and the people that make us what we are, are not perfect. We don't know everything. But we *do* deserve consideration to make things Right.
>
> AOO is an awesome opportunity for us all, and we should do what we can for their success. It must happen with an old, and with a new, community working together.

Thanks. The same is true in the other direction.

-Andre
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 27, 2012 at 8:59 AM, Jim Jagielski j...@jagunet.com wrote:
> On Aug 27, 2012, at 8:56 AM, donald_harbi...@us.ibm.com wrote:
>> Yes, that's what end users care about. But it's not sufficient for AOO since we are seeking alternative distribution channels.
>
> What does that mean? Can I grok alternative distribution channels as more mirrors or something else?

You probably don't see this on the server yet, but end-user operating systems, both desktop and devices, both at OS level as well as in browsers and with antivirus software, are shifting over to excluding non-signed executables by default. This is equally true of software distributed on CD's, via downloads, or listed in OS-vendor stores. That is the direction that the industry is going. Any desktop application that ignores this trend will become unusable by most users. Instead of detached digital signatures that Apache releases already carry, the OS vendors expect integrated signatures via code signing.

Where I hear the churning is over whether the technological change -- code signing rather than detached PGP/GPG signatures -- means anything different from a liability standpoint. One could argue that a signature merely vouches for authentication, integrity and non-repudiation -- the classic guarantees of a digital signature. But I'm hearing others suggest that the move from one technology to another technology for signing suggests additional guarantees about the content of the signed artifact, above and beyond what the ASF normally offers. But of course, any additional liability is explicitly disclaimed by the Apache License.

So given that other Apache projects distribute binaries that are:

1) approved by the PMC's
2) distributed on Apache mirrors
3) linked to as ASF products by project websites
4) accompanied by PGP/GPG detached signatures

...what additional liability do we believe comes from the technological change from one signature mechanism to another? Or specifically, what liability is added that is not already explicitly disclaimed by ALv2?

-Rob
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 27, 2012 at 8:56 AM, donald_harbi...@us.ibm.com wrote:
> Jim Jagielski j...@jagunet.com wrote on 08/27/2012 08:43:35 AM:
>> From: Jim Jagielski j...@jagunet.com
>> To: general@incubator.apache.org, Joe Schaefer joe_schae...@yahoo.com, Rob Weir robw...@apache.org
>> Cc: ooo-...@incubator.apache.org
>> Date: 08/27/2012 08:44 AM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>
>> On Aug 26, 2012, at 10:26 AM, Joe Schaefer joe_schae...@yahoo.com wrote:
>>> No. There is NO WAY IN HELL the org can indemnify a volunteer who produces a binary build themselves. Please don't bother asking legal-discuss to tackle this.
>>
>> Here's an analogy: for a long, long time Bill Rowe has taken it upon himself to create binary builds of Apache httpd for the large Windows community. Netware binary builds are also occasionally released (see http://httpd.apache.org/download.cgi). These are available right from the official httpd download page and located right next to the official source code, yet they are artifacts NOT released (officially) by the ASF or the httpd PMC, but are available from a trusted source.
>>
>> Isn't that all the end-user cares about? And isn't that sufficient for AOO?
>
> Yes, that's what end users care about. But it's not sufficient for AOO since we are seeking alternative distribution channels. Efforts to exponentially expand distribution channels require code signing. These discussions were started on legal@ with no resolution. Sorry I don't have the reference for that handy.

Can't we just get a signing certificate that says ASF unofficial convenience binary or similar language? This gives us (and more importantly our users) the desired authentication and integrity protections of a digital signature, without implying any additional status.

-Rob
Re: [VOTE] Apache OpenOffice Community Graduation Vote
There are, as many have pointed out, two issues. The first is, can AOO do what it is doing - the answer to this one is yes and has been clearly expressed a number of times in this thread. The second is whether AOO can go a step further than what it is already doing. The answer to this is No, as has been expressed a number of times in this thread.

If we separate these issues out then we can proceed. The first issue is resolved (the release vote passed with the original objection being withdrawn). The second issue remains open. It is for the AOO PPMC to find a solution to this. I can see two potential solutions to the problem. Which is right for the AOO project is not the concern of general@. So let's drop general@ from this discussion so we can focus on the actual problem rather than this never ending circular thread.

On Aug 27, 2012 8:56 AM, donald_harbi...@us.ibm.com wrote:
> Jim Jagielski j...@jagunet.com wrote on 08/27/2012 08:43:35 AM:
>> From: Jim Jagielski j...@jagunet.com
>> To: general@incubator.apache.org, Joe Schaefer joe_schae...@yahoo.com, Rob Weir robw...@apache.org
>> Cc: ooo-...@incubator.apache.org
>> Date: 08/27/2012 08:44 AM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>
>> On Aug 26, 2012, at 10:26 AM, Joe Schaefer joe_schae...@yahoo.com wrote:
>>> No. There is NO WAY IN HELL the org can indemnify a volunteer who produces a binary build themselves. Please don't bother asking legal-discuss to tackle this.
>>
>> Here's an analogy: for a long, long time Bill Rowe has taken it upon himself to create binary builds of Apache httpd for the large Windows community. Netware binary builds are also occasionally released (see http://httpd.apache.org/download.cgi). These are available right from the official httpd download page and located right next to the official source code, yet they are artifacts NOT released (officially) by the ASF or the httpd PMC, but are available from a trusted source.
>>
>> Isn't that all the end-user cares about? And isn't that sufficient for AOO?
>
> Yes, that's what end users care about. But it's not sufficient for AOO since we are seeking alternative distribution channels. Efforts to exponentially expand distribution channels require code signing. These discussions were started on legal@ with no resolution. Sorry I don't have the reference for that handy.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 27, 2012 at 7:10 AM, Greg Stein gst...@gmail.com wrote:
> On Aug 27, 2012 6:15 AM, Jukka Zitting jukka.zitt...@gmail.com wrote:
>> Hi,
>>
>> I'm jumping in late to this discussion after returning from vacation. To summarize my understanding:
>>
>> * As Joe says, there's no problem with current OpenOffice releases.
>
> Agreed.
>
>> * The project is looking for ways to produce blessed binaries as a part of future releases, and has been working with the relevant parties (infra, legal, etc.) on the implications.
>
> I have not seen this, especially in regards to this thread. Argument is occurring on this list instead.

You should take a look at infra-dev@ where Infra, AOO members as well as members of other Apache projects interested in digital signatures, have been discussing code signing requirements and ways of providing a code signing capability.

>> * I trust that the project is capable of continuing that work and abiding by whatever conclusion, also after graduation.
>
> Fair enough, but I do not share that trust. I fear the project claiming unique difference, and damaging the Foundation, rather than an understanding of how we can solve our mission together. I believe AOO has unique characteristics and that the ASF needs to adapt, but I do not believe the community cares to properly see through those changes. I see self-righteous bullying instead.

I agree that this thread has not been productive. But you really should check the discussions on infra-dev@ before making statements on whether we know how to work with other parts of the ASF.

> The ASF and the people that make us what we are, are not perfect. We don't know everything. But we *do* deserve consideration to make things Right.
>
> AOO is an awesome opportunity for us all, and we should do what we can for their success. It must happen with an old, and with a new, community working together.

Again, look at the discussions on infra-dev. Your constructive input is most welcome on those threads. Ditto for anyone else.

-Rob

> Cheers,
> -g
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Re adding ooo-dev@ since this is STILL an AOO issue. On Aug 27, 2012, at 9:38 AM, Rob Weir robw...@apache.org wrote: On Mon, Aug 27, 2012 at 8:59 AM, Jim Jagielski j...@jagunet.com wrote: On Aug 27, 2012, at 8:56 AM, donald_harbi...@us.ibm.com wrote: Yes, that's what end users care about. But it's not sufficient for AOO since we are seeking alternative distribution channels. What does that mean? Can I grok alternative distribution channels as more mirrors or something else? You probably don't see this on the server yet, but end-user operating systems, both desktop and devices, both at OS level as well as in browsers and with antivirus software, are shifting over to excluding non-signed executables by default. Believe it or not, I actually use end-user OSs. I am right now! Wow! This is equally true of software distributed on CD's, via downloads, or listed in OS-vendor stores. That is the direction that the industry is going. Any desktop application that ignores this trend will become unusable by most users. Instead of detached digital signatures that Apache releases already carry, the OS vendors expect integrated signatures via code signing. Where I hear the churning is over whether the technological change - code signing rather than detached PGP/GPG signatures -- means anything different from a liability standpoint. One could argue that a signature merely vouches for authentication, integrity and non-repudiation -- the classic guarantees of a digital signature. But I'm hearing others suggest that the move from one technology to another technology for signing suggests additional guarantees about the content of the signed artifact, above and beyond what the ASF normally offers. But of course, any additional liability is explicitly disclaimed by the Apache License.
So given that other Apache projects distribute binaries that are 1) approved by the PMC's 2) distributed on Apache mirrors 3) linked to as ASF products by project websites 4) accompanied by PGP/GPG detached signatures ...what additional liability do we believe comes from the technological change from one signature mechanism to another? Or specifically, what liability is added that is not already explicitly disclaimed by ALv2? A signature does 2 things: 1. Ensures that no bits have been changed 2. That the bits come from a known (and trusted) entity. The fact that we've used GPG-signed artifacts is immaterial, imo. But recall in all this that even when the PMC releases code, it is signed by the individual RM, and not by the PMC itself.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 27, 2012 at 9:57 AM, Jim Jagielski j...@jagunet.com wrote: Re adding ooo-dev@ since this is STILL an AOO issue. On Aug 27, 2012, at 9:38 AM, Rob Weir robw...@apache.org wrote: On Mon, Aug 27, 2012 at 8:59 AM, Jim Jagielski j...@jagunet.com wrote: On Aug 27, 2012, at 8:56 AM, donald_harbi...@us.ibm.com wrote: Yes, that's what end users care about. But it's not sufficient for AOO since we are seeking alternative distribution channels. What does that mean? Can I grok alternative distribution channels as more mirrors or something else? You probably don't see this on the server yet, but end-user operating systems, both desktop and devices, both at OS level as well as in browsers and with antivirus software, are shifting over to excluding non-signed executables by default. Believe it or not, I actually use end-user OSs. I am right now! Wow! I did not mean to imply otherwise. But I am quite confident that few, if any other Apache projects are developing end-user software, so they might not be aware of this trend from the software development perspective. This is equally true of software distributed on CD's, via downloads, or listed in OS-vendor stores. That is the direction that the industry is going. Any desktop application that ignores this trend will become unusable by most users. Instead of detached digital signatures that Apache releases already carry, the OS vendors expect integrated signatures via code signing. Where I hear the churning is over whether the technological change - code signing rather than detached PGP/GPG signatures -- means anything different from a liability standpoint. One could argue that a signature merely vouches for authentication, integrity and non-repudiation -- the classic guarantees of a digital signature. But I'm hearing others suggest that the move from one technology to another technology for signing suggests additional guarantees about the content of the signed artifact, above and beyond what the ASF normally offers.
But of course, any additional liability is explicitly disclaimed by the Apache License. So given that other Apache projects distribute binaries that are 1) approved by the PMC's 2) distributed on Apache mirrors 3) linked to as ASF products by project websites 4) accompanied by PGP/GPG detached signatures ...what additional liability do we believe comes from the technological change from one signature mechanism to another? Or specifically, what liability is added that is not already explicitly disclaimed by ALv2? A signature does 2 things: 1. Ensures that no bits have been changed 2. That the bits come from a known (and trusted) entity. Almost. It doesn't guarantee trust. CA's don't require any specific level of software quality assurance before they issue a certificate. Any trust is implied by association with the identity of the signer. So it is a brand association. This is similar to the association that comes with association with a project's release announcement, or from distribution via Apache mirrors, or links from Apache websites. These all imply -- in one degree or another -- an association with Apache, and the trust that flows from that. But what code signing does do is help protect ASF reputation. By having the binaries signed we can distance ourselves from those who distribute versions of AOO with virus and malware attached. Again, this is something you probably don't see in the server world, but it is quite common with popular end-user open source software. So trust (reputation) is important. But we're already seeing that trust and reputation can be hurt by lack of code signing. The fact that we've used GPG-signed artifacts is immaterial, imo. To a savvy user the use of the detached digital signature can provide exactly the same assurances that code signing would do. Exactly the same thing. It just happens to be that the industry has moved toward a CA model rather than a web of trust model. 
But recall in all this that even when the PMC releases code, it is signed by the individual RM, and not by the PMC itself. Correct. But the concerns in the thread were about individual liability. Having an individual signature (whether GPG/PGP or Authenticode) certainly doesn't make the story any better. So I wonder if the best solution here is to make it clear in the language of the certificate that it is an unofficial, convenience binary? -Rob
Re: [VOTE] Apache OpenOffice Community Graduation Vote
After this, please drop general@ On Aug 27, 2012, at 10:16 AM, Rob Weir robw...@apache.org wrote: A signature does 2 things: 1. Ensures that no bits have been changed 2. That the bits come from a known (and trusted) entity. Almost. It doesn't guarantee trust. Sure it does. If something is signed by Bill or Ross, etc I trust that it came from them. Anything else is tangential to what a signature provides. CA's don't require any specific level of software quality assurance before they issue a certificate. Any trust is implied by association with the identity of the signer. So it is a brand association. This is similar to the association that comes with association with a project's release announcement, or from distribution via Apache mirrors, or links from Apache websites. These all imply -- in one degree or another -- an association with Apache, and the trust that flows from that. But what code signing does do is help protect ASF reputation. Huh? All it says is that these bits originated from this entity. If you trust that entity, then you can trust those bits. The reputation stuff is part of the release process, not the signing process. By having the binaries signed we can distance ourselves from those who distribute versions of AOO with virus and malware attached. Again, this is something you probably don't see in the server world, but it is quite common with popular end-user open source software. Again... Huh??? WTF do you think we sign code, esp stuff destined for the server? So the end-user is ensured that the bits came from a trusted source. Oh look, I found the Apache 2.4.3 source tarball on some warez site signed by 'Ben Dover' who has an unknown key. Looks good to me. Think I'll install it on my website So trust (reputation) is important. But we're already seeing that trust and reputation can be hurt by lack of code signing. We. Sign. Code. So I'm again unsure what the issue is... it sounds like we're talking in circles. Can we have a real-world example? 
From my understanding, Apple's App Store is likely the most onerous situation. So what, right now, is broken with the AOO release process as related to the App Store and what would need to be done to fix it? If that's the wrong example, I'll take any other one.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
- Original Message - From: Benson Margulies bimargul...@gmail.com To: general@incubator.apache.org Cc: Sent: Monday, August 27, 2012 9:16 AM Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote Jim, Two points: 1: you skip over the liability question. Is Bill legally exposed? Short answer: yes he assumes some liability for those httpd windows builds, but it is probably limited to any negligence on his part in ensuring the build environment was properly secured. Going forward if the org wants to produce such production-quality builds itself it will need to invest in audits produced by an Intrusion Detection System on such build hosts, and we'll need to have an auditable means of controlling 3rd party software involved in the builds (think maven repo, CPAN, etc). It's a serious change from the level of paranoia currently deployed in our existing build farms. HTH
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Jim Jagielski wrote on Mon, Aug 27, 2012 at 10:38:15 -0400: After this, please drop general@ On Aug 27, 2012, at 10:16 AM, Rob Weir robw...@apache.org wrote: A signature does 2 things: 1. Ensures that no bits have been changed 2. That the bits come from a known (and trusted) entity. Almost. It doesn't guarantee trust. Sure it does. If something is signed by Bill or Ross, etc I trust that it came from them. Anything else is tangential to what a signature provides. A signature ties a file to a public key, and then "trusted?" is an attribute of the public key. Signatures do not provide trust by themselves (i.e., without some means to establish trust in the public keys).
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Aug 27, 2012 9:57 AM, Jim Jagielski j...@jagunet.com wrote: ... But recall in all this that even when the PMC releases code, it is signed by the individual RM, and not by the PMC itself. Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd say they are signed by the PMC. For example: https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc Cheers, -g
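The two technical points made just above, that a signature only ties a file to a key while "trusted?" is a property of the key, and that one release .asc can carry several signatures, can be seen in a verifier's first step. The following Python is an added example, not code from the thread or from any Apache project: it walks a detached .asc, enumerates every signature packet whether the signers share one armored block or appended their own blocks, and reports the issuer key IDs so they can be checked against a trusted key list. The sample .asc, its key IDs and the stand-in KEYS list are constructed, and no cryptographic verification is performed.

```python
"""Enumerate the signers of a detached OpenPGP .asc file (RFC 4880 signature packets).
Added example, not code from the thread or any Apache project; no crypto is verified."""
import base64
import struct

TAG_SIGNATURE = 2   # OpenPGP packet tag of a signature packet
SUBPKT_ISSUER = 16  # signature subpacket type carrying the 8-byte issuer key ID

def _armor_blocks(text):
    """Yield the decoded bytes of every armored PGP SIGNATURE block in text."""
    body, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "-----BEGIN PGP SIGNATURE-----":
            body, inside = [], True
        elif line == "-----END PGP SIGNATURE-----":
            yield base64.b64decode("".join(body))
            inside = False
        elif inside and line and ":" not in line and not line.startswith("="):
            body.append(line)  # skips armor headers, the blank line and the CRC24 line

def _new_len(buf, pos, two_byte_max):
    """Decode a new-format length field at buf[pos]; return (length, octets used)."""
    b0 = buf[pos]
    if b0 < 192:
        return b0, 1
    if b0 < two_byte_max:
        return ((b0 - 192) << 8) + buf[pos + 1] + 192, 2
    if b0 == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], 5
    raise ValueError("unsupported length octet 0x%02x" % b0)  # partial body lengths

def _packets(data):
    """Yield (tag, body) for each packet, accepting old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:                          # new format: tag in the low 6 bits
            tag = ctb & 0x3F
            length, used = _new_len(data, pos + 1, 224)
        else:                                   # old format: tag and length type in CTB
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            used = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + used], "big")
        yield tag, data[pos + 1 + used:pos + 1 + used + length]
        pos += 1 + used + length

def _subpackets(area):
    """Yield (type, data) for each subpacket of a signature subpacket area."""
    pos = 0
    while pos < len(area):
        length, used = _new_len(area, pos, 255)
        sub = area[pos + used:pos + used + length]
        yield sub[0] & 0x7F, sub[1:]        # top bit of the type octet is the critical flag
        pos += used + length

def issuer_key_id(body):
    """Return the issuer key ID (upper-case hex) named by a v4 signature packet body."""
    if body[0] != 4:
        raise ValueError("unsupported signature version %d" % body[0])
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    hashed, unhashed = body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]
    # Issuer normally sits in the unhashed area; the hashed (signed) area is scanned first.
    for t, d in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
        if t == SUBPKT_ISSUER and len(d) == 8:
            return d.hex().upper()
    return None

def signers_of(asc_text):
    """List the issuer key ID of every signature packet in an .asc text."""
    return [issuer_key_id(body) for raw in _armor_blocks(asc_text)
            for tag, body in _packets(raw) if tag == TAG_SIGNATURE]

def check_signers(asc_text, trusted_key_ids):
    """Split the signers into those whose key is in the trusted set and the rest."""
    trusted, unknown = [], []
    for kid in signers_of(asc_text):
        (trusted if kid in trusted_key_ids else unknown).append(kid)
    return trusted, unknown

# Constructed sample: structurally valid v4 signature packets carrying dummy signature data.
def _v4_sig(key_id, new_format=False):
    ctime = bytes([5, 2]) + b"\x50\x3a\x00\x00"     # creation-time subpacket (hashed area)
    issuer = bytes([9, SUBPKT_ISSUER]) + key_id     # issuer subpacket (unhashed area)
    body = (bytes([4, 0, 1, 8]) + struct.pack(">H", len(ctime)) + ctime
            + struct.pack(">H", len(issuer)) + issuer + b"\xab\xcd\x00\x08\x2a")
    return bytes([0xC2 if new_format else 0x88, len(body)]) + body
def _armor(raw):
    return ("-----BEGIN PGP SIGNATURE-----\nComment: constructed sample\n\n%s\n=AAAA\n"
            "-----END PGP SIGNATURE-----\n" % base64.b64encode(raw).decode())
# Two signers in one block plus a third appended as its own block; key IDs are made up.
SAMPLE_ASC = (_armor(_v4_sig(bytes.fromhex("0102030405060708"))
                     + _v4_sig(bytes.fromhex("1112131415161718"), new_format=True))
              + _armor(_v4_sig(bytes.fromhex("2122232425262728"))))
TRUSTED_KEYS = {"0102030405060708", "1112131415161718"}  # stand-in for a project KEYS file
```

Listing the issuers is only the first step; the trust decision is made against the key list, which is why a signature from a key absent from that list (the third one here) is reported separately rather than rejected by the parser.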
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Which better agrees with written policy anyway- the sigs are part of the release package to be voted on and voted on by the PMC, so even tho it constitutes individual sigs those sigs (well at least the RM's sig) are PMC-approved. - Original Message - From: Greg Stein gst...@gmail.com To: general@incubator.apache.org Cc: ooo-...@incubator.apache.org ooo-...@incubator.apache.org Sent: Monday, August 27, 2012 1:03 PM Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote On Aug 27, 2012 9:57 AM, Jim Jagielski j...@jagunet.com wrote: ... But recall in all this that even when the PMC releases code, it is signed by the individual RM, and not by the PMC itself. Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd say they are signed by the PMC. For example: https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc Cheers, -g
Re: [VOTE] Apache OpenOffice Community Graduation Vote
+1. On Aug 27, 2012, at 1:07 PM, Joe Schaefer joe_schae...@yahoo.com wrote: Which better agrees with written policy anyway- the sigs are part of the release package to be voted on and voted on by the PMC, so even tho it constitutes individual sigs those sigs (well at least the RM's sig) are PMC-approved. - Original Message - From: Greg Stein gst...@gmail.com To: general@incubator.apache.org Cc: ooo-...@incubator.apache.org ooo-...@incubator.apache.org Sent: Monday, August 27, 2012 1:03 PM Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote On Aug 27, 2012 9:57 AM, Jim Jagielski j...@jagunet.com wrote: ... But recall in all this that even when the PMC releases code, it is signed by the individual RM, and not by the PMC itself. Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd say they are signed by the PMC. For example: https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc Cheers, -g
end-user operating systems Re: [VOTE] Apache OpenOffice Community Graduation Vote
Rob Weir: You probably don't see this on the server yet, but end-user operating systems, both desktop and devices, both at OS level as well as in browsers and with antivirus software, are shifting over to excluding non-signed executables by default. This is equally true of software distributed on CD's, via downloads, or listed in OS-vendor stores. That is the direction that the industry is going. Any desktop application that ignores this trend will become unusable by most users. Instead of detached digital signatures that Apache releases already carry, the OS vendors expect integrated signatures via code signing. Sorry for extending this thread, but I am curious: Which OS vendors and end-user operating systems are you talking about? The end-user operating system Debian does not require integrated signatures: http://wiki.debian.org/SecureApt Cheers, Andreas
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Sat, Aug 25, 2012 at 10:53 PM, Rob Weir robw...@apache.org wrote: On Fri, Aug 24, 2012 at 4:35 PM, Greg Stein gst...@gmail.com wrote: On Fri, Aug 24, 2012 at 4:00 PM, Rob Weir robw...@apache.org wrote: snip I can give the IPMC a hand here, if my point is too obscure. A policy might look like this: Resolved: An Apache project's release consists of a canonical source artifact, voted on and approved by the PMC. A PMC can also distribute additional, non-source artifacts, including documentation, binaries, samples, etc., that are provided for the convenience of the user. These non-source artifacts must be buildable from the canonical source artifact. Additional 3rd party libraries may be included solely in compliance with license policies defined by Apache Legal Affairs. Additionally the non-source artifacts (or the PMC) must and must not _. That's existing policy. As people keep saying (most recently, Joe, in no uncertain terms). Hi Greg, And Joe, as I'm sure you noticed, also said: THERE IS NO PROBLEM HERE, CURRENT POLICY FULLY COVERS WHAT AOO ACTUALLY DOES. END OF DISCUSSION. This is my understanding as well. In any case, you seem to agree with the wording that I gave above, since you say it represents existing policy. Since I can find no place on the IPMC or ASF website where this policy is actually stated (and please correct me if I missed it), it might be good if we took my summary from above and put it into the Podling Release Guide. I know there is an ongoing effort to clean up the IPMC website. I'd be happy to submit a patch. Marvin gave the link earlier in this thread. 4th para is the relevant bit. http://www.apache.org/dev/release.html#what --tim
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On 26.08.2012 13:15, Tim Williams wrote: Marvin gave the link earlier in this thread. 4th para is the relevant bit. http://www.apache.org/dev/release.html#what The relevant part is in the last paragraph. However, that says convenience and defines version numbering requirements, but it does /not/ state that the binaries are not sanctioned by the ASF and are not part of the official ASF release. It would be very useful if that paragraph were amended to say so explicitly. I've had no end of trouble trying to explain to managers and customers that any binaries that come from the ASF are not official. Regardless of the policy stated numerous times in this thread and on this list, this is not clear anywhere in the bylaws or other online documentation (that I can find). -- Brane P.S.: I asked this same question on legal-discuss a week ago. My post has not even been moderated through as of today, so referring people to that list doesn't appear to be too helpful.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Sun, Aug 26, 2012 at 7:26 AM, Branko Čibej br...@apache.org wrote: On 26.08.2012 13:15, Tim Williams wrote: Marvin gave the link earlier in this thread. 4th para is the relevant bit. http://www.apache.org/dev/release.html#what The relevant part is in the last paragraph. However, that says convenience and defines version numbering requirements, but it does /not/ state that the binaries are not sanctioned by the ASF and are not part of the official ASF release. And again, as I and others have stated, this is merely a label with no content to it. What does sanctioned (or not sanctioned) by the ASF mean? Anything specific? Remember, the binaries (or Object form in the words of the license) are also covered by the Apache License 2.0, and sections 7 and 8 of that license already say that it is provided as-is, and disclaims warranty and liability. In other words, the same license and the same disclaimers apply to source (which we seem to agree is part of the ASF release) and to binaries. So again I urge the IPMC to mind the seductive appeal of mere labeling and instead consider whether there are any actual constraints on activities and behavior for Podlings (or TLP's for that matter) based on whether something is a source or binary, e.g.: 1) Is there some required (or forbidden) way in which a distinction must be acknowledged in a release vote? 2) Is there some required (or forbidden) language on the download webpage? 3) Any required (or forbidden) language on release announcements? 4) Is there some required (or forbidden) constraint with distribution? So far I have heard some on this list suggest the AOO podling is doing something incorrect, something against ASF policy. But despite repeated queries, no one has stated what exactly this is. This is extremely unfair to the podling, to any podling. It denies us the opportunity of addressing issues. Is this really how the IPMC operates?
It reminds me of tactics practiced by Microsoft against open source -- intimate that something is wrong, but never offer specifics. We call it FUD there. What do we call it at the ASF? It would be very useful if that paragraph were amended to say so explicitly. I've had no end of trouble trying to explain to managers and customers that any binaries that come from the ASF are not official. That may be true for your users, but for mine they would just come back with, What does that mean in practice? Regardless of the policy stated numerous times in this thread and on this list, this is not clear anywhere in the bylaws or other online documentation (that I can find). I agree. -- Brane P.S.: I asked this same question on legal-discuss a week ago. My post has not even been moderated through as of today, so referring people to that list doesn't appear to be too helpful.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Sun, Aug 26, 2012 at 4:26 AM, Branko Čibej br...@apache.org wrote: On 26.08.2012 13:15, Tim Williams wrote: Marvin gave the link earlier in this thread. 4th para is the relevant bit. http://www.apache.org/dev/release.html#what The relevant part is in the last paragraph. However, that says convenience and defines version numbering requirements, but it does /not/ state that the binaries are not sanctioned by the ASF and are not part of the official ASF release. It would be very useful if that paragraph were amended to say so explicitly. I've had no end of trouble trying to explain to managers and customers that any binaries that come from the ASF are not official. Regardless of the policy stated numerous times in this thread and on this list, this is not clear anywhere in the bylaws or other online documentation (that I can find). The possibility exists that when the question is put to legal-discuss, we will find that Roy's missives have been misinterpreted, and that so long as the imperative of a clean source release (uncontaminated by e.g. embedded jar files) is satisfied, it is permissible for a PMC to sanction accompanying binary artifacts which are wholly derived from said clean source. It is also possible that the V.P. of Legal (who is a Board member) will kick the question up to the Board and that they will take up a full-blown resolution clarifying the policy. Perhaps they will impose restrictions going forward such as the requirement that binaries to be blessed must be created via automatic processes kicked off by Infra on sterile build machines. Or perhaps there won't be a resolution, but the discussion will produce a new common understanding that PMCs have so much autonomy they can release a peanut butter and jelly sandwich alongside the source code as an act of the corporation. 
And yet another possibility is that the Legal VP will issue a narrowly tailored ruling stating that AOO may release blessed binaries while incubating, but that after graduation only binaries produced on sterile build machines may be blessed. Who knows? We aren't going to resolve these questions on this list. In any case, I do not believe that it is in the best interests of either the ASF or the AOO podling (particularly those contributing towards the binary artifacts) for ambiguity to persist around issues of indemnification, and I don't think it's good for the ASF to walk backwards into a policy on binary releases accidentally. Apologies for keeping the zombie thread alive. If it were up to me, it would have hopped forums some time ago. Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
No. There is NO WAY IN HELL the org can indemnify a volunteer who produces a binary build themselves. Please don't bother asking legal-discuss to tackle this. The way liability works in an incorporated volunteer charity is that you are not liable for club activities performed without negligence on your part. IANAL but this is the whole point of the law surrounding this area of human activity in the US. Building software on 3rd party hosts which are not operated by the org exposes you to the possibility that your system may be compromised beyond what is in source, and should you publish those artifacts to ASF mirrors you could be held liable for any damages your inattentiveness towards the system that produced those packages may have caused. Nothing the org can do other than adopt an insane indemnity policy will absolve a volunteer of that personal risk at this point. However, if the org decides on a method of producing production-quality builds itself and signs off on them itself as an org, then clearly only the ASF, and any malicious or negligent party, is exposed to any risks associated with widescale distribution. If the software is built by an ASF host using ASF-maintained software, you might be able to make the case before a judge that it was the ASF's fault for producing vulnerable builds on a compromised host. But you will have to plead that before a judge at this point should you be named in a suit, because we don't currently offer that level of management in our build farms. HTH From: Marvin Humphrey mar...@rectangular.com To: general@incubator.apache.org Sent: Sunday, August 26, 2012 10:09 AM Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote On Sun, Aug 26, 2012 at 4:26 AM, Branko Čibej br...@apache.org wrote: On 26.08.2012 13:15, Tim Williams wrote: Marvin gave the link earlier in this thread. 4th para is the relevant bit. http://www.apache.org/dev/release.html#what The relevant part is in the last paragraph.
However, that says convenience and defines version numbering requirements, but it does /not/ state that the binaries are not sanctioned by the ASF and are not part of the official ASF release. It would be very useful if that paragraph were amended to say so explicitly. I've had no end of trouble trying to explain to managers and customers that any binaries that come from the ASF are not official. Regardless of the policy stated numerous times in this thread and on this list, this is not clear anywhere in the bylaws or other online documentation (that I can find). The possibility exists that when the question is put to legal-discuss, we will find that Roy's missives have been misinterpreted, and that so long as the imperative of a clean source release (uncontaminated by e.g. embedded jar files) is satisfied, it is permissible for a PMC to sanction accompanying binary artifacts which are wholly derived from said clean source. It is also possible that the V.P. of Legal (who is a Board member) will kick the question up to the Board and that they will take up a full-blown resolution clarifying the policy. Perhaps they will impose restrictions going forward such as the requirement that binaries to be blessed must be created via automatic processes kicked off by Infra on sterile build machines. Or perhaps there won't be a resolution, but the discussion will produce a new common understanding that PMCs have so much autonomy they can release a peanut butter and jelly sandwich alongside the source code as an act of the corporation. And yet another possibility is that the Legal VP will issue a narrowly tailored ruling stating that AOO may release blessed binaries while incubating, but that after graduation only binaries produced on sterile build machines may be blessed. Who knows? We aren't going to resolve these questions on this list.
In any case, I do not believe that it is in the best interests of either the ASF or the AOO podling (particularly those contributing towards the binary artifacts) for ambiguity to persist around issues of indemnification, and I don't think it's good for the ASF to walk backwards into a policy on binary releases accidentally. Apologies for keeping the zombie thread alive. If it were up to me, it would have hopped forums some time ago. Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
The point most people seem to make out of sanctioned or official builds revolves around indemnifying volunteers involved in the production of the release. I'm tired of rehashing release.html for the umpteenth time simply because Brane or you or some other newb lacks the experience to know the context behind the document, but as they say patches welcome (on site-...@apache.org). Every committer can alter the wording on that page and do something more productive than make clueless arguments on this ever devolving thread. AOO is mentored by some of the most experienced people in the org, please just ignore any further chaff from this thread and pay attention to the guidance you have been repeatedly given on this issue. AOO doesn't need to change anything to their current release processes other than to stop pointing source downloads at svn (which is the sole reason I won't vote for AOO candidates). - Original Message - From: Rob Weir robw...@apache.org To: general@incubator.apache.org Cc: Sent: Sunday, August 26, 2012 9:54 AM Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote On Sun, Aug 26, 2012 at 7:26 AM, Branko Čibej br...@apache.org wrote: On 26.08.2012 13:15, Tim Williams wrote: Marvin gave the link earlier in this thread. 4th para is the relevant bit. http://www.apache.org/dev/release.html#what The relevant part is in the last paragraph. However, that says convenience and defines version numbering requirements, but it does /not/ state that the binaries are not sanctioned by the ASF and are not part of the official ASF release. And again, as I and others have stated, this is merely a label with no content to it. What does sanctioned (or not sanctioned) by the ASF mean? Anything specific? Remember, the binaries (or Object form in the words of the license) are also covered by the Apache License 2.0, and sections 7 and 8 of that license already say that it is provided as-is, and disclaims warranty and liability. 
In other words, the same license and the same disclaimers apply to source (which we seem to agree is part of the ASF release) and to binaries. So again I urge the IPMC to mind the seductive appeal of mere labeling and instead consider whether there are any actual constraints on activities and behavior for Podlings (or TLP's for that matter) based on whether something is a source or binary, e.g.: 1) Is there some required (or forbidden) way in which a distinction must be acknowledged in a release vote? 2) Is there some required (or forbidden) language on the download webpage? 3) Any required (or forbidden) language on release announcements? 4) Is there some required (or forbidden) constraint with distribution? So far I have heard some on this list suggest the AOO podling is doing something incorrect, something against ASF policy. But despite repeated queries, no one has stated what exactly this is. This is extremely unfair to the podling, to any podling. It denies us the opportunity of addressing issues. Is this really how the IPMC operates? It reminds me of tactics practiced by Microsoft against open source -- intimate that something is wrong, but never offer specifics. We call it FUD there. What do we call it at the ASF? It would be very useful if that paragraph were amended to say so explicitly. I've had no end of trouble trying to explain to managers and customers that any binaries that come from the ASF are not official. That may be true for your users, but for mine they would just come back with, What does that mean in practice? Regardless of the policy stated numerous times in this thread and on this list, this is not clear anywhere in the bylaws or other online documentation (that I can find). I agree. -- Brane P.S.: I asked this same question on legal-discuss a week ago. My post has not even been moderated through as of today, so referring people to that list doesn't appear to be too helpful.
- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On 26.08.2012 16:46, Joe Schaefer wrote: The point most people seem to make out of sanctioned or official builds revolves around indemnifying volunteers involved in the production of the release. I'm tired of rehashing release.html for the umpteenth time simply because Brane or you or some other newb lacks the experience to know the context behind the document, but as they say patches welcome (on site-...@apache.org). Every committer can alter the wording on that page and do something more productive than make clueless arguments on this ever devolving thread. That's very helpful, thanks. So if someone asks me about ASF releases and binaries I should refer them to the legal-discuss archives, or these general@ archives, or simply tell them to find a founding member to condescendingly explain the obvious. Because I sure can't give 'em a link to some page on our web site. I'll refrain from spelling out the epithets that come to mind. -- Brane
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Waah Brane- obviously you're not as community-oriented as you'd like to think. release.html is the byproduct of several years of writing oriented towards the lowest common denominator of the org, but if you think you know how to improve it you have all the requisite karma already. All that's missing is a clue. - Original Message - From: Branko Čibej br...@apache.org To: general@incubator.apache.org Cc: Sent: Sunday, August 26, 2012 10:53 AM Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote On 26.08.2012 16:46, Joe Schaefer wrote: The point most people seem to make out of sanctioned or official builds revolves around indemnifying volunteers involved in the production of the release. I'm tired of rehashing release.html for the umpteenth time simply because Brane or you or some other newb lacks the experience to know the context behind the document, but as they say patches welcome (on site-...@apache.org). Every committer can alter the wording on that page and do something more productive than make clueless arguments on this ever devolving thread. That's very helpful, thanks. So if someone asks me about ASF releases and binaries I should refer them to the legal-discuss archives, or these general@ archives, or simply tell them to find a founding member to condescendingly explain the obvious. Because I sure can't give 'em a link to some page on our web site. I'll refrain from spelling out the epithets that come to mind. -- Brane
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On 26.08.2012 17:04, Joe Schaefer wrote: Waah Brane- obviously you're not as community-oriented as you'd like to think. release.html is the byproduct of several years of writing oriented towards the lowest common denominator of the org, but if you think you know how to improve it you have all the requisite karma already. All that's missing is a clue. Joe, I know very well (and you know that I know) that I can edit most of the things that appear on our web site. But if community-oriented means that anyone should just edit those docs to scratch an itch and to hell with consensus and the consequences, then you're right, I'm definitely a misfit here. -- Brane
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Better attitude, now all you need to do is subscribe to site-...@apache.org and join the rest of the people who care about the content of our site documentation. - Original Message - From: Branko Čibej br...@apache.org To: general@incubator.apache.org Cc: Sent: Sunday, August 26, 2012 11:13 AM Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote On 26.08.2012 17:04, Joe Schaefer wrote: Waah Brane- obviously you're not as community-oriented as you'd like to think. release.html is the byproduct of several years of writing oriented towards the lowest common denominator of the org, but if you think you know how to improve it you have all the requisite karma already. All that's missing is a clue. Joe, I know very well (and you know that I know) that I can edit most of the things that appear on our web site. But if community-oriented means that anyone should just edit those docs to scratch an itch and to hell with consensus and the consequences, then you're right, I'm definitely a misfit here. -- Brane
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Sigh. Apache is a volunteer organization with a history and a culture. As a volunteer organization, it cannot possibly create and maintain a set of documents that describe every bit of cultural norm and historical context. New committers on existing projects learn from their communities. Podling members learn from their mentors. Even out here on general@, I've seen several iterations of some AOO people asking about signed builds and binary releases and experienced Apache members offering answers. This is how it works. Legal-discuss@ and board@ are *not* the normal way to answer these questions. Writing for myself, I see how the AOO situation differs from just about any previous project, and why AOO people would want a different answer to the question. And, over time and a whole lot of effort, a different answer may be forthcoming. However, until then, it is what it is, and a thread here is not going to change it.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Joe, I know very well (and you know that I know) that I can edit most of the things that appear on our web site. But if community-oriented means that anyone should just edit those docs to scratch an itch and to hell with consensus and the consequences, then you're right, I'm definitely a misfit here. Brane, editing the docs to do a better job of explaining is not 'to hell with consensus and consequences.' If you feel clear that you can see a way to improve without changing the semantics, all you'll get for your trouble is applause. 'Misfit' would be the label for someone who tried to change the policy by editing the document.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Aug 26, 2012, at 7:46 AM, Joe Schaefer wrote: AOO doesn't need to change anything to their current release processes other than to stop pointing source downloads at svn (which is the sole reason I won't vote for AOO candidates). Well this is worth discussion. On this page [1]: The source downloads go through aoo-closer.cgi, but all of the hashes and signatures go through www.a.o/dist/. Is that your issue? Or is it this page [2]? Please help me understand what is wrong and it will be fixed. Best Regards, Dave [1] http://incubator.apache.org/openofficeorg/downloads.html [2] http://www.openoffice.org/download/other.html#tested-sdk
Re: [VOTE] Apache OpenOffice Community Graduation Vote
- Original Message - From: Dave Fisher dave2w...@comcast.net To: general@incubator.apache.org Cc: Sent: Sunday, August 26, 2012 1:08 PM Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote On Aug 26, 2012, at 7:46 AM, Joe Schaefer wrote: AOO doesn't need to change anything to their current release processes other than to stop pointing source downloads at svn (which is the sole reason I won't vote for AOO candidates). Well this is worth discussion. On this page [1]: The source downloads go through aoo-closer.cgi, but all of the hashes and signatures go through www.a.o/dist/. Is that your issue? No, but I'm tired of talking about it. If you try to build from source the build system will download packages from svn.apache.org instead of from elsewhere or the mirrors. That violates infra policy. Or is it this page [2]? Please help me understand what is wrong and it will be fixed. Best Regards, Dave [1] http://incubator.apache.org/openofficeorg/downloads.html [2] http://www.openoffice.org/download/other.html#tested-sdk
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Sun, Aug 26, 2012 at 1:08 PM, Dave Fisher dave2w...@comcast.net wrote: On Aug 26, 2012, at 7:46 AM, Joe Schaefer wrote: AOO doesn't need to change anything to their current release processes other than to stop pointing source downloads at svn (which is the sole reason I won't vote for AOO candidates). Well this is worth discussion. On this page [1]: The source downloads go through aoo-closer.cgi, but all of the hashes and signatures go through www.a.o/dist/. Is that your issue? Or is it this page [2]? Please help me understand what is wrong and it will be fixed. This is the old bootstrap.sh issue, where build dependencies were being downloaded from svn, from our ext-sources directory. This is a superset of the issues Pedro had with the cat-b dependencies. We need to make it so the dependencies are all downloaded from somewhere else. Otherwise we're sucking ASF bandwidth. Best Regards, Dave [1] http://incubator.apache.org/openofficeorg/downloads.html [2] http://www.openoffice.org/download/other.html#tested-sdk
RE: [VOTE] Apache OpenOffice Community Graduation Vote
reliance on upstream sources always comes to bear, even for source-code contributions. But having access to all source is reported by some as being essential for ASF releases and that is tied to the notion that the source code is the release. (This is despite specific provision in the treatment of licenses for distributing certain binary artifacts in order to avoid license confusion.) I don't have any clarity on this. I know that it would be a serious burden to some projects if there were restriction to authenticated builds for open-source platforms only and/or restriction to exclusively open-source libraries for other dependencies not satisfied by the platform itself. To the extent that the requirement is for more than IP provenance and license reconciliation, I am not clear who is being held to account for any deeper scrutiny than that. Are the PMC votes for a release expected to establish some sort of serious attestation concerning the nature of the source? Instead, is the requirement of specific source-code availability a requirement for potential forensic requirements later in the lifecycle of a release? Can this be satisfied without the source being in the release, by whatever arrangement and assurance that could be made to ensure its availability whenever needed? I have only questions in this area. I believe there is a definite concern, but I am not sure where it has teeth beyond a ritual requirement. - Dennis -Original Message- From: Dennis E. Hamilton [mailto:orc...@apache.org] Sent: Monday, August 20, 2012 18:50 To: general@incubator.apache.org Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote I do not dispute the existence of other reliable creators of binary distributions. The *nix packagings and installation in consumer desktops are notable for the value that they provide.
I think that experience teaches us that there absolutely needs to be a way to obtain and install *authentic* binary distributions made using the release sources with a proper set of options for a given platform. It is near impossible to provide end-user support and bug confirmation without agreement on the authentic bindist that is being used and that it is a bindist made from known sources. And there are enough fraudulent distributions out there that this is critical as a way to safeguard users. For that reason alone, there needs to be an authenticated bindist, especially for Windows, the 80% that garners the focused attention of miscreants and opportunists. That is also the reason for wanting signed binaries that pass verification on Windows and OS X. There needs to be a way for everyday users to receive every assurance that they are installing an authentic bindist and that it is verifiable who the origin is. I suspect that reliable packagers of unique distributions (including any from IBM) will provide their own verifiable authenticity. - Dennis -Original Message- From: drew [mailto:d...@baseanswers.com] Sent: Monday, August 20, 2012 18:00 To: general@incubator.apache.org Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote [ ... ]
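Two messages in this thread touch the same verification step from opposite ends: Dave Fisher notes that AOO downloads go through the mirror redirector while the hashes and signatures are served from www.a.o/dist/, and Dennis Hamilton argues that users need a way to confirm a bindist is authentic. What that layout means for the person downloading is that the mirror is untrusted and the checksum and signature files on the canonical host are the trust anchor. The following is an added example written for this page, not code from the thread or from the AOO project: it checks a downloaded artifact against a `.sha512` file obtained from the canonical host, accepting the two checksum layouts found in Apache dist trees (the `sha512sum` style and the `gpg --print-md` style; that these are the layouts is an assumption, noted in the code). The file name, artifact bytes and checksum texts are constructed for the demonstration. The PGP check of the `.asc` file against the project's KEYS file is the other half and is left to gpg.

```python
"""Verify a downloaded Apache-style artifact against its .sha512 file.

Added example, not code from the thread or from the AOO project. Threat
model as discussed on the list: the artifact may be served by any mirror
(untrusted); the checksum and signature files are fetched from the
canonical www.apache.org/dist tree and act as the trust anchor. Only the
hash check is implemented here; the PGP check of the .asc file against
the project's KEYS file is done with gpg.
"""
import hashlib
import hmac

HEX = set("0123456789abcdef")


def parse_checksum_file(text: str, filename: str) -> str:
    """Return the lower-case SHA-512 hex digest recorded for `filename`.

    Two layouts are accepted (assumption: these are the layouts found in
    Apache dist trees):
      1. sha512sum style:       "<128 hex>  <filename>"   (or " *<filename>")
      2. gpg --print-md style:  "<filename>: AAAA BBBB ..." with the hex in
         groups, wrapping onto indented continuation lines.
    Raises ValueError if no well-formed entry for `filename` exists.
    """
    lines = text.splitlines()

    # Layout 1: exactly two fields, a 128-char digest and the file name.
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            digest = parts[0].lower()
            if len(digest) == 128 and set(digest) <= HEX:
                return digest

    # Layout 2: "<filename>:" then hex groups; continuation lines are indented.
    for i, line in enumerate(lines):
        if line.startswith(filename + ":"):
            chunks = [line[len(filename) + 1:]]
            for cont in lines[i + 1:]:
                if not cont[:1].isspace():
                    break
                chunks.append(cont)
            digest = "".join("".join(chunks).split()).lower()
            if len(digest) == 128 and set(digest) <= HEX:
                return digest
            raise ValueError(f"malformed SHA-512 entry for {filename!r}")

    raise ValueError(f"no SHA-512 entry for {filename!r}")


def sha512_hex(data: bytes) -> str:
    """Hex SHA-512 of the downloaded bytes."""
    return hashlib.sha512(data).hexdigest()


def verify_artifact(artifact: bytes, filename: str, checksum_text: str) -> bool:
    """True iff the artifact's SHA-512 matches the canonical checksum file."""
    expected = parse_checksum_file(checksum_text, filename)
    # Constant-time compare; avoids leaking how many leading hex chars matched.
    return hmac.compare_digest(expected, sha512_hex(artifact))


def format_print_md(filename: str, digest: str) -> str:
    """Render a digest in gpg --print-md layout (used only to build sample data)."""
    groups = [digest.upper()[i:i + 4] for i in range(0, len(digest), 4)]
    rows = [" ".join(groups[i:i + 8]) for i in range(0, len(groups), 8)]
    indent = " " * (len(filename) + 2)
    return f"{filename}: {rows[0]}\n" + "".join(f"{indent}{r}\n" for r in rows[1:])


# Constructed sample data: a stand-in for a downloaded tarball and the two
# checksum-file layouts the canonical host might serve for it.
ARTIFACT_NAME = "example-src.tar.bz2"
ARTIFACT = b"constructed sample archive bytes, not a real AOO release\n"
SHA512SUM_STYLE = f"{sha512_hex(ARTIFACT)}  {ARTIFACT_NAME}\n"
PRINT_MD_STYLE = format_print_md(ARTIFACT_NAME, sha512_hex(ARTIFACT))


if __name__ == "__main__":
    print("sha512sum layout :", verify_artifact(ARTIFACT, ARTIFACT_NAME, SHA512SUM_STYLE))
    print("print-md layout  :", verify_artifact(ARTIFACT, ARTIFACT_NAME, PRINT_MD_STYLE))
    # A mirror serving a modified file fails the check.
    print("tampered artifact:", verify_artifact(ARTIFACT + b"!", ARTIFACT_NAME, PRINT_MD_STYLE))
```

In real use the artifact is fetched from whatever mirror the redirector picks, while the `.sha512` and `.asc` files are fetched from `https://www.apache.org/dist/` and the `.asc` is checked with `gpg --verify` after importing the project's KEYS file; a checksum fetched from the same mirror as the artifact proves nothing, since an attacker controlling the mirror can replace both.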
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Fri, Aug 24, 2012 at 7:42 PM, Marvin Humphrey mar...@rectangular.com wrote: On Fri, Aug 24, 2012 at 1:00 PM, Rob Weir robw...@apache.org wrote: Or if someone who cared sufficiently about this policy area took ownership and proposed a wording of the policy, either as a Board resolution, or on legal-discuss, and had that policy approved and recorded via the ordinary means. As a member of the Incubator PMC, I am willing to submit the following question via https://issues.apache.org/jira/browse/LEGAL: AOO official binary artifacts May the Apache Open Office podling consider binary artifacts prepared as described in this passage official, in the sense that their release is an act of the corporation and their contributors are indemnified? The correct reference is to Bylaws 12.1. That clause does not use the undefined term official or unofficial or binary or source or act of the corporation, or indeed any mention of releases at all. It refers to all acts done by covered persons , ...in good faith and in a manner that such person reasonably believed to be in or not be opposed to the best interests of the corporation. This would be a question not only of AOO, but of any project that currently distributes binaries. Are PMC's when distributing binaries acting ...in good faith and in a manner that such person reasonably believed to be in or not be opposed to the best interests of the corporation ? IMHO, the best interests of the corporation is best determined by the Board, not Legal Affairs. Of course, they could choose to punt the question to anywhere, including Legal Affairs. But it should start with them.
At that point we could also ask about all other non-source things that PMCs do, including maintaining website, where there is always risk of copyright infringements, data privacy laws, etc, or charges of discrimination in selection or rating of student performance in Google Summer of Code, or any of a number of risks that occur in the operation of any corporate entity. I think once we start poking we find that there are many things a PMC does today, beyond the direct distribution of source code, that brings risk. I don't think the Board has ever enumerated which of these other activities are covered by 12.1 and which are not. I have no opinion on whether doing this is a good use of their time. It seems doing so would tie their arms somewhat, and it might be better to leave these questions unanswered until such time as they arise in context. That preserves flexibility. -Rob http://www.apache.org/dev/release.html#what The Apache Software Foundation produces open source software. All releases are in the form of the source materials needed to make changes to the software being released. In some cases, binary/bytecode packages are also produced as a convenience to users that might not have the appropriate tools to build a compiled version of the source. In all such cases, the binary/bytecode package must have the same version number as the source release and may only add binary/bytecode files that are the result of compiling that version of the source code release. My preference would be to have someone more invested in AOO serve as advocate, but I will do it if no one else steps forward. Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
I submit that this sub-thread has reached the end of its useful lifetime. The IPMC's view of binaries is clear, and the IPMC believes that its views reflect the will of the board. 'Official' binaries, like binaries signed with a certificate with the Foundation's name on it, are not currently permissible. Roughly, the same questions of how the voting members of a PMC could meaningfully check a release before voting apply to both questions. If you want to engage with the board on this, by all means, there is board@. It's a complete waste of time to argue on this list and this thread about the Foundation's governance. In the mean time, AOO releases can continue to have 'convenience binaries', sans signatures. Since this is a community vote thread (!) and not an IPMC vote thread, I further submit that all of us IPMC members should get out of the way and leave it to the mentors to sort out the disconnect between Foundation policy and AOO needs/wants. To quote the mentors from a previous conversation, if people want to join in the process, they should become mentors and fully engage. Of course, a discussion thread started here to solicit the IPMC's opinion on graduation would be another matter entirely.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Sat, 2012-08-25 at 06:45 -0700, Benson Margulies wrote: I submit that this sub-thread has reached the end of its useful lifetime. Howdy, After a re-read of this thread, along with similar on the AOO dev/priv list and referenced ASF policy, or best practices, docs., I fully agree. Honestly, after this review my thinking has changed somewhat and there seems value still to be had in assuring that everyone is chasing the same ends. I'd like to address this in a context of project goals and best way to attain them, as an ASF project, so will move the general discussion back to AOO dev. I think the group can come to a reasonable consensus from that approach quickly. Then, _if_ (or which) specific changes to current ASF norms truly are needed, to best attain those goals, can go through the proper steps - which isn't this thread ;) Also - It may very well be that what needs addressing is already in the pipeline, IMO. Thanks, //drew The IPMC's view of binaries is clear, and the IPMC believes that its views reflect the will of the board. 'Official' binaries, like binaries signed with a certificate with the Foundation's name on it, are not currently permissible. Roughly, the same questions of how the voting members of a PMC could meaningfully check a release before voting apply to both questions. If you want to engage with the board on this, by all means, there is board@. It's a complete waste of time to argue on this list and this thread about the Foundation's governance. In the mean time, AOO releases can continue to have 'convenience binaries', sans signatures. Since this is a community vote thread (!) and not an IPMC vote thread, I further submit that all of us IPMC members should get out of the way and leave it to the mentors to sort out the disconnect between Foundation policy and AOO needs/wants. To quote the mentors from a previous conversation, if people want to join in the process, they should become mentors and fully engage. 
Of course, a discussion thread started here to solicit the IPMC's opinion on graduation would be another matter entirely.
Convenience signatures Re: [VOTE] Apache OpenOffice Community Graduation Vote
Benson Margulies: In the mean time, AOO releases can continue to have 'convenience binaries', sans signatures. If they can have 'convenience binaries' they should also be able to provide 'convenience signatures'. Cheers, Andreas
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Aug 25, 2012 9:46 AM, Benson Margulies bimargul...@gmail.com wrote: ... Of course, a discussion thread started here to solicit the IPMC's opinion on graduation would be another matter entirely. If Rob is representative of AOO, then no. They need more time to learn about the ASF. -g
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Fri, Aug 24, 2012 at 4:35 PM, Greg Stein gst...@gmail.com wrote: On Fri, Aug 24, 2012 at 4:00 PM, Rob Weir robw...@apache.org wrote: snip I can give the IPMC a hand here, if my point is too obscure. A policy might look like this: Resolved: An Apache project's release consists of a canonical source artifact, voted on and approved by the PMC. A PMC can also distribute additional, non-source artifacts, including documentation, binaries, samples, etc., that are provided for the convenience of the user. These non-source artifacts must be buildable from the canonical source artifact. Additional 3rd party libraries may be included solely in compliance with license policies defined by Apache Legal Affairs. Additionally the non-source artifacts (or the PMC) must and must not _. That's existing policy. As people keep saying (most recently, Joe, in no uncertain terms). Hi Greg, And Joe, as I'm sure you noticed, also said: THERE IS NO PROBLEM HERE, CURRENT POLICY FULLY COVERS WHAT AOO ACTUALLY DOES. END OF DISCUSSION. This is my understanding as well. In any case, you seem to agree with the wording that I gave above, since you say it represents existing policy. Since I can find no place on the IPMC or ASF website where this policy is actually stated (and please correct me if I missed it), it might be good if we took my summary from above and put it into the Podling Release Guide. I know there is an ongoing effort to clean up the IPMC website. I'd be happy to submit a patch. Regards, -Rob -g
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Returning to this topic after an intermission... On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz bdelacre...@apache.org wrote: On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt jogischm...@gmail.com wrote: ...As one of the active developers I would have a serious problem if we as project couldn't provide binary releases for our users. And I thought the ASF is a serious enough institution that can ensure to deliver binaries of these very popular end user oriented software and can of course protect the very valuable brand OpenOffice that the ASF now owns as well... As has been repeatedly mentioned in this thread and elsewhere, at the moment ASF releases consist of source code, not binaries. My impression from this discussion is that many podling contributors are dismayed by this policy, and that there is an element within the PPMC which remains convinced that it is actually up to individual PMCs within the ASF to set policy as to whether binaries are official or not. OTOH I don't think anybody said the ASF will never allow projects to distribute binaries - but people who want to do that need to get together (*) and come up with a proposal that's compatible with the ASF's goals and constraints, so that a clear policy can be set. I'm concerned that such an effort may not be completed, and that once the podling graduates, AOO binaries will once again be advertised as official, placing the project in conflict with ASF-wide policy. It may be that some within the newly formed PMC will speak out in favor of the ASF status quo, but as their position will likely be inexpedient and unpopular, it may be difficult to prevail. Of course I don't know how things will play out, but it seems to me that reactions from podling contributors have ranged from discouraged to skeptical to antagonistic and that there is limited enthusiasm for working within the ASF on this matter.
Gaming out this pessimistic scenario, what would it look like if the Board were forced to clamp down on a rebellious AOO PMC to enforce ASF policy regarding binary releases? If we believe that we are adequately prepared for such circumstances, then I think that's good enough and that fully resolving the issue of binary releases prior to AOO's graduation is not required. Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey mar...@rectangular.com wrote: Returning to this topic after an intermission... On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz bdelacre...@apache.org wrote: On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt jogischm...@gmail.com wrote: ...As one of the active developers I would have a serious problem if we as project couldn't provide binary releases for our users. And I thought the ASF is a serious enough institution that can ensure to deliver binaries of these very popular end user oriented software and can of course protect the very valuable brand OpenOffice that the ASF now owns as well... As has been repeatedly mentioned in this thread and elsewhere, at the moment ASF releases consist of source code, not binaries. My impression from this discussion is that many podling contributors are dismayed by this policy, and that there is an element within the PPMC which remains convinced that it is actually up to individual PMCs within the ASF to set policy as to whether binaries are official or not. If there actually is an ASF-wide Policy concerning binaries then I would expect that: 1) It would come from the ASF Board, or from Legal Affairs, not as individual opinions on the IPMC list 2) It would be documented someplace, as other important ASF policies are documented 3) That the policy is applied not only to AOO, but to other podlings and to TLP's as well. Until that happens, I hear only opinions. But opinions, even widely held opinions, even Roy opinions, are not the same as policy. -Rob OTOH I don't think anybody said the ASF will never allow projects to distribute binaries - but people who want to do that need to get together (*) and come up with a proposal that's compatible with the ASF's goals and constraints, so that a clear policy can be set.
I'm concerned that such an effort may not be completed, and that once the podling graduates, AOO binaries will once again be advertised as official, placing the project in conflict with ASF-wide policy. It may be that some within the newly formed PMC will speak out in favor of the ASF status quo, but as their position will likely be inexpedient and unpopular, it may be difficult to prevail. Of course I don't know how things will play out, but it seems to me that reactions from podling contributors have ranged from discouraged to skeptical to antagonistic and that there is limited enthusiasm for working within the ASF on this matter. Gaming out this pessimistic scenario, what would it look like if the Board were forced to clamp down on a rebellious AOO PMC to enforce ASF policy regarding binary releases? If we believe that we are adequately prepared for such circumstances, then I think that's good enough and that fully resolving the issue of binary releases prior to AOO's graduation is not required. Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir robw...@apache.org wrote: On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey mar...@rectangular.com wrote: Returning to this topic after an intermission... On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz bdelacre...@apache.org wrote: On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt jogischm...@gmail.com wrote: ...As one of the active developers I would have a serious problem if we as project couldn't provide binary releases for our users. And I thought the ASF is a serious enough institution that can ensure to deliver binaries of these very popular end user oriented software and can of course protect the very valuable brand OpenOffice that the ASF now owns as well... As has been repeatedly mentioned in this thread and elsewhere, at the moment ASF releases consist of source code, not binaries. My impression from this discussion is that many podling contributors are dismayed by this policy, and that there is an element within the PPMC which remains convinced that it is actually up to individual PMCs within the ASF to set policy as to whether binaries are official or not. If there actually is an ASF-wide Policy concerning binaries then I would expect that: 1) It would come from the ASF Board, or from Legal Affairs, not as individual opinions on the IPMC list 2) It would be documented someplace, as other important ASF policies are documented And 2a) Actually state the constraints of the policy, i.e., what is allowed or disallowed by the policy. Merely inventing a label like convenience or unofficial gives absolutely zero direction to PMC's. It is just a label. Consider what the IPMC's Release Guide gives with regards to the source artifact. It is labeled canonical, but that label is backed up with requirements, e.g., that every release must include it, that it must be signed, etc.
Similarly, podling releases are not merely labeled podling releases, but policy defines requirements, e.g., a disclaimer, a required IPMC vote, etc. I hope I am not being too pedantic here. But I would like to have a policy defined here so any PMC can determine whether they are in compliance. But so far I just hear strongly held opinions that amount to applying labels, but not mandating or forbidding any actions with regards to artifacts that bear these labels. Consider: If some IPMC members declared loudly that It is ASF policy that binary artifacts are 'Umbabuga', what exactly would you expect a Podling to do, given that Umbabuga is an undefined term with no policy mandated or forbidden actions? There is a seductive appeal to reaching consensus on a label. But it avoids the hard part of policy development, the useful part: reaching consensus on constraints to actions. 3) That the policy is applied not only to AOO, but to other podlings and to TLP's as well. Until that happens, I hear only opinions. But opinions, even widely held opinions, even Roy opinions, are not the same as policy. -Rob OTOH I don't think anybody said the ASF will never allow projects to distribute binaries - but people who want to do that need to get together (*) and come up with a proposal that's compatible with the ASF's goals and constraints, so that a clear policy can be set. I'm concerned that such an effort may not be completed, and that once the podling graduates, AOO binaries will once again be advertised as official, placing the project in conflict with ASF-wide policy. It may be that some within the newly formed PMC will speak out in favor of the ASF status quo, but as their position will likely be inexpedient and unpopular, it may be difficult to prevail.
Of course I don't know how things will play out, but it seems to me that reactions from podling contributors have ranged from discouraged to skeptical to antagonistic and that there is limited enthusisasm for working within the ASF on this matter. Gaming out this pessimistic scenario, what would it look like if the Board were forced to clamp down on a rebellious AOO PMC to enforce ASF policy regarding binary releases? If we believe that we are adequately prepared for such circumstances, then I think that's good enough and that fully resolving the issue of binary releases prior to AOO's graduation is not required. Marvin Humphrey - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Aug 24, 2012, at 10:09 AM, Rob Weir wrote:
> On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir robw...@apache.org wrote:
>> On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey mar...@rectangular.com wrote:
>>> Returning to this topic after an intermission...
>>>
>>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz bdelacre...@apache.org wrote:
>>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt jogischm...@gmail.com wrote:
>>>>> ...As one of the active developers I would have a serious problem if we as project couldn't provide binary releases for our users. And I thought the ASF is a serious enough institution that can ensure to deliver binaries of these very popular end user oriented software and can of course protect the very valuable brand OpenOffice that the ASF now owns as well...
>>>>
>>>> As has been repeatedly mentioned in this thread and elsewhere, at the moment ASF releases consist of source code, not binaries.
>>>
>>> My impression from this discussion is that many podling contributors are dismayed by this policy, and that there is an element within the PPMC which remains convinced that it is actually up to individual PMCs within the ASF to set policy as to whether binaries are official or not.
>>
>> If there actually is an ASF-wide Policy concerning binaries then I would expect that:
>>
>> 1) It would come from the ASF Board, or from Legal Affairs, not as individual opinions on the IPMC list
>>
>> 2) It would be documented someplace, as other important ASF policies are documented
>
> And 2a) Actually state the constraints of the policy, i.e., what is allowed or disallowed by the policy. Merely inventing a label like "convenience" or "unofficial" gives absolutely zero direction to PMCs. It is just a label.
>
> Consider what the IPMC's Release Guide gives with regards to the source artifact. It is labeled "canonical", but that label is backed up with requirements, e.g., that every release must include it, that it must be signed, etc. Similarly, podling releases are not merely labeled "podling releases", but policy defines requirements, e.g., a disclaimer, a required IPMC vote, etc.
>
> I hope I am not being too pedantic here. But I would like to have a policy defined here so any PMC can determine whether they are in compliance. But so far I just hear strongly held opinions that amount to applying labels, but not mandating or forbidding any actions with regards to artifacts that bear these labels.
>
> Consider: If some IPMC members declared loudly that "It is ASF policy that binary artifacts are 'Umbabuga'", what exactly would you expect a Podling to do, given that Umbabuga is an undefined term with no policy-mandated or -forbidden actions?
>
> There is a seductive appeal to reaching consensus on a label. But it avoids the hard part of policy development, the useful part: reaching consensus on constraints to actions.

The AOO PPMC was asked to take this discussion along with the digital signature issue to legal-discuss to get advice. Whether or not this becomes guidance for AOO or official foundation wide policy is ultimately up to the Board and the Membership.

Regards,
Dave

>> 3) That the policy is applied not only to AOO, but to other podlings and to TLPs as well.
>>
>> Until that happens, I hear only opinions. But opinions, even widely held opinions, even Roy opinions, are not the same as policy.
>>
>> -Rob
>>
>>>> OTOH I don't think anybody said the ASF will never allow projects to distribute binaries - but people who want to do that need to get together (*) and come up with a proposal that's compatible with the ASF's goals and constraints, so that a clear policy can be set.
>>>
>>> I'm concerned that such an effort may not be completed, and that once the podling graduates, AOO binaries will once again be advertised as official, placing the project in conflict with ASF-wide policy. It may be that some within the newly formed PMC will speak out in favor of the ASF status quo, but as their position will likely be inexpedient and unpopular, it may be difficult to prevail.
>>>
>>> Of course I don't know how things will play out, but it seems to me that reactions from podling contributors have ranged from discouraged to skeptical to antagonistic and that there is limited enthusiasm for working within the ASF on this matter.
>>>
>>> Gaming out this pessimistic scenario, what would it look like if the Board were forced to clamp down on a rebellious AOO PMC to enforce ASF policy regarding binary releases? If we believe that we are adequately prepared for such circumstances, then I think that's good enough and that fully resolving the issue of binary releases prior to AOO's graduation is not required.
>>>
>>> Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Aug 24, 2012, at 9:32 AM, Marvin Humphrey wrote:
> Returning to this topic after an intermission...
>
> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz bdelacre...@apache.org wrote:
>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt jogischm...@gmail.com wrote:
>>> ...As one of the active developers I would have a serious problem if we as project couldn't provide binary releases for our users. And I thought the ASF is a serious enough institution that can ensure to deliver binaries of these very popular end user oriented software and can of course protect the very valuable brand OpenOffice that the ASF now owns as well...
>>
>> As has been repeatedly mentioned in this thread and elsewhere, at the moment ASF releases consist of source code, not binaries.
>
> My impression from this discussion is that many podling contributors are dismayed by this policy, and that there is an element within the PPMC which remains convinced that it is actually up to individual PMCs within the ASF to set policy as to whether binaries are official or not.

It is a consequence of 10 years of official openoffice.org binary releases from both Sun and Oracle. It is a consequence of a large market share.

>> OTOH I don't think anybody said the ASF will never allow projects to distribute binaries - but people who want to do that need to get together (*) and come up with a proposal that's compatible with the ASF's goals and constraints, so that a clear policy can be set.
>
> I'm concerned that such an effort may not be completed, and that once the podling graduates, AOO binaries will once again be advertised as official, placing the project in conflict with ASF-wide policy. It may be that some within the newly formed PMC will speak out in favor of the ASF status quo, but as their position will likely be inexpedient and unpopular, it may be difficult to prevail.
>
> Of course I don't know how things will play out, but it seems to me that reactions from podling contributors have ranged from discouraged to skeptical to antagonistic and that there is limited enthusiasm for working within the ASF on this matter.
>
> Gaming out this pessimistic scenario, what would it look like if the Board were forced to clamp down on a rebellious AOO PMC to enforce ASF policy regarding binary releases? If we believe that we are adequately prepared for such circumstances, then I think that's good enough and that fully resolving the issue of binary releases prior to AOO's graduation is not required.

One way to help assure proper policy would be to insist that there are several Apache Members on the future PMC. As of now it looks like Jim and I are the only ones on the prospective PMC. That's not enough.

I'm going to need a vacation from AOO soon.

Regards,
Dave

> Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Really, all this fuss over the LABELLING of a file being distributed does not add value to either the org, the podling, or the users of the software. Nowhere is it written that you CANNOT DISTRIBUTE BINARIES, however it has always been clear that they are provided for the convenience of our users, not as part of an official release. That however does not mean that things like release announcements cannot refer users to those binaries, it simply means those announcements need to reference the sources as the thing that was formally voted on and approved by the ASF.

From: Dave Fisher dave2w...@comcast.net
To: general@incubator.apache.org
Sent: Friday, August 24, 2012 1:56 PM
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

On Aug 24, 2012, at 10:09 AM, Rob Weir wrote:
> On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir robw...@apache.org wrote:
>> On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey mar...@rectangular.com wrote:
>>> Returning to this topic after an intermission...
>>>
>>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz bdelacre...@apache.org wrote:
>>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt jogischm...@gmail.com wrote:
>>>>> ...As one of the active developers I would have a serious problem if we as project couldn't provide binary releases for our users. And I thought the ASF is a serious enough institution that can ensure to deliver binaries of these very popular end user oriented software and can of course protect the very valuable brand OpenOffice that the ASF now owns as well...
>>>>
>>>> As has been repeatedly mentioned in this thread and elsewhere, at the moment ASF releases consist of source code, not binaries.
>>>
>>> My impression from this discussion is that many podling contributors are dismayed by this policy, and that there is an element within the PPMC which remains convinced that it is actually up to individual PMCs within the ASF to set policy as to whether binaries are official or not.
>>
>> If there actually is an ASF-wide Policy concerning binaries then I would expect that:
>>
>> 1) It would come from the ASF Board, or from Legal Affairs, not as individual opinions on the IPMC list
>>
>> 2) It would be documented someplace, as other important ASF policies are documented
>
> And 2a) Actually state the constraints of the policy, i.e., what is allowed or disallowed by the policy. Merely inventing a label like "convenience" or "unofficial" gives absolutely zero direction to PMCs. It is just a label.
>
> Consider what the IPMC's Release Guide gives with regards to the source artifact. It is labeled "canonical", but that label is backed up with requirements, e.g., that every release must include it, that it must be signed, etc. Similarly, podling releases are not merely labeled "podling releases", but policy defines requirements, e.g., a disclaimer, a required IPMC vote, etc.
>
> I hope I am not being too pedantic here. But I would like to have a policy defined here so any PMC can determine whether they are in compliance. But so far I just hear strongly held opinions that amount to applying labels, but not mandating or forbidding any actions with regards to artifacts that bear these labels.
>
> Consider: If some IPMC members declared loudly that "It is ASF policy that binary artifacts are 'Umbabuga'", what exactly would you expect a Podling to do, given that Umbabuga is an undefined term with no policy-mandated or -forbidden actions?
>
> There is a seductive appeal to reaching consensus on a label. But it avoids the hard part of policy development, the useful part: reaching consensus on constraints to actions.

The AOO PPMC was asked to take this discussion along with the digital signature issue to legal-discuss to get advice. Whether or not this becomes guidance for AOO or official foundation wide policy is ultimately up to the Board and the Membership.

Regards,
Dave

>> 3) That the policy is applied not only to AOO, but to other podlings and to TLPs as well.
>>
>> Until that happens, I hear only opinions. But opinions, even widely held opinions, even Roy opinions, are not the same as policy.
>>
>> -Rob
>>
>>>> OTOH I don't think anybody said the ASF will never allow projects to distribute binaries - but people who want to do that need to get together (*) and come up with a proposal that's compatible with the ASF's goals and constraints, so that a clear policy can be set.
>>>
>>> I'm concerned that such an effort may not be completed, and that once the podling graduates, AOO binaries will once again be advertised as official, placing the project in conflict with ASF-wide policy. It may be that some within the newly formed PMC will speak out in favor of the ASF status quo, but as their position will likely be inexpedient and unpopular, it may be difficult to prevail.
>>>
>>> Of course I don't know how things will play out, but it seems to me that reactions from podling contributors have ranged from discouraged
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On 8/24/2012 11:19 AM, Joe Schaefer wrote:
> Really, all this fuss over the LABELLING of a file being distributed does not add value to either the org, the podling, or the users of the software. Nowhere is it written that you CANNOT DISTRIBUTE BINARIES, however it has always been clear that they are provided for the convenience of our users, not as part of an official release. That however does not mean that things like release announcements cannot refer users to those binaries, it simply means those announcements need to reference the sources as the thing that was formally voted on and approved by the ASF.

Thus... Binaries created /from/ the Official Release?

> From: Dave Fisher dave2w...@comcast.net
> To: general@incubator.apache.org
> Sent: Friday, August 24, 2012 1:56 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>
> On Aug 24, 2012, at 10:09 AM, Rob Weir wrote:
>> On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir robw...@apache.org wrote:
>>> On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey mar...@rectangular.com wrote:
>>>> Returning to this topic after an intermission...
>>>>
>>>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz bdelacre...@apache.org wrote:
>>>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt jogischm...@gmail.com wrote:
>>>>>> ...As one of the active developers I would have a serious problem if we as project couldn't provide binary releases for our users. And I thought the ASF is a serious enough institution that can ensure to deliver binaries of these very popular end user oriented software and can of course protect the very valuable brand OpenOffice that the ASF now owns as well...
>>>>>
>>>>> As has been repeatedly mentioned in this thread and elsewhere, at the moment ASF releases consist of source code, not binaries.
>>>>
>>>> My impression from this discussion is that many podling contributors are dismayed by this policy, and that there is an element within the PPMC which remains convinced that it is actually up to individual PMCs within the ASF to set policy as to whether binaries are official or not.
>>>
>>> If there actually is an ASF-wide Policy concerning binaries then I would expect that:
>>>
>>> 1) It would come from the ASF Board, or from Legal Affairs, not as individual opinions on the IPMC list
>>>
>>> 2) It would be documented someplace, as other important ASF policies are documented
>>
>> And 2a) Actually state the constraints of the policy, i.e., what is allowed or disallowed by the policy. Merely inventing a label like "convenience" or "unofficial" gives absolutely zero direction to PMCs. It is just a label.
>>
>> Consider what the IPMC's Release Guide gives with regards to the source artifact. It is labeled "canonical", but that label is backed up with requirements, e.g., that every release must include it, that it must be signed, etc. Similarly, podling releases are not merely labeled "podling releases", but policy defines requirements, e.g., a disclaimer, a required IPMC vote, etc.
>>
>> I hope I am not being too pedantic here. But I would like to have a policy defined here so any PMC can determine whether they are in compliance. But so far I just hear strongly held opinions that amount to applying labels, but not mandating or forbidding any actions with regards to artifacts that bear these labels.
>>
>> Consider: If some IPMC members declared loudly that "It is ASF policy that binary artifacts are 'Umbabuga'", what exactly would you expect a Podling to do, given that Umbabuga is an undefined term with no policy-mandated or -forbidden actions?
>>
>> There is a seductive appeal to reaching consensus on a label. But it avoids the hard part of policy development, the useful part: reaching consensus on constraints to actions.
>
> The AOO PPMC was asked to take this discussion along with the digital signature issue to legal-discuss to get advice. Whether or not this becomes guidance for AOO or official foundation wide policy is ultimately up to the Board and the Membership.
>
> Regards,
> Dave
>
>>> 3) That the policy is applied not only to AOO, but to other podlings and to TLPs as well.
>>>
>>> Until that happens, I hear only opinions. But opinions, even widely held opinions, even Roy opinions, are not the same as policy.
>>>
>>> -Rob
>>>
>>>>> OTOH I don't think anybody said the ASF will never allow projects to distribute binaries - but people who want to do that need to get together (*) and come up with a proposal that's compatible with the ASF's goals and constraints, so that a clear policy can be set.
>>>>
>>>> I'm concerned that such an effort may not be completed, and that once the podling graduates, AOO binaries will once again be advertised as official, placing the project in conflict with ASF-wide policy. It may be that some within the newly formed PMC will speak out in favor of the ASF status quo, but as their position will likely be inexpedient and unpopular, it may be difficult to prevail.
>>>>
>>>> Of course I don't know how things will play out, but it seems to me that reactions from podling contributors have ranged from
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Exactly - just work within the constraints and there is no practical problem whatsoever.

From: Andrew Rist andrew.r...@oracle.com
To: general@incubator.apache.org
Sent: Friday, August 24, 2012 2:44 PM
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

On 8/24/2012 11:19 AM, Joe Schaefer wrote:
> Really, all this fuss over the LABELLING of a file being distributed does not add value to either the org, the podling, or the users of the software. Nowhere is it written that you CANNOT DISTRIBUTE BINARIES, however it has always been clear that they are provided for the convenience of our users, not as part of an official release. That however does not mean that things like release announcements cannot refer users to those binaries, it simply means those announcements need to reference the sources as the thing that was formally voted on and approved by the ASF.

Thus... Binaries created /from/ the Official Release?

> From: Dave Fisher dave2w...@comcast.net
> To: general@incubator.apache.org
> Sent: Friday, August 24, 2012 1:56 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>
> On Aug 24, 2012, at 10:09 AM, Rob Weir wrote:
>> On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir robw...@apache.org wrote:
>>> On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey mar...@rectangular.com wrote:
>>>> Returning to this topic after an intermission...
>>>>
>>>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz bdelacre...@apache.org wrote:
>>>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt jogischm...@gmail.com wrote:
>>>>>> ...As one of the active developers I would have a serious problem if we as project couldn't provide binary releases for our users. And I thought the ASF is a serious enough institution that can ensure to deliver binaries of these very popular end user oriented software and can of course protect the very valuable brand OpenOffice that the ASF now owns as well...
>>>>>
>>>>> As has been repeatedly mentioned in this thread and elsewhere, at the moment ASF releases consist of source code, not binaries.
>>>>
>>>> My impression from this discussion is that many podling contributors are dismayed by this policy, and that there is an element within the PPMC which remains convinced that it is actually up to individual PMCs within the ASF to set policy as to whether binaries are official or not.
>>>
>>> If there actually is an ASF-wide Policy concerning binaries then I would expect that:
>>>
>>> 1) It would come from the ASF Board, or from Legal Affairs, not as individual opinions on the IPMC list
>>>
>>> 2) It would be documented someplace, as other important ASF policies are documented
>>
>> And 2a) Actually state the constraints of the policy, i.e., what is allowed or disallowed by the policy. Merely inventing a label like "convenience" or "unofficial" gives absolutely zero direction to PMCs. It is just a label.
>>
>> Consider what the IPMC's Release Guide gives with regards to the source artifact. It is labeled "canonical", but that label is backed up with requirements, e.g., that every release must include it, that it must be signed, etc. Similarly, podling releases are not merely labeled "podling releases", but policy defines requirements, e.g., a disclaimer, a required IPMC vote, etc.
>>
>> I hope I am not being too pedantic here. But I would like to have a policy defined here so any PMC can determine whether they are in compliance. But so far I just hear strongly held opinions that amount to applying labels, but not mandating or forbidding any actions with regards to artifacts that bear these labels.
>>
>> Consider: If some IPMC members declared loudly that "It is ASF policy that binary artifacts are 'Umbabuga'", what exactly would you expect a Podling to do, given that Umbabuga is an undefined term with no policy-mandated or -forbidden actions?
>>
>> There is a seductive appeal to reaching consensus on a label. But it avoids the hard part of policy development, the useful part: reaching consensus on constraints to actions.
>
> The AOO PPMC was asked to take this discussion along with the digital signature issue to legal-discuss to get advice. Whether or not this becomes guidance for AOO or official foundation wide policy is ultimately up to the Board and the Membership.
>
> Regards,
> Dave
>
>>> 3) That the policy is applied not only to AOO, but to other podlings and to TLPs as well.
>>>
>>> Until that happens, I hear only opinions. But opinions, even widely held opinions, even Roy opinions, are not the same as policy.
>>>
>>> -Rob
>>>
>>>>> OTOH I don't think anybody said the ASF will never allow projects to distribute binaries - but people who want to do that need to get together (*) and come up with a proposal that's compatible with the ASF's goals and constraints, so that a clear policy can be set.
>>>>
>>>> I'm concerned that such an effort may not be completed, and that once the podling graduates, AOO binaries will once again be advertised
Re: [VOTE] Apache OpenOffice Community Graduation Vote
This policy is enshrined in the original foundation articles of incorporation, and has been restated, over and over, by board members. Most colorfully by Roy T. Fielding, who was 'present at the birth.'

Many are sympathetic to the AOO situation, and this is why the suggestion from the VP legal was to start a discussion about how to evolve to accommodate AOO rather than simply a flat refusal to consider the problem.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
WHAT PROBLEM? THERE IS NO PROBLEM HERE, CURRENT POLICY FULLY COVERS WHAT AOO ACTUALLY DOES. END OF DISCUSSION.

A discussion about blessing binaries with cryptographic signatures supplied by the org is totally out of scope for this thread.

From: Benson Margulies bimargul...@gmail.com
To: general@incubator.apache.org
Sent: Friday, August 24, 2012 3:08 PM
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

This policy is enshrined in the original foundation articles of incorporation, and has been restated, over and over, by board members. Most colorfully by Roy T. Fielding, who was 'present at the birth.'

Many are sympathetic to the AOO situation, and this is why the suggestion from the VP legal was to start a discussion about how to evolve to accommodate AOO rather than simply a flat refusal to consider the problem.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Joe: that is what is being discussed. Blessed binaries. Go back to Dennis' email for the need for these.

On Fri, Aug 24, 2012 at 3:11 PM, Joe Schaefer joe_schae...@yahoo.com wrote:
> WHAT PROBLEM? THERE IS NO PROBLEM HERE, CURRENT POLICY FULLY COVERS WHAT AOO ACTUALLY DOES. END OF DISCUSSION.
>
> A discussion about blessing binaries with cryptographic signatures supplied by the org is totally out of scope for this thread.
>
> From: Benson Margulies bimargul...@gmail.com
> To: general@incubator.apache.org
> Sent: Friday, August 24, 2012 3:08 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>
> This policy is enshrined in the original foundation articles of incorporation, and has been restated, over and over, by board members. Most colorfully by Roy T. Fielding, who was 'present at the birth.'
>
> Many are sympathetic to the AOO situation, and this is why the suggestion from the VP legal was to start a discussion about how to evolve to accommodate AOO rather than simply a flat refusal to consider the problem.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
From: Greg Stein gst...@gmail.com
To: general@incubator.apache.org; Joe Schaefer joe_schae...@yahoo.com
Sent: Friday, August 24, 2012 3:40 PM
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

> Joe: that is what is being discussed. Blessed binaries. Go back to Dennis' email for the need for these.

See that yes, but this thread is all over the map and that element only appears in a fraction of the actual posts. I will agree with you tho that the way forward with org-signed binaries (as opposed to committer-PGP signed binaries constituting existing policy) goes through legal-discuss and involves infrastructure participation. Being caustic and accusatory is no way to make progress.

In any case this thread should just die now.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Fri, Aug 24, 2012 at 2:11 PM, Dave Fisher dave2w...@comcast.net wrote:
> On Aug 24, 2012, at 9:32 AM, Marvin Humphrey wrote:
>> Returning to this topic after an intermission...
>>
>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz bdelacre...@apache.org wrote:
>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt jogischm...@gmail.com wrote:
>>>> ...As one of the active developers I would have a serious problem if we as project couldn't provide binary releases for our users. And I thought the ASF is a serious enough institution that can ensure to deliver binaries of these very popular end user oriented software and can of course protect the very valuable brand OpenOffice that the ASF now owns as well...
>>>
>>> As has been repeatedly mentioned in this thread and elsewhere, at the moment ASF releases consist of source code, not binaries.
>>
>> My impression from this discussion is that many podling contributors are dismayed by this policy, and that there is an element within the PPMC which remains convinced that it is actually up to individual PMCs within the ASF to set policy as to whether binaries are official or not.
>
> It is a consequence of 10 years of official openoffice.org binary releases from both Sun and Oracle. It is a consequence of a large market share.

Or stated in less commercial terms, the vast amount of public good that comes from this project. See: http://incubator.apache.org/openofficeorg/mission.html

>>> OTOH I don't think anybody said the ASF will never allow projects to distribute binaries - but people who want to do that need to get together (*) and come up with a proposal that's compatible with the ASF's goals and constraints, so that a clear policy can be set.
>>
>> I'm concerned that such an effort may not be completed, and that once the podling graduates, AOO binaries will once again be advertised as official, placing the project in conflict with ASF-wide policy. It may be that some within the newly formed PMC will speak out in favor of the ASF status quo, but as their position will likely be inexpedient and unpopular, it may be difficult to prevail.
>>
>> Of course I don't know how things will play out, but it seems to me that reactions from podling contributors have ranged from discouraged to skeptical to antagonistic and that there is limited enthusiasm for working within the ASF on this matter.
>>
>> Gaming out this pessimistic scenario, what would it look like if the Board were forced to clamp down on a rebellious AOO PMC to enforce ASF policy regarding binary releases? If we believe that we are adequately prepared for such circumstances, then I think that's good enough and that fully resolving the issue of binary releases prior to AOO's graduation is not required.
>
> One way to help assure proper policy would be to insist that there are several Apache Members on the future PMC.

Or if someone who cared sufficiently about this policy area took ownership and proposed a wording of the policy, either as a Board resolution, or on legal-discuss, and had that policy approved and recorded via the ordinary means.

Right now it is unfair to say that I, or anyone else in the podling, is rebellious or opposes ASF Policy in this area, since no one seems to be able to say what the policy actually is, in specific and actionable terms, and why they think AOO podling is or is not in compliance.

I can give the IPMC a hand here, if my point is too obscure. A policy might look like this:

Resolved: An Apache project's release consists of a canonical source artifact, voted on and approved by the PMC. A PMC can also distribute additional, non-source artifacts, including documentation, binaries, samples, etc., that are provided for the convenience of the user. These non-source artifacts must be buildable from the canonical source artifact. Additional 3rd party libraries may be included solely in compliance with license policies defined by Apache Legal Affairs. Additionally the non-source artifacts (or the PMC) must ____ and must not ____.

Fill in the blanks, get approval via normal procedures, and you have something resembling a policy.

Regards,

-Rob

> As of now it looks like Jim and I are the only ones on the prospective PMC. That's not enough.
>
> I'm going to need a vacation from AOO soon.
>
> Regards,
> Dave
>
>> Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Fri, Aug 24, 2012 at 4:00 PM, Rob Weir robw...@apache.org wrote:
> ...
> Or if someone who cared sufficiently about this policy area took ownership and proposed a wording of the policy, either as a Board resolution, or on legal-discuss, and had that policy approved and recorded via the ordinary means.

That's why people keep saying: go to legal-discuss. Stop worrying about it here.

And to be clear: we're talking about authenticated/blessed binaries. Not convenience artifacts. I think you're well aware of this, yet you keep conflating the two. I don't know why, except maybe to aggravate people. It certainly isn't engendering good will.

> Right now it is unfair to say that I, or anyone else in the podling, is rebellious or opposes ASF Policy in this area, since no one seems to be able to say what the policy actually is, in specific and actionable terms, and why they think AOO podling is or is not in compliance.

It is totally fair when everybody keeps telling you: no blessed binaries, and you refuse to listen.

> I can give the IPMC a hand here, if my point is too obscure. A policy might look like this:
>
> Resolved: An Apache project's release consists of a canonical source artifact, voted on and approved by the PMC. A PMC can also distribute additional, non-source artifacts, including documentation, binaries, samples, etc., that are provided for the convenience of the user. These non-source artifacts must be buildable from the canonical source artifact. Additional 3rd party libraries may be included solely in compliance with license policies defined by Apache Legal Affairs. Additionally the non-source artifacts (or the PMC) must ____ and must not ____.

That's existing policy. As people keep saying (most recently, Joe, in no uncertain terms).

-g
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Fri, Aug 24, 2012 at 1:00 PM, Rob Weir robw...@apache.org wrote:
> Or if someone who cared sufficiently about this policy area took ownership and proposed a wording of the policy, either as a Board resolution, or on legal-discuss, and had that policy approved and recorded via the ordinary means.

As a member of the Incubator PMC, I am willing to submit the following question via https://issues.apache.org/jira/browse/LEGAL:

AOO official binary artifacts

May the Apache Open Office podling consider binary artifacts prepared as described in this passage official, in the sense that their release is an act of the corporation and their contributors are indemnified?

http://www.apache.org/dev/release.html#what

"The Apache Software Foundation produces open source software. All releases are in the form of the source materials needed to make changes to the software being released. In some cases, binary/bytecode packages are also produced as a convenience to users that might not have the appropriate tools to build a compiled version of the source. In all such cases, the binary/bytecode package must have the same version number as the source release and may only add binary/bytecode files that are the result of compiling that version of the source code release."

My preference would be to have someone more invested in AOO serve as advocate, but I will do it if no one else steps forward.

Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Tue, Aug 21, 2012 at 5:30 AM, Benson Margulies bimargul...@gmail.com wrote:
> Officially, no Apache project has ever, ever, released a binary. Apache projects have published convenience binaries to accompany their releases, which have been, by definition, source

Agreed - for the Flex podling the mentors have asked for a distinct binaries folder, see http://apache.org/dist/incubator/flex/4.8.0-incubating/

I think that's a good step, and it would be even better to add a README in there which points to an URL that explains the source/binary release thing.

The best way to clarify that is probably to create an issue at https://issues.apache.org/jira/browse/LEGAL and discuss on the legal-discuss list, where people from multiple projects that are affected by this can join. It's an ASF-wide issue, not an Incubator issue.

-Bertrand (not volunteering - busy enough)
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On 8/21/12 12:03 AM, drew wrote:
> On Mon, 2012-08-20 at 13:32 -0700, Marvin Humphrey wrote:
>> On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir robw...@apache.org wrote:
>>> Per the IPMC's Guide to Successful Graduation [1] this is the optional, but recommended, community vote for us to express our willingness/readiness to govern ourselves. If this vote passes then we continue by drafting a charter, submitting it for IPMC endorsement, and then to the ASF Board for final approval. Details can be found in the Guide to Successful Graduation.
>>>
>>> Everyone in the community is encouraged to vote. Votes from PPMC members and Mentors are binding. This vote will run 72 hours.
>>>
>>> [ ] +1 Apache OpenOffice community is ready to graduate from the Apache Incubator.
>>> [ ] +0 Don't care.
>>> [ ] -1 Apache OpenOffice community is not ready to graduate from the Apache Incubator because...
>>
>> In my opinion, the issue of binary releases ought to be resolved before graduation. If the podling believes that ASF-endorsed binaries are a hard requirement, then it seems to me that the ASF is not yet ready for AOO and will not be until suitable infrastructure and legal institutions to support binary releases (sterile build machines, artifact signing, etc) have been created and a policy has been endorsed by the Board.
>>
>> One possibility discussed in the past was to have downstream commercial vendors release binaries a la Subversion's example, which would obviate the need for all the effort and risk associated with providing support for ASF-endorsed binaries. For whatever reason, the AOO podling seems not to have gone this direction, though.
>>
>> Marvin Humphrey
>
> Hi Marvin,
>
> Well, for myself, I don't have a problem with the AOO project not having official binary releases - in such a circumstance I would strongly prefer no binary release at all.

As one of the active developers I would have a serious problem if we as project couldn't provide binary releases for our users. And I thought the ASF is a serious enough institution that can ensure to deliver binaries of these very popular end user oriented software and can of course protect the very valuable brand OpenOffice that the ASF now owns as well.

The satisfaction of developers (at least my personal) is the fact that I work on a piece of software used by millions of users worldwide and these users require a binary version. And one of a trusted source and that is allowed to name it OpenOffice.

I thought also that the ASF could leverage the brand in a way to generate more donations for the ASF and benefit even more from the overall success of the project. I know people who didn't know Apache before but do now because of OpenOffice. Maybe worth thinking about!

But I get once more the impression that I am probably wrong. If the day should come that I will leave this project it will have nothing to do with the project itself.

Juergen

> On the other hand if there is a binary release from the AOO project then I believe it should be treated as a fully endorsed action.
>
> One guy's opinion.
>
> Thanks
>
> Drew Jensen
> AOO PPMC member
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt jogischm...@gmail.com wrote:
> ...As one of the active developers I would have a serious problem if we as project couldn't provide binary releases for our users. And I thought the ASF is a serious enough institution that can ensure to deliver binaries of these very popular end user oriented software and can of course protect the very valuable brand OpenOffice that the ASF now owns as well...

As has been repeatedly mentioned in this thread and elsewhere, at the moment ASF releases consist of source code, not binaries.

OTOH I don't think anybody said the ASF will never allow projects to distribute binaries - but people who want to do that need to get together (*) and come up with a proposal that's compatible with the ASF's goals and constraints, so that a clear policy can be set.

A related discussion is ongoing on infra-dev [1] about signing artifacts, where we also have suggested that people get together and express their requirements in a constructive way instead of complaining.

-Bertrand

(*) Earlier in this thread, I have suggested using legal-discuss + LEGAL jira issues to manage this cross-project discussion. The pmcs@ alias + this list can be used to invite all projects and podlings to join such a discussion.

[1] http://s.apache.org/signing_reqs
Re: [VOTE] Apache OpenOffice Community Graduation Vote
I would like to offer a very loud +1 to Bertrand's email.

Here we are on a community graduation vote thread. This sub-discussion would seem to lead to one of three outcomes:

1) No place new. AOO proceeds out of the incubator operating under the current regime, and those AOO community members who are already engaged in discussions with infra and others about the preconditions for formal binary releases continue -- taking Bertrand's suggestion.

2) The community votes to stay in the incubator until a binary release plan exists. I can't see why this has any attraction for the community.

3) The community, or a subset thereof, takes their marbles and sets up shop in some other environment where binary releases are well-established.

Before people start throwing things at me, I want to emphasize that (3) is offered only for completeness.

If (1) is the order of the day, and an IPMC vote comes around soon, I'll be voting in favor of graduation.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir robw...@apache.org wrote:
> Per the IPMC's Guide to Successful Graduation [1] this is the optional, but recommended, community vote for us to express our willingness/readiness to govern ourselves. If this vote passes then we continue by drafting a charter, submitting it for IPMC endorsement, and then to the ASF Board for final approval. Details can be found in the Guide to Successful Graduation.
>
> Everyone in the community is encouraged to vote. Votes from PPMC members and Mentors are binding. This vote will run 72 hours.
>
> [ ] +1 Apache OpenOffice community is ready to graduate from the Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1 Apache OpenOffice community is not ready to graduate from the Apache Incubator because...

In my opinion, the issue of binary releases ought to be resolved before graduation. If the podling believes that ASF-endorsed binaries are a hard requirement, then it seems to me that the ASF is not yet ready for AOO and will not be until suitable infrastructure and legal institutions to support binary releases (sterile build machines, artifact signing, etc) have been created and a policy has been endorsed by the Board.

One possibility discussed in the past was to have downstream commercial vendors release binaries a la Subversion's example, which would obviate the need for all the effort and risk associated with providing support for ASF-endorsed binaries. For whatever reason, the AOO podling seems not to have gone this direction, though.

Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 20, 2012 at 4:32 PM, Marvin Humphrey mar...@rectangular.com wrote:
> On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir robw...@apache.org wrote:
>> Per the IPMC's Guide to Successful Graduation [1] this is the optional, but recommended, community vote for us to express our willingness/readiness to govern ourselves. If this vote passes then we continue by drafting a charter, submitting it for IPMC endorsement, and then to the ASF Board for final approval. Details can be found in the Guide to Successful Graduation.
>>
>> Everyone in the community is encouraged to vote. Votes from PPMC members and Mentors are binding. This vote will run 72 hours.
>>
>> [ ] +1 Apache OpenOffice community is ready to graduate from the Apache Incubator.
>> [ ] +0 Don't care.
>> [ ] -1 Apache OpenOffice community is not ready to graduate from the Apache Incubator because...
>
> In my opinion, the issue of binary releases ought to be resolved before graduation. If the podling believes that ASF-endorsed binaries are a hard requirement, then it seems to me that the ASF is not yet ready for AOO and will not be until suitable infrastructure and legal institutions to support binary releases (sterile build machines, artifact signing, etc) have been created and a policy has been endorsed by the Board.
>
> One possibility discussed in the past was to have downstream commercial vendors release binaries a la Subversion's example, which would obviate the need for all the effort and risk associated with providing support for ASF-endorsed binaries. For whatever reason, the AOO podling seems not to have gone this direction, though.

Let's look at the TLPs that the IPMC has recommended, and the ASF Board has approved in recent months. Notice that a fair number of them release source and binaries, as does the OpenOffice podling:

Apache Lucene.Net -- releases source and binaries
Apache DirectMemory -- releases source only
Apache VCL -- releases source only
Apache Hama -- releases source and binaries
Apache MRUnit -- releases source only
Apache Giraph -- releases source only
Apache ManifoldCF -- releases source and binaries

So I'm not quite sure in what way the ASF is not ready for a TLP that releases binaries, or what additional legal or procedural work needs to be done to enable this. As far as I can tell ASF projects release binaries today.

I agree, sterile buildbots and code signing are good things to have, and we are working with Infra on this today, and would continue to pursue these avenues as a TLP.

In any case, shouldn't the question be whether the podling is ready for the ASF rather than whether the ASF is ready for the podling? ;-)

-Rob

> Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, 2012-08-20 at 13:32 -0700, Marvin Humphrey wrote:
> On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir robw...@apache.org wrote:
>> Per the IPMC's Guide to Successful Graduation [1] this is the optional, but recommended, community vote for us to express our willingness/readiness to govern ourselves. If this vote passes then we continue by drafting a charter, submitting it for IPMC endorsement, and then to the ASF Board for final approval. Details can be found in the Guide to Successful Graduation.
>>
>> Everyone in the community is encouraged to vote. Votes from PPMC members and Mentors are binding. This vote will run 72 hours.
>>
>> [ ] +1 Apache OpenOffice community is ready to graduate from the Apache Incubator.
>> [ ] +0 Don't care.
>> [ ] -1 Apache OpenOffice community is not ready to graduate from the Apache Incubator because...
>
> In my opinion, the issue of binary releases ought to be resolved before graduation. If the podling believes that ASF-endorsed binaries are a hard requirement, then it seems to me that the ASF is not yet ready for AOO and will not be until suitable infrastructure and legal institutions to support binary releases (sterile build machines, artifact signing, etc) have been created and a policy has been endorsed by the Board.
>
> One possibility discussed in the past was to have downstream commercial vendors release binaries a la Subversion's example, which would obviate the need for all the effort and risk associated with providing support for ASF-endorsed binaries. For whatever reason, the AOO podling seems not to have gone this direction, though.
>
> Marvin Humphrey

Hi Marvin,

Well, for myself, I don't have a problem with the AOO project not having official binary releases - in such a circumstance I would strongly prefer no binary release at all.

On the other hand if there is a binary release from the AOO project then I believe it should be treated as a fully endorsed action.

One guy's opinion.

Thanks

Drew Jensen
AOO PPMC member
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 20, 2012 at 5:04 PM, Rob Weir robw...@apache.org wrote:
> On Mon, Aug 20, 2012 at 4:32 PM, Marvin Humphrey mar...@rectangular.com wrote:
>> On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir robw...@apache.org wrote:
>>> Per the IPMC's Guide to Successful Graduation [1] this is the optional, but recommended, community vote for us to express our willingness/readiness to govern ourselves. If this vote passes then we continue by drafting a charter, submitting it for IPMC endorsement, and then to the ASF Board for final approval. Details can be found in the Guide to Successful Graduation.
>>>
>>> Everyone in the community is encouraged to vote. Votes from PPMC members and Mentors are binding. This vote will run 72 hours.
>>>
>>> [ ] +1 Apache OpenOffice community is ready to graduate from the Apache Incubator.
>>> [ ] +0 Don't care.
>>> [ ] -1 Apache OpenOffice community is not ready to graduate from the Apache Incubator because...
>>
>> In my opinion, the issue of binary releases ought to be resolved before graduation. If the podling believes that ASF-endorsed binaries are a hard requirement, then it seems to me that the ASF is not yet ready for AOO and will not be until suitable infrastructure and legal institutions to support binary releases (sterile build machines, artifact signing, etc) have been created and a policy has been endorsed by the Board.
>>
>> One possibility discussed in the past was to have downstream commercial vendors release binaries a la Subversion's example, which would obviate the need for all the effort and risk associated with providing support for ASF-endorsed binaries. For whatever reason, the AOO podling seems not to have gone this direction, though.
>
> Let's look at the TLPs that the IPMC has recommended, and the ASF Board has approved in recent months. Notice that a fair number of them release source and binaries, as does the OpenOffice podling:

Some further documentation of IPMC practice in this regard:

> Apache Lucene.Net -- releases source and binaries

IPMC voted to approve release, and vote post pointed to both source and binary artifacts: http://markmail.org/message/mt3xthcqqng7ftnw

> Apache DirectMemory -- releases source only
> Apache VCL -- releases source only
> Apache Hama -- releases source and binaries

The people.a.o directory that was voted on by the IPMC is gone now. I suspect it included binaries as well. Certainly now that the podling has graduated their release candidates include binaries: http://people.apache.org/~edwardyoon/dist/0.5-RC4/

> Apache MRUnit -- releases source only
> Apache Giraph -- releases source only
> Apache ManifoldCF -- releases source and binaries

Their most recent vote was withdrawn because they graduated before the vote completed, but that IPMC vote post also pointed to both source and binary artifacts: http://markmail.org/message/op7ofi2gudwfov3z

So the recent practice of the IPMC has been to approve releases with source and binaries, but also to graduate podlings that do so.

Regards,

-Rob

> So I'm not quite sure in what way the ASF is not ready for a TLP that releases binaries, or what additional legal or procedural work needs to be done to enable this. As far as I can tell ASF projects release binaries today.
>
> I agree, sterile buildbots and code signing are good things to have, and we are working with Infra on this today, and would continue to pursue these avenues as a TLP.
>
> In any case, shouldn't the question be whether the podling is ready for the ASF rather than whether the ASF is ready for the podling? ;-)
>
> -Rob
>
>> Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 20, 2012 at 3:03 PM, drew d...@baseanswers.com wrote:
> Well, for myself, I don't have a problem with the AOO project not having official binary releases - in such a circumstance I would strongly prefer no binary release at all.

I wonder who might step into the breach to provide binaries for such a package...

> On the other hand if there is a binary release from the AOO project then I believe it should be treated as a fully endorsed action.

At the ASF, the source release is canonical. I have never seen anyone assert that the source release is not official and endorsed by the ASF.

There has been disagreement about whether binaries should be official or not. To the best of my knowledge, every time the matter has come up, the debate has been resolved with a compromise: that while binary releases are not endorsed by the ASF, they may be provided in addition to the source release for the convenience of users.

What is different with AOO is that the compromise does not seem to satisfy an element within the PPMC and thus the matter is being forced.

It would be a lot of hard, time-consuming work for the ASF to build the institutions necessary to provide binary releases that approach the standards our source releases set. (As illustrated by e.g. the challenges of setting up the code signing service.) Not all of us are convinced that it is for the best, either.

Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Just because some other podlings have released binary artifacts does not mean AOO can base their entire release strategy on binaries. As Marvin has said: source releases are the primary release mechanism. Binaries are and should be a distant second.

I would also state that continuing to argue is symptomatic of a failure to understand and integrate with the Foundation's thoughts on the matter. Or to at least politely discuss the situation on legal-discuss.

Cheers,
-g

On Mon, Aug 20, 2012 at 7:33 PM, Rob Weir robw...@apache.org wrote:
> On Mon, Aug 20, 2012 at 5:04 PM, Rob Weir robw...@apache.org wrote:
>> On Mon, Aug 20, 2012 at 4:32 PM, Marvin Humphrey mar...@rectangular.com wrote:
>>> On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir robw...@apache.org wrote:
>>>> Per the IPMC's Guide to Successful Graduation [1] this is the optional, but recommended, community vote for us to express our willingness/readiness to govern ourselves. If this vote passes then we continue by drafting a charter, submitting it for IPMC endorsement, and then to the ASF Board for final approval. Details can be found in the Guide to Successful Graduation.
>>>>
>>>> Everyone in the community is encouraged to vote. Votes from PPMC members and Mentors are binding. This vote will run 72 hours.
>>>>
>>>> [ ] +1 Apache OpenOffice community is ready to graduate from the Apache Incubator.
>>>> [ ] +0 Don't care.
>>>> [ ] -1 Apache OpenOffice community is not ready to graduate from the Apache Incubator because...
>>>
>>> In my opinion, the issue of binary releases ought to be resolved before graduation. If the podling believes that ASF-endorsed binaries are a hard requirement, then it seems to me that the ASF is not yet ready for AOO and will not be until suitable infrastructure and legal institutions to support binary releases (sterile build machines, artifact signing, etc) have been created and a policy has been endorsed by the Board.
>>>
>>> One possibility discussed in the past was to have downstream commercial vendors release binaries a la Subversion's example, which would obviate the need for all the effort and risk associated with providing support for ASF-endorsed binaries. For whatever reason, the AOO podling seems not to have gone this direction, though.
>>
>> Let's look at the TLPs that the IPMC has recommended, and the ASF Board has approved in recent months. Notice that a fair number of them release source and binaries, as does the OpenOffice podling:
>
> Some further documentation of IPMC practice in this regard:
>
>> Apache Lucene.Net -- releases source and binaries
>
> IPMC voted to approve release, and vote post pointed to both source and binary artifacts: http://markmail.org/message/mt3xthcqqng7ftnw
>
>> Apache DirectMemory -- releases source only
>> Apache VCL -- releases source only
>> Apache Hama -- releases source and binaries
>
> The people.a.o directory that was voted on by the IPMC is gone now. I suspect it included binaries as well. Certainly now that the podling has graduated their release candidates include binaries: http://people.apache.org/~edwardyoon/dist/0.5-RC4/
>
>> Apache MRUnit -- releases source only
>> Apache Giraph -- releases source only
>> Apache ManifoldCF -- releases source and binaries
>
> Their most recent vote was withdrawn because they graduated before the vote completed, but that IPMC vote post also pointed to both source and binary artifacts: http://markmail.org/message/op7ofi2gudwfov3z
>
> So the recent practice of the IPMC has been to approve releases with source and binaries, but also to graduate podlings that do so.
>
> Regards,
>
> -Rob
>
>> So I'm not quite sure in what way the ASF is not ready for a TLP that releases binaries, or what additional legal or procedural work needs to be done to enable this. As far as I can tell ASF projects release binaries today.
>>
>> I agree, sterile buildbots and code signing are good things to have, and we are working with Infra on this today, and would continue to pursue these avenues as a TLP.
>>
>> In any case, shouldn't the question be whether the podling is ready for the ASF rather than whether the ASF is ready for the podling? ;-)
>>
>> -Rob
>>
>>> Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 20, 2012 at 8:01 PM, Marvin Humphrey mar...@rectangular.com wrote:
> On Mon, Aug 20, 2012 at 3:03 PM, drew d...@baseanswers.com wrote:
>> Well, for myself, I don't have a problem with the AOO project not having official binary releases - in such a circumstance I would strongly prefer no binary release at all.
>
> I wonder who might step into the breach to provide binaries for such a package...
>
>> On the other hand if there is a binary release from the AOO project then I believe it should be treated as a fully endorsed action.
>
> At the ASF, the source release is canonical. I have never seen anyone assert that the source release is not official and endorsed by the ASF.

What would you suggest is the concrete distinction between an official binary and an 'unofficial' binary? I'd assert all binaries that I've seen a project release have these qualities:

1) Have LICENSE and NOTICE
2) Are built from the canonical source
3) Can use other 3rd party components per policy
4) Are voted on by the PMCs
5) Have hashes and detached digital signatures
6) Are distributed via the Apache mirrors
7) Are linked to on websites and announcements
8) Are used by and appreciated by users
9) Are for the public good

Which of these would you say are not qualities of an unofficial binary? Or would you suggest another?

Unless ASF or IPMC policy defines a distinction here, I think we're just arguing about what color the bike shed is for angels dancing on the head of a pin. It is a distinction without a difference, or at least not one that has been stated.

-Rob

> There has been disagreement about whether binaries should be official or not. To the best of my knowledge, every time the matter has come up, the debate has been resolved with a compromise: that while binary releases are not endorsed by the ASF, they may be provided in addition to the source release for the convenience of users.
>
> What is different with AOO is that the compromise does not seem to satisfy an element within the PPMC and thus the matter is being forced.
>
> It would be a lot of hard, time-consuming work for the ASF to build the institutions necessary to provide binary releases that approach the standards our source releases set. (As illustrated by e.g. the challenges of setting up the code signing service.) Not all of us are convinced that it is for the best, either.
>
> Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 20, 2012 at 8:11 PM, Greg Stein gst...@gmail.com wrote: Just because some other podlings have released binary artifacts does not mean AOO can base their entire release strategy on binaries. True, but we have not based our entire release strategy on binaries. If you recall we spent a great deal of time preparing the AOO 3.4.0 release, with the vast majority of the work dedicated entirely to the source code aspects of the release. There were very few feature enhancements in that initial release. Our work was highly centered on meeting ASF requirements with respect to pedigree review, license headers, treatment of 3rd party components, LICENSE and NOTICE requirements, etc. As Marvin has said: source releases are the primary release mechanism. Binaries are and should be a distant second. And that is why we put so much effort into ensuring that the source code for OpenOffice met ASF requirements. But we are also releasing binaries, as we did for Apache OpenOffice 3.4.0, and as this project has done for the past 10 years. If you look at our release artifacts, you see that the source tar balls are listed first, followed by binaries: https://cwiki.apache.org/confluence/display/OOOUSERS/Development+Snapshot+Builds Is there some specific method by which the IPMC wishes podlings to make this distinction between the canonical source release and binaries more clear? I've looked at recent podling releases approved by the IPMC and I can discern no such distinction. I would also state that continuing to argue is symptomatic of a failure to understand and integrate with the Foundation's thoughts on the matter. Or to at least politely discuss the situation on legal-discuss. I would say the lack of understanding could be in both directions, and some greater tolerance would be mutually beneficial. Remember, OpenOffice is unlike anything else previously at Apache. It is an end user product, and a very famous and well-adopted one.
This does not diminish the importance of the source code artifacts. But it does increase the importance of the binary ones. This is something the PPMC is generally happy with and matches our decade plus experience with the project and the ecosystem. Note also that although we take pride in the 12 million downloads of the binaries, we take even more pride in seeing successful reuses of the code, as we are seeing with non-Apache ports for BSD, OS/2 and Solaris, and work on other non-ASF products based on Apache OpenOffice, including portableApps and WinPenpack. We have PPMC members employed in producing products based on our source code, by three different companies. So we understand the value of the source to the overall ecosystem. But it still remains true that this is an end user application, used by millions of users, and as a project we will need (and desire) to give it the attention it deserves as well. These two work together, of course, as additional interest in the source drives more investment into the ecosystem. Regards, -Rob Cheers, -g On Mon, Aug 20, 2012 at 7:33 PM, Rob Weir robw...@apache.org wrote: On Mon, Aug 20, 2012 at 5:04 PM, Rob Weir robw...@apache.org wrote: On Mon, Aug 20, 2012 at 4:32 PM, Marvin Humphrey mar...@rectangular.com wrote: On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir robw...@apache.org wrote: Per the IPMC's Guide to Successful Graduation [1] this is the optional, but recommended, community vote for us to express our willingness/readiness to govern ourselves. If this vote passes then we continue by drafting a charter, submitting it for IPMC endorsement, and then to the ASF Board for final approval. Details can be found in the Guide to Successful Graduation. Everyone in the community is encouraged to vote. Votes from PPMC members and Mentors are binding. This vote will run 72-hours. [ ] +1 Apache OpenOffice community is ready to graduate from the Apache Incubator. [ ] +0 Don't care. 
[ ] -1 Apache OpenOffice community is not ready to graduate from the Apache Incubator because... In my opinion, the issue of binary releases ought to be resolved before graduation. If the podling believes that ASF-endorsed binaries are a hard requirement, then it seems to me that the ASF is not yet ready for AOO and will not be until suitable infrastructure and legal institutions to support binary releases (sterile build machines, artifact signing, etc) have been created and a policy has been endorsed by the Board. One possibility discussed in the past was to have downstream commercial vendors release binaries a la Subversion's example, which would obviate the need for all the effort and risk associated with providing support for ASF-endorsed binaries. For whatever reason, the AOO podling seems not to have gone this direction, though. Let's look at the TLPs that the IPMC has recommended, and the ASF Board has approved in recent months. Notice that a fair number of them
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, 2012-08-20 at 17:01 -0700, Marvin Humphrey wrote: On Mon, Aug 20, 2012 at 3:03 PM, drew d...@baseanswers.com wrote: Well, for myself, I don't have a problem with the AOO project not having official binary releases - in such a circumstance I would strongly prefer no binary release at all. I wonder who might step into the breach to provide binaries for such a package... Hi, Well, for a start: IBM stated it will release a free binary version at some point, after shutting down the Symphony product. CS2C, a Chinese firm working in cooperation with Ernest and Young IIRC, releases a binary based on the source code - in fact I'm not even sure AOO supplied binaries are available to most folks in China. Multiracio releases a closed source version of the application for sale in Europe and the US. In the past quite a few Linux distributors included binary releases in their offerings, they consume source not binaries. The current BSD, OS/2 and Solaris ports will go out as source only from AOO, but come to end users from a third party repository, unless I totally missed what was happening there (and I might be off ;) There are currently two groups which offer binary versions packaged to run off USB drives, as far as I understand it, they work from source and don't require binaries. Finally this is a well known brand now, it would be hard to believe that if AOO did not release binaries the void would not be filled by others. //drew ps - sorry if this double posts... On the other hand if there is a binary release from the AOO project then I believe it should be treated as a fully endorsed action. At the ASF, the source release is canonical. I have never seen anyone assert that the source release is not official and endorsed by the ASF. There has been disagreement about whether binaries should be official or not. 
To the best of my knowledge, every time the matter has come up, the debate has been resolved with a compromise: that while binary releases are not endorsed by the ASF, they may be provided in addition to the source release for the convenience of users. What is different with AOO is that the compromise does not seem to satisfy an element within the PPMC and thus the matter is being forced. It would be a lot of hard, time-consuming work for the ASF to build the institutions necessary to provide binary releases that approach the standards our source releases set. (As illustrated by e.g. the challenges of setting up the code signing service.) Not all of us are convinced that it is for the best, either. Marvin Humphrey
RE: [VOTE] Apache OpenOffice Community Graduation Vote
I do not dispute the existence of other reliable creators of binary distributions. The *nix packagings and installation in consumer desktops are notable for the value that they provide. I think that experience teaches us that there absolutely needs to be a way to obtain and install *authentic* binary distributions made using the release sources with a proper set of options for a given platform. It is near impossible to provide end-user support and bug confirmation without agreement on the authentic bindist that is being used and that it is a bindist made from known sources. And there are enough fraudulent distributions out there that this is critical as a way to safeguard users. For that reason alone, there needs to be an authenticated bindist, especially for Windows, the 80% that garners the focused attention of miscreants and opportunists. That is also the reason for wanting signed binaries that pass verification on Windows and OS X. There needs to be a way for everyday users to receive every assurance that they are installing an authentic bindist and that it is verifiable who the origin is. I suspect that reliable packagers of unique distributions (including any from IBM) will provide their own verifiable authenticity. - Dennis -Original Message- From: drew [mailto:d...@baseanswers.com] Sent: Monday, August 20, 2012 18:00 To: general@incubator.apache.org Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote On Mon, 2012-08-20 at 17:01 -0700, Marvin Humphrey wrote: On Mon, Aug 20, 2012 at 3:03 PM, drew d...@baseanswers.com wrote: Well, for myself, I don't have a problem with the AOO project not having official binary releases - in such a circumstance I would strongly prefer no binary release at all. I wonder who might step into the breach to provide binaries for such a package... Hi, Well, for a start: IBM stated it will release a free binary version at some point, after shutting down the Symphony product. 
CS2C, a Chinese firm working in cooperation with Ernest and Young IIRC, releases a binary based on the source code - in fact I'm not even sure AOO supplied binaries are available to most folks in China. Multiracio releases a closed source version of the application for sale in Europe and the US. In the past quite a few Linux distributors included binary releases in their offerings, they consume source not binaries. The current BSD, OS/2 and Solaris ports will go out as source only from AOO, but come to end users from a third party repository, unless I totally missed what was happening there (and I might be off ;) There are currently two groups which offer binary versions packaged to run off USB drives, as far as I understand it, they work from source and don't require binaries. Finally this is a well known brand now, it would be hard to believe that if AOO did not release binaries the void would not be filled by others. //drew ps - sorry if this double posts... On the other hand if there is a binary release from the AOO project then I believe it should be treated as a fully endorsed action. At the ASF, the source release is canonical. I have never seen anyone assert that the source release is not official and endorsed by the ASF. There has been disagreement about whether binaries should be official or not. To the best of my knowledge, every time the matter has come up, the debate has been resolved with a compromise: that while binary releases are not endorsed by the ASF, they may be provided in addition to the source release for the convenience of users. What is different with AOO is that the compromise does not seem to satisfy an element within the PPMC and thus the matter is being forced. It would be a lot of hard, time-consuming work for the ASF to build the institutions necessary to provide binary releases that approach the standards our source releases set. (As illustrated by e.g. the challenges of setting up the code signing service.) 
Not all of us are convinced that it is for the best, either. Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 20, 2012 at 8:59 PM, drew d...@baseanswers.com wrote: On Mon, 2012-08-20 at 17:01 -0700, Marvin Humphrey wrote: On Mon, Aug 20, 2012 at 3:03 PM, drew d...@baseanswers.com wrote: Well, for myself, I don't have a problem with the AOO project not having official binary releases - in such a circumstance I would strongly prefer no binary release at all. I wonder who might step into the breach to provide binaries for such a package... Hi, Well, for a start: IBM stated it will release a free binary version at some point, after shutting down the Symphony product. This is incorrect. Wearing my IBM hat I can say that our plan is not to ship our own binary version at all, but to ship the Apache version bundled with some proprietary extension modules that would help our customers work with our server stack. I don't think we've ever said otherwise. CS2C, a Chinese firm working in cooperation with Ernest and Young IIRC, releases a binary based on the source code - in fact I'm not even sure AOO supplied binaries are available to most folks in China. Multiracio releases a closed source version of the application for sale in Europe and the US. In the past quite a few Linux distributors included binary releases in their offerings, they consume source not binaries. The current BSD, OS/2 and Solaris ports will go out as source only from AOO, but come to end users from a third party repository, unless I totally missed what was happening there (and I might be off ;) There are currently two groups which offer binary versions packaged to run off USB drives, as far as I understand it, they work from source and don't require binaries. My understanding is the portable versions work from the binaries, not the source. They rebuild the install portions only. This is similar to a variety of distributions (not ports) in the ecosystem. There is a lot you can do by taking the OpenOffice binaries and rebuilding the install set with different extensions, templates, etc. 
This is far easier than rebuilding from source. Finally this is a well known brand now, it would be hard to believe that if AOO did not release binaries the void would not be filled by others. Indeed. Also, if we didn't release source either then someone else would fill the void, probably Microsoft. -Rob //drew ps - sorry if this double posts... On the other hand if there is a binary release from the AOO project then I believe it should be treated as a fully endorsed action. At the ASF, the source release is canonical. I have never seen anyone assert that the source release is not official and endorsed by the ASF. There has been disagreement about whether binaries should be official or not. To the best of my knowledge, every time the matter has come up, the debate has been resolved with a compromise: that while binary releases are not endorsed by the ASF, they may be provided in addition to the source release for the convenience of users. What is different with AOO is that the compromise does not seem to satisfy an element within the PPMC and thus the matter is being forced. It would be a lot of hard, time-consuming work for the ASF to build the institutions necessary to provide binary releases that approach the standards our source releases set. (As illustrated by e.g. the challenges of setting up the code signing service.) Not all of us are convinced that it is for the best, either. Marvin Humphrey
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Aug 20, 2012 8:33 PM, Rob Weir robw...@apache.org wrote: On Mon, Aug 20, 2012 at 8:11 PM, Greg Stein gst...@gmail.com wrote: ... I would also state that continuing to argue is symptomatic of a failure to understand and integrate with the Foundation's thoughts on the matter. Or to at least politely discuss the situation on legal-discuss. I would say the lack of understanding could be in both directions, and some greater tolerance would be mutually beneficial. I *am* being tolerant (you should see my intolerant emails). And what makes you believe that I don't understand? I get to offer my thoughts, and you do not get to say that I have a lack of understanding simply because you disagree. Remember, OpenOffice is unlike anything else previously at Apache. Duh. Don't be so patronizing. Again: I suggest the discussion about making authorized/authenticated binaries be moved to legal-discuss. Not here. Infrastructure may need to provide some input, too. I might also point you to Sam's recommendation to avoid over-posting to a thread as a way to dominate / get your way. How many emails are you up to so far? -g
RE: [VOTE] Apache OpenOffice Community Graduation Vote
I'm sorry, I'm playing catch-up and I'm a bit unclear on the argument - Marvin said: If the podling believes that ASF-endorsed binaries are a hard requirement, then it seems to me that the ASF is not yet ready for AOO and will not be until suitable infrastructure and legal institutions to support binary releases (sterile build machines, artifact signing, etc) have been created and a policy has been endorsed by the Board. Is AOO not able to determine that for them a binary is a hard requirement for their releases (along with source code)? I would think that ASF puts a minimum requirement on what an official release is, not a limit. Why is there a requirement for special infrastructure? (perhaps that is due to the size of AOO?) Speaking just from the Lucene.Net perspective, I would consider our binaries (and nuget packages) as official - even if ASF does not specifically allow for official releases or officially endorsed binaries - what else would they be? They were built and put up by the same guys releasing the source code. I apologize if I misunderstood or mischaracterized anything ~P Date: Mon, 20 Aug 2012 22:33:43 -0400 Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote From: gst...@gmail.com To: general@incubator.apache.org On Aug 20, 2012 8:33 PM, Rob Weir robw...@apache.org wrote: On Mon, Aug 20, 2012 at 8:11 PM, Greg Stein gst...@gmail.com wrote: ... I would also state that continuing to argue is symptomatic of a failure to understand and integrate with the Foundation's thoughts on the matter. Or to at least politely discuss the situation on legal-discuss. I would say the lack of understanding could be in both directions, and some greater tolerance would be mutually beneficial. I *am* being tolerant (you should see my intolerant emails). And what makes you believe that I don't understand? I get to offer my thoughts, and you do not get to say that I have a lack of understanding simply because you disagree. 
Remember, OpenOffice is unlike anything else previously at Apache. Duh. Don't be so patronizing. Again: I suggest the discussion about making authorized/authenticated binaries be moved to legal-discuss. Not here. Infrastructure may need to provide some input, too. I might also point you to Sam's recommendation to avoid over-posting to a thread as a way to dominate / get your way. How many emails are you up to so far? -g
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 20, 2012 at 10:33 PM, Greg Stein gst...@gmail.com wrote: On Aug 20, 2012 8:33 PM, Rob Weir robw...@apache.org wrote: On Mon, Aug 20, 2012 at 8:11 PM, Greg Stein gst...@gmail.com wrote: ... I would also state that continuing to argue is symptomatic of a failure to understand and integrate with the Foundation's thoughts on the matter. Or to at least politely discuss the situation on legal-discuss. I would say the lack of understanding could be in both directions, and some greater tolerance would be mutually beneficial. I *am* being tolerant (you should see my intolerant emails). And what makes you believe that I don't understand? I get to offer my thoughts, and you do not get to say that I have a lack of understanding simply because you disagree. Remember, OpenOffice is unlike anything else previously at Apache. Duh. Don't be so patronizing. Greg, I am certain that you are well-informed of the details about OpenOffice and its history. But for the benefit of IPMC members and observers who may have followed this less closely I thought that a brief summary would be welcome. I apologize if you thought it was unnecessary. Again: I suggest the discussion about making authorized/authenticated binaries be moved to legal-discuss. Not here. Infrastructure may need to provide some input, too. Do you have a specific question we should be asking legal affairs and/or infrastructure? We have already had extensive discussions on legal-discuss, including discussions about specific dependencies that are only included in binary form in our binary artifacts, per ASF policy. These discussions were in the context of releases that included source and binaries. I don't recall hearing any concerns raised in principle about releasing binaries along with source. The guidance from Legal Affairs was focused more on the permissible dependencies and required form for LICENSE and NOTICE and copyright statement in the binaries. 
But if you have a specific license-related question we should resolve with them, please let me know what it is. I'd be more than happy to check with them. As for Infrastructure, we've also had extensive discussions with them on the specific topic of distributing the binaries. There was an initial sizing, a poll of the mirror operators and a determination that the storage and bandwidth would be too great for many of the mirror operators. So a separate list of mirror operators was created who could handle our dist, and this subset rsyncs with the OpenOffice dist. Also, SourceForge volunteered to provide us access to their distribution network. This was approved by VP, Infrastructure. As of our AOO 3.4.0 release the majority of the downloads for the binaries do not involve Apache Infra at all, but go through SourceForge. But the source downloads, as well as the downloads of the hashes and detached signatures, do go through the normal ASF mirror network. Again, I'm not aware of an open question we have for Infra related to the proposed AOO 3.4.1 podling release. If they had an issue I know they would not be shy about raising it with us. But if you have something specific that you think we should ask them, please let me know. I would be delighted to check with them. I might also point you to Sam's recommendation to avoid over-posting to a thread as a way to dominate / get your way. How many emails are you up to so far? I'm trying to determine what your substantive issues are and to resolve them to your satisfaction. If you want to hear less of me, then please get to the point and say what your concerns are and what exactly would resolve it. Regards, -Rob -g
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 20, 2012 at 10:55 PM, Prescott Nasser geobmx...@hotmail.com wrote: I'm sorry, I'm playing catch-up and I'm a bit unclear on the argument - Marvin said: If the podling believes that ASF-endorsed binaries are a hard requirement, then it seems to me that the ASF is not yet ready for AOO and will not be until suitable infrastructure and legal institutions to support binary releases (sterile build machines, artifact signing, etc) have been created and a policy has been endorsed by the Board. Is AOO not able to determine that for them a binary is a hard requirement for their releases (along with source code)? I would think that ASF puts a minimum requirement on what an official release is, not a limit. Why is there a requirement for special infrastructure? (perhaps that is due to the size of AOO?) Speaking just from the Lucene.Net perspective, I would consider our binaries (and nuget packages) as official - even if ASF does not specifically allow for official releases or officially endorsed binaries - what else would they be? They were built and put up by the same guys releasing the source code. The simplest response is that source releases can be audited by (P)PMC members. Binary releases cannot. If they cannot be audited, then how can the ASF stand behind those releases? How can they state that the releases are free of viruses/trojans/etc, and that the binary precisely matches the compiled/built output of the audited source release? That is the first and hardest issue about having the ASF provide authenticated binaries. Cheers, -g
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 20, 2012 at 10:58 PM, Rob Weir robw...@apache.org wrote: On Mon, Aug 20, 2012 at 10:33 PM, Greg Stein gst...@gmail.com wrote: On Aug 20, 2012 8:33 PM, Rob Weir robw...@apache.org wrote: On Mon, Aug 20, 2012 at 8:11 PM, Greg Stein gst...@gmail.com wrote: ... I would also state that continuing to argue is symptomatic of a failure to understand and integrate with the Foundation's thoughts on the matter. Or to at least politely discuss the situation on legal-discuss. I would say the lack of understanding could be in both directions, and some greater tolerance would be mutually beneficial. I *am* being tolerant (you should see my intolerant emails). And what makes you believe that I don't understand? I get to offer my thoughts, and you do not get to say that I have a lack of understanding simply because you disagree. Remember, OpenOffice is unlike anything else previously at Apache. Duh. Don't be so patronizing. Greg, I am certain that you are well-informed of the details about OpenOffice and its history. But for the benefit of IPMC members and observers who may have followed this less closely I thought that a brief summary would be welcome. I apologize if you thought it was unnecessary. Again: I suggest the discussion about making authorized/authenticated binaries be moved to legal-discuss. Not here. Infrastructure may need to provide some input, too. Do you have a specific question we should be asking legal affairs and/or infrastructure? We have already had extensive discussions on legal-discuss, including discussions about specific dependencies that are only included in binary form in our binary artifacts, per ASF policy. These discussions were in the context of releases that included source and binaries. I don't recall hearing any concerns raised in principle about releasing binaries along with source. 
The guidance from Legal Affairs was focused more on the permissible dependencies and required form for LICENSE and NOTICE and copyright statement in the binaries. But if you have a specific license-related question we should resolve with them, please let me know what it is. I'd be more than happy to check with them. As for Infrastructure, we've also had extensive discussions with them on the specific topic of distributing the binaries. There was an initial sizing, a poll of the mirror operators and a determination that the storage and bandwidth would be too great for many of the mirror operators. So a separate list of mirror operators was created who could handle our dist, and this subset rsyncs with the OpenOffice dist. Also, SourceForge volunteered to provide us access to their distribution network. This was approved by VP, Infrastructure. As of A slight correction. We collaborated with SourceForge on two projects: hosting the extensions and templates websites as well as mirroring the distributions. The records show that Sam OK'ed handing over the templates and extensions to SourceForge [1], but for the mirroring the go-ahead we received was from Joe. [1] http://markmail.org/message/oveyethdmsxnykfj [2] http://markmail.org/message/ioxowodlwsqoba5i our AOO 3.4.0 release the majority of the downloads for the binaries does not involve Apache Infra at all, but goes through SourceForge. But the source downloads, as well as the downloads of the hashes and detached signatures does go through the normal ASF mirror network. Again, I'm not aware of an open question we have for Infra related to the proposed AOO 3.4.1 podling release. If they had an issue I know they would not be shy about raising it with us. But if you have something specific that you think we should ask them, please let me know. I would be delighted to check with them. I might also point you to Sam's recommendation to avoid over-posting to a thread as a way to dominate / get your way. 
How many emails are you up to so far? I'm trying to determine what your substantive issues are and to resolve them to your satisfaction. If you want to hear less of me, then please get to the point and say what your concerns are and what exactly would resolve it. Regards, -Rob -g
RE: [VOTE] Apache OpenOffice Community Graduation Vote
Simple enough - thanks. Date: Mon, 20 Aug 2012 23:05:00 -0400 Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote From: gst...@gmail.com To: general@incubator.apache.org On Mon, Aug 20, 2012 at 10:55 PM, Prescott Nasser geobmx...@hotmail.com wrote: I'm sorry, I'm playing catch-up and I'm a bit unclear on the argument - Marvin said: If the podling believes that ASF-endorsed binaries are a hard requirement, then it seems to me that the ASF is not yet ready for AOO and will not be until suitable infrastructure and legal institutions to support binary releases (sterile build machines, artifact signing, etc) have been created and a policy has been endorsed by the Board. Is AOO not able to determine that for them a binary is a hard requirement for their releases (along with source code)? I would think that ASF puts a minimum requirement on what an official release is, not a limit. Why is there a requirement for special infrastructure? (perhaps that is due to the size of AOO?) Speaking just from the Lucene.Net perspective, I would consider our binaries (and nuget packages) as official - even if ASF does not specifically allow for official releases or officially endorsed binaries - what else would they be? They were built and put up by the same guys releasing the source code. The simplest response is that source releases can be audited by (P)PMC members. Binary releases cannot. If they cannot be audited, then how can the ASF stand behind those releases? How can they state that the releases are free of viruses/trojans/etc, and that the binary precisely matches the compiled/built output of the audited source release? That is the first and hardest issue about having the ASF provide authenticated binaries. Cheers, -g
RE: [VOTE] Apache OpenOffice Community Graduation Vote
Actually one more question - so we can release binaries, but we can't call them official? Do we have wording for this? Official source code release with accompanying binaries for convenience or some such? From: geobmx...@hotmail.com To: general@incubator.apache.org Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote Date: Mon, 20 Aug 2012 20:11:23 -0700 Simple enough - thanks. Date: Mon, 20 Aug 2012 23:05:00 -0400 Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote From: gst...@gmail.com To: general@incubator.apache.org On Mon, Aug 20, 2012 at 10:55 PM, Prescott Nasser geobmx...@hotmail.com wrote: I'm sorry, I'm playing catch-up and I'm a bit unclear on the argument - Marvin said: If the podling believes that ASF-endorsed binaries are a hard requirement, then it seems to me that the ASF is not yet ready for AOO and will not be until suitable infrastructure and legal institutions to support binary releases (sterile build machines, artifact signing, etc) have been created and a policy has been endorsed by the Board. Is AOO not able to determine that for them a binary is a hard requirement for their releases (along with source code)? I would think that ASF puts a minimum requirement on what an official release is, not a limit. Why is there a requirement for special infrastructure? (perhaps that is due to the size of AOO?) Speaking just from the Lucene.Net perspective, I would consider our binaries (and nuget packages) as official - even if ASF does not specifically allow for official releases or officially endorsed binaries - what else would they be? They were built and put up by the same guys releasing the source code. The simplest response is that source releases can be audited by (P)PMC members. Binary releases cannot. If they cannot be audited, then how can the ASF stand behind those releases? 
How can they state that the releases are free of viruses/trojans/etc, and that the binary precisely matches the compiled/built output of the audited source release? That is the first and hardest issue about having the ASF provide authenticated binaries. Cheers, -g
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 20, 2012 at 11:05 PM, Greg Stein gst...@gmail.com wrote:
> On Mon, Aug 20, 2012 at 10:55 PM, Prescott Nasser geobmx...@hotmail.com wrote:
>> I'm sorry, I'm playing catch-up and I'm a bit unclear on the argument - Marvin said:
>>
>> If the podling believes that ASF-endorsed binaries are a hard requirement, then it seems to me that the ASF is not yet ready for AOO and will not be until suitable infrastructure and legal institutions to support binary releases (sterile build machines, artifact signing, etc) have been created and a policy has been endorsed by the Board.
>>
>> Is AOO not able to determine that for them a binary is a hard requirement for their releases (along with source code)? I would think that ASF puts a minimum requirement on what an official release is, not a limit. Why is there a requirement for special infrastructure? (perhaps that is due to the size of AOO?)
>>
>> Speaking just from the Lucene.Net perspective, I would consider our binaries (and nuget packages) as official - even if ASF does not specifically allow for official releases or officially endorsed binaries - what else would they be? They were built and put up by the same guys releasing the source code.
>
> The simplest response is that source releases can be audited by (P)PMC members. Binary releases cannot. If they cannot be audited, then how can the ASF stand behind those releases? How can they state that the releases are free of viruses/trojans/etc, and that the binary precisely matches the compiled/built output of the audited source release?

You ask a serious question; it deserves a serious answer. This issue faces every software distributor, not just Apache. We verify binary releases in several ways:

1) As part of the release approval process project members ensure that they can build from the source artifact.

2) I install the RC on an isolated system and check for viruses and other malware, and then wait for a few days, refresh the virus signatures, and test again before releasing, to ensure that we're not caught by a zero-day attack.

3) We would like to do code signing, as do several other projects. The discussions with Infra on how this could be accomplished are ongoing.

Of course, the same questions could be asked of each of the large number of ASF projects that release binaries today. I wonder how many of them even take the precautions of #2?

Maybe my turn for a question? How many Apache projects have released a binary in the past 10 years? And how many have released a binary containing a virus or a trojan? And how many users have downloaded Apache source and built it? And how many of those users then found that their servers were compromised due to a security flaw in the Apache source?

In theory source code can be inspected. In practice, stuff happens. Ditto for binaries.

-Rob

> That is the first and hardest issue about having the ASF provide authenticated binaries.
>
> Cheers,
> -g
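Two of the checks the thread circles around, whether a downloaded artifact matches the digest the project published, and whether two independent builds of the same source produce the same bits, can be mechanised. The following is an added example written for this page; it is not code from the thread, from the ASF or from Apache OpenOffice. It assumes the common `sha256sum` sidecar layout of `<hex digest>  <filename>` per line, and the artifact bytes, sidecar and the two "build" file trees are constructed samples embedded inline (the file names are placeholders, not real release artifacts).

```python
"""Verify a release artifact against its published digest, and compare two
independent builds of the same source tree for bit-for-bit agreement.

Added example for this thread, not project code. The artifact bytes, the
sidecar text and the two build trees below are constructed samples.
"""

import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample artifact and its digest sidecar (placeholder file name).
SAMPLE_ARTIFACT = b"example-src.tar.gz contents (constructed sample)\n"
SAMPLE_SIDECAR = (
    hashlib.sha256(SAMPLE_ARTIFACT).hexdigest() + "  example-src.tar.gz\n"
)

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def parse_sidecar(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ("<hex>  <name>") into {name: hex}.

    Lines that are not a 64-hex-digit entry are ignored rather than trusted;
    a leading '*' (binary-mode marker) on the name is stripped.
    """
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts
        if len(digest) != 64 or any(c not in HEX_DIGITS for c in digest):
            continue
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_artifact(name: str, data: bytes, sidecar_text: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one artifact.

    A missing sidecar entry is reported separately from a mismatch, so a
    release manager can tell "never published" from "tampered or corrupt".
    The digest comparison is constant-time.
    """
    expected = parse_sidecar(sidecar_text).get(name)
    if expected is None:
        return False, f"no digest for {name} in sidecar"
    actual = sha256_hex(data)
    if hmac.compare_digest(expected, actual):
        return True, "digest matches"
    return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."


def manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Digest every file of a build output tree (path -> sha256 hex)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_builds(build_a: Dict[str, bytes], build_b: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare two builds made from the same source artifact.

    Returns files present in only one build and files whose contents differ.
    All three lists empty means the build is reproducible as far as the
    artifacts go; anything else is something to explain before signing.
    """
    ma, mb = manifest(build_a), manifest(build_b)
    return {
        "only_in_a": sorted(set(ma) - set(mb)),
        "only_in_b": sorted(set(mb) - set(ma)),
        "differing": sorted(p for p in set(ma) & set(mb) if ma[p] != mb[p]),
    }


# Constructed build outputs: the second build embeds a timestamp in one file,
# which is exactly the kind of difference that defeats bit-for-bit checks.
BUILD_A = {"program/app": b"\x7fELF...", "program/versionrc": b"build=1\n"}
BUILD_B = {"program/app": b"\x7fELF...", "program/versionrc": b"build=1 2012-08-20\n"}

if __name__ == "__main__":
    print(verify_artifact("example-src.tar.gz", SAMPLE_ARTIFACT, SAMPLE_SIDECAR))
    print(verify_artifact("example-src.tar.gz", SAMPLE_ARTIFACT + b"x", SAMPLE_SIDECAR))
    print(compare_builds(BUILD_A, BUILD_B))
```

The digest check only answers "is this the file the project published", not "is the published file trustworthy"; that is what the signature on the sidecar and the independent rebuild are for, and the `compare_builds` output is the list a release manager has to be able to explain (timestamps, embedded paths, non-deterministic archivers) before a binary can be said to match the audited source.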
Re: [VOTE] Apache OpenOffice Community Graduation Vote
Officially, no Apache project has ever, ever, released a binary. Apache projects have published convenience binaries to accompany their releases, which have been, by definition, source.
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, Aug 20, 2012 at 11:30 PM, Benson Margulies bimargul...@gmail.com wrote:
> Officially, no Apache project has ever, ever, released a binary. Apache projects have published convenience binaries to accompany their releases, which have been, by definition, source.

Maybe you can help clarify this for me then. What exactly about the proposed AOO 3.4.1 ballot suggests that the AOO binaries are any different than "published convenience binaries to accompany their releases" that you believe are permitted? Or equivalently, can you point to something, say, in the Lucene.Net ballot that distinguishes their binaries as different from ours in status?

I'm honestly trying to find out what, if anything, we need to change. Or whether we're just arguing semantics rather than code and bits.

-Rob
Re: [VOTE] Apache OpenOffice Community Graduation Vote
On Mon, 2012-08-20 at 17:01 -0700, Marvin Humphrey wrote:
> On Mon, Aug 20, 2012 at 3:03 PM, drew d...@baseanswers.com wrote:
>> Well, for myself, I don't have a problem with the AOO project not having official binary releases - in such a circumstance I would strongly prefer no binary release at all.
>
> I wonder who might step into the breach to provide binaries for such a package...

Hi,

Well, for a start: IBM stated it will release a free binary version at some point, after shutting down the Symphony product.

CS2C, a Chinese firm working in cooperation with Ernest and Young IIRC, releases a binary based on the source code - in fact I'm not even sure AOO supplied binaries are available to most folks in China.

Multiracio releases a closed source version of the application for sale in Europe and the US.

In the past quite a few Linux distributors included binary releases in their offerings; they consume source, not binaries.

The current BSD, OS/2 and Solaris ports will go out as source only from AOO, but come to end users from a third party repository, unless I totally missed what was happening there (and I might be off ;)

There are currently two groups which offer binary versions packaged to run off USB drives; as far as I understand it, they work from source and don't require binaries.

Finally, this is a well known brand now; it would be hard to believe that if AOO did not release binaries the void would not be filled by others.

//drew

>> On the other hand if there is a binary release from the AOO project then I believe it should be treated as a fully endorsed action.
>
> At the ASF, the source release is canonical. I have never seen anyone assert that the source release is not official and endorsed by the ASF. There has been disagreement about whether binaries should be official or not.
>
> To the best of my knowledge, every time the matter has come up, the debate has been resolved with a compromise: that while binary releases are not endorsed by the ASF, they may be provided in addition to the source release for the convenience of users.
>
> What is different with AOO is that the compromise does not seem to satisfy an element within the PPMC and thus the matter is being forced.
>
> It would be a lot of hard, time-consuming work for the ASF to build the institutions necessary to provide binary releases that approach the standards our source releases set. (As illustrated by e.g. the challenges of setting up the code signing service.) Not all of us are convinced that it is for the best, either.
>
> Marvin Humphrey
Fwd: [VOTE] Apache OpenOffice Community Graduation Vote
-- Forwarded message --
From: Rob Weir robw...@apache.org
Date: Sun, Aug 19, 2012 at 11:52 AM
Subject: [VOTE] Apache OpenOffice Community Graduation Vote
To: ooo-...@incubator.apache.org

Per the IPMC's Guide to Successful Graduation [1] this is the optional, but recommended, community vote for us to express our willingness/readiness to govern ourselves. If this vote passes then we continue by drafting a charter, submitting it for IPMC endorsement, and then to the ASF Board for final approval. Details can be found in the Guide to Successful Graduation.

Everyone in the community is encouraged to vote. Votes from PPMC members and Mentors are binding. This vote will run 72-hours.

[ ] +1 Apache OpenOffice community is ready to graduate from the Apache Incubator.
[ ] +0 Don't care.
[ ] -1 Apache OpenOffice community is not ready to graduate from the Apache Incubator because...

Regards,

-Rob

[1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote