Issue with releases / feedback from ASF board

[Justin Mclean <jm...@apache.org>]

Hi,

The incubator report had the following feedback:
     Incubator needs to address the software distribution issues
     regarding MXNet (not reporting this month). The PPMC is
     effectively bypassing our software release policies by creating
     distribution packages that are combined with non-open-source
     platform libraries and publishing them on dist.mxnet.io, where
     they are picked up and distributed using the PyPi channel to
     all Python users. The resulting pages on PyPi mislead users
     into thinking they are installing an Apache License 2.0 package
     even though it contains software that we are not allowed to
     distribute under our license.
     https://issues.apache.org/jira/browse/LEGAL-515
     https://dist.mxnet.io/python/cu102
     https://pypi.org/project/mxnet-cu102/

I can see you have been discussing this here [1] so some progress has been made. It would be a good idea to keep the Incubator PMC in the loop on what actions the PMC is going to take to resolve this.

Thanks,
Justin

1. https://s.apache.org/5102c 

Re: Issue with releases / feedback from ASF board

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> Here are some examples using search:
> - Arrow https://arrow.apache.org/docs/python/cuda.html

"This functionality is optional and must have been enabled at build time. “

So you as a user needs to recompile the code, checking their downloads page this also seems to be the case and there’s no distribution of CUDA code.

The others links you provided look similar, but I’m not involved in those projects and it would be best if you asked them. If you think they are distributing CUDA code then bring it up with that project, legal or the board.

Thanks,
Justin


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Tianqi Chen <tq...@cs.washington.edu>]

>
> I’m not aware of any other project that uses CUDU code.
>

I want to point out that most machine learning and analytics related
projects will likely need to involve (and likely distribute) CUDA code,
this would include some of the current TLPs.

Here are some examples using search:
- Arrow https://arrow.apache.org/docs/python/cuda.html
- SystemML https://systemml.apache.org/docs/1.2.0/gpu
- Singa
https://svn.apache.org/repos/infra/websites/production/singa/content/docs/gpu.html

TQ



>
> 1. https://mxnet.apache.org/get_started/?
> 2. https://github.com/apache/incubator-mxnet/releases
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

Re: Issue with releases / feedback from ASF board

[Leonard Lausen <la...@apache.org>]

Thank you Betrand for the suggestion.

I have created a pull request to update the website. Anyone interested,
please take a look and leave feedback in the pull request or via
response to this mail. There is no preview of the resulting page
available, but we can also iterate via multiple pull requests in case of
any remaining problems.

https://github.com/apache/incubator-mxnet/pull/18487

The PR is quite large, thus my reluctance to first open a PR deleting
stuff and then adding things back. The effort for correcting the site in
a single step is significantly lower. I hope Incubator has understanding
for that.

Thanks
Leonard

Bertrand Delacretaz <bd...@codeconsult.ch> writes:
> Hi,
>
> On Thu, Jun 4, 2020 at 8:44 AM Leonard Lausen <la...@apache.org> wrote:
>> ...Does adding the following notice pior to any mentioning of a third-party
>> binary release work for clearly informing users?...
>
> I haven't followed all the details but IIUC what you are doing is
> linking to third-party packages that can help people get started with
> MXNet but are not provided by the ASF.
>
> If that's correct, I would phrase your disclaimer a bit differently.
>
>>
>> > WARNING: The following binary release is not provided by the Apache
>> > Software Foundation and third-party members of the MXNet community.
>> > They may contain closed-source components with restrictive licenses.
>> > You may want to download the official Apache MXNet (incubating) source
>> > release instead and build from source instead....
>
> WARNING: the following links are provided for your convenience but
> they point to packages that are *not* provided nor endorsed by the
> Apache Software Foundation.
> As such, they might contain software components with more restrictive
> licenses than the Apache License and you'll need to decide whether
> they are appropriate for your usage. Like all Apache Releases, the
> official Apache MXNet (incubating) releases consist of source code
> only and are found at <link>.
>
> -Bertrand

Re: Issue with releases / feedback from ASF board

[Leonard Lausen <la...@apache.org>]

Thank you Betrand for the suggestion.

I have created a pull request to update the website. Anyone interested,
please take a look and leave feedback in the pull request or via
response to this mail. There is no preview of the resulting page
available, but we can also iterate via multiple pull requests in case of
any remaining problems.

https://github.com/apache/incubator-mxnet/pull/18487

The PR is quite large, thus my reluctance to first open a PR deleting
stuff and then adding things back. The effort for correcting the site in
a single step is significantly lower. I hope Incubator has understanding
for that.

Thanks
Leonard

Bertrand Delacretaz <bd...@codeconsult.ch> writes:
> Hi,
>
> On Thu, Jun 4, 2020 at 8:44 AM Leonard Lausen <la...@apache.org> wrote:
>> ...Does adding the following notice pior to any mentioning of a third-party
>> binary release work for clearly informing users?...
>
> I haven't followed all the details but IIUC what you are doing is
> linking to third-party packages that can help people get started with
> MXNet but are not provided by the ASF.
>
> If that's correct, I would phrase your disclaimer a bit differently.
>
>>
>> > WARNING: The following binary release is not provided by the Apache
>> > Software Foundation and third-party members of the MXNet community.
>> > They may contain closed-source components with restrictive licenses.
>> > You may want to download the official Apache MXNet (incubating) source
>> > release instead and build from source instead....
>
> WARNING: the following links are provided for your convenience but
> they point to packages that are *not* provided nor endorsed by the
> Apache Software Foundation.
> As such, they might contain software components with more restrictive
> licenses than the Apache License and you'll need to decide whether
> they are appropriate for your usage. Like all Apache Releases, the
> official Apache MXNet (incubating) releases consist of source code
> only and are found at <link>.
>
> -Bertrand

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Bertrand Delacretaz <bd...@codeconsult.ch>]

Hi,

On Thu, Jun 4, 2020 at 8:44 AM Leonard Lausen <la...@apache.org> wrote:
> ...Does adding the following notice pior to any mentioning of a third-party
> binary release work for clearly informing users?...

I haven't followed all the details but IIUC what you are doing is
linking to third-party packages that can help people get started with
MXNet but are not provided by the ASF.

If that's correct, I would phrase your disclaimer a bit differently.

>
> > WARNING: The following binary release is not provided by the Apache
> > Software Foundation and third-party members of the MXNet community.
> > They may contain closed-source components with restrictive licenses.
> > You may want to download the official Apache MXNet (incubating) source
> > release instead and build from source instead....

WARNING: the following links are provided for your convenience but
they point to packages that are *not* provided nor endorsed by the
Apache Software Foundation.
As such, they might contain software components with more restrictive
licenses than the Apache License and you'll need to decide whether
they are appropriate for your usage. Like all Apache Releases, the
official Apache MXNet (incubating) releases consist of source code
only and are found at <link>.

-Bertrand

Re: Issue with releases / feedback from ASF board

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> On May 5th 2020 I have opened LEGAL-515 and asked (among other
> questions) how the MXNet PPMC can correctly reference third-party
> distributions on the website. Unfortunately that question was not answered.

It looks answered to me. Your question “Finally, I believe the MXNet project website would need to be updated to clarify that such binaries are provided by third parties and not associated with the ASF. Is that correct?” was answered as “correct" on the 5th May. 

> In response I have asked you, if it wouldn't be possible to first decide
> how to properly disclaim links to third-parties on the website, 

It quite straight forward put a big disclaimer there saying these are not Apache releases. This as it has been discussed before here and examples easily found. e.g [1] 

>> WARNING: The following binary release is not provided by the Apache
>> Software Foundation and third-party members of the MXNet community.
>> They may contain closed-source components with restrictive licenses.
>> You may want to download the official Apache MXNet (incubating) source
>> release instead and build from source instead.

Why say “may" when you know it to be incompatible with the Apache license? Be clear about the situation, your users deserve that.

But something like this would be a good start. Making the source download more prominent would be another. Addressing any naming and trademark issues (also needed) can come later.

> And in either case, if the Incubator prefers the route of updating the
> website multiple times

It's not hard to update the text on a website (or shouldn’t be). The incubator would prefer that the podlings follow ASF policy and when something serious is pointed out correct it in a reasonable amount of time. Yes some things may take time to discuss but you can still act in the meantime. In this case the right course of action should have been to clearly inform your users of the issue(s) while you were working out what to do. Adding a disclaimer is a good first step and could have been done before now.

> But given your response, I now believe you may be referring to git tags
> that were made prior to MXNet joining the incubator on 2017-01-23 / on
> which no vote by the PPMC took place?

Correct. Be sure to clearly label these are not ASF releases. Also be clear to clearly label any release that is not compatible with the Apache license.

Basically a user should not be surprised to find out what they have been using is not an Apache release or is not compatible with the Apache license.

Thanks,
Justin

1. https://nuttx.apache.org/download/
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Bertrand Delacretaz <bd...@codeconsult.ch>]

Hi,

On Thu, Jun 4, 2020 at 8:44 AM Leonard Lausen <la...@apache.org> wrote:
> ...Does adding the following notice pior to any mentioning of a third-party
> binary release work for clearly informing users?...

I haven't followed all the details but IIUC what you are doing is
linking to third-party packages that can help people get started with
MXNet but are not provided by the ASF.

If that's correct, I would phrase your disclaimer a bit differently.

>
> > WARNING: The following binary release is not provided by the Apache
> > Software Foundation and third-party members of the MXNet community.
> > They may contain closed-source components with restrictive licenses.
> > You may want to download the official Apache MXNet (incubating) source
> > release instead and build from source instead....

WARNING: the following links are provided for your convenience but
they point to packages that are *not* provided nor endorsed by the
Apache Software Foundation.
As such, they might contain software components with more restrictive
licenses than the Apache License and you'll need to decide whether
they are appropriate for your usage. Like all Apache Releases, the
official Apache MXNet (incubating) releases consist of source code
only and are found at <link>.

-Bertrand

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Leonard Lausen <la...@apache.org>]

Hi Justin,

as there have been a couple of mails on the dev@ list prior to your mail
to general@ list and your mail contains a dramatic opening, I'd like to
provide some context here.

The problem in the current focus is how to ensure the
http://mxnet.apache.org/get_started page is compliant with ASF policies.
The page currently provides names of third-party binary distributions
not controlled by the PPMC which may confuse some users.

Let's take a look at the timeline first:

On May 5th 2020 I have opened LEGAL-515 and asked (among other
questions) how the MXNet PPMC can correctly reference third-party
distributions on the website. Unfortunately that question was not
answered. In fact the majority of questions in LEGAL-515 remained
unanswered throughout May (starting May 8th).

Note that prior to my question in LEGAL-515, the MXNet website has been
mentioning the names of third-party distributions already.

You just now stated:

> You were asked to do something about this a few weeks ago and as far
> as I can see have not done so. Please do so as soon as you can.

That's not entirely correct. I note that there a two different requests.
On May 24th you have contacted the PPMC, requesting the PPMC to (among
other things) improve the clarity of the Getting Started page:

> It also needs to be clear what a user is installed from this install
> page [http://mxnet.incubator.apache.org/get_started]

PPMC has been working on resolving this question in LEGAL-515 since May
5th and has also requested guidance from the trademark@ team. This was
still ongoing at the time of your email today.

Today you have contacted the PPMC with a different request about the
Getting Started page:

> It’s quite clear they should not be linked to from an Apache page
> like this as users will think these are Apache releases. Please remove
> them, after that bring it up on the incubator general list and we can
> discuss what needs to be done.

In response I have asked you, if it wouldn't be possible to first decide
how to properly disclaim links to third-parties on the website, before
removing the links and then potentially adding them back with a
disclaimer later.

This is a very simple question. It's quite late in my timezone and
updating the website will take some time. Why not udpate the website
once correctly instead of taking a route that requires multiple updates?

To resolve the situation, I suggest we start from your statement here:

> No Apache project should be distributing 3rd party releases from their
> web site without clearly informing the users of what they are getting.

Does adding the following notice pior to any mentioning of a third-party
binary release work for clearly informing users?

> WARNING: The following binary release is not provided by the Apache
> Software Foundation and third-party members of the MXNet community.
> They may contain closed-source components with restrictive licenses.
> You may want to download the official Apache MXNet (incubating) source
> release instead and build from source instead.

If so, PPMC can initiate the process of adding this statement to the
website tomorrow. If not, do you have a better suggestion?

And in either case, if the Incubator prefers the route of updating the
website multiple times and leaves a partially empty website in the
intermediate time, then let it be that way and PPMC may initiate that
process tomorrow.


>> I'm not sure what you mean. Note that Github automatically creates these
>> release pages based on the presence of git tags in the version control
>> history.
>
> Yes they do but they consists of Apache releases it looks like you
> have non Apache releases there. Other projects tag these add notes to
> make it very clear they are not Apache releases.

The context here is that I requested you to clarify on your mail from
May 24th in which you stated:

> The GitHub download page [2] is also confusing as it contains a mix of
> Apache and non-Apache releases

My understanding of your statement was that you refer to the source
archives created by Github, which are not the official ASF source
archives. MXNet project uploaded the ASF source archives in addition to
the Github source archives to ensure users can easily discover them. But
it appears this is not what you meant with "confusing" .

But given your response, I now believe you may be referring to git tags
that were made prior to MXNet joining the incubator on 2017-01-23 / on
which no vote by the PPMC took place? Adding notes to those releases can
be done easily if that is what you request.

Best regards
Leonard

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Leonard Lausen <la...@apache.org>]

Hi Justin,

as there have been a couple of mails on the dev@ list prior to your mail
to general@ list and your mail contains a dramatic opening, I'd like to
provide some context here.

The problem in the current focus is how to ensure the
http://mxnet.apache.org/get_started page is compliant with ASF policies.
The page currently provides names of third-party binary distributions
not controlled by the PPMC which may confuse some users.

Let's take a look at the timeline first:

On May 5th 2020 I have opened LEGAL-515 and asked (among other
questions) how the MXNet PPMC can correctly reference third-party
distributions on the website. Unfortunately that question was not
answered. In fact the majority of questions in LEGAL-515 remained
unanswered throughout May (starting May 8th).

Note that prior to my question in LEGAL-515, the MXNet website has been
mentioning the names of third-party distributions already.

You just now stated:

> You were asked to do something about this a few weeks ago and as far
> as I can see have not done so. Please do so as soon as you can.

That's not entirely correct. I note that there a two different requests.
On May 24th you have contacted the PPMC, requesting the PPMC to (among
other things) improve the clarity of the Getting Started page:

> It also needs to be clear what a user is installed from this install
> page [http://mxnet.incubator.apache.org/get_started]

PPMC has been working on resolving this question in LEGAL-515 since May
5th and has also requested guidance from the trademark@ team. This was
still ongoing at the time of your email today.

Today you have contacted the PPMC with a different request about the
Getting Started page:

> It’s quite clear they should not be linked to from an Apache page
> like this as users will think these are Apache releases. Please remove
> them, after that bring it up on the incubator general list and we can
> discuss what needs to be done.

In response I have asked you, if it wouldn't be possible to first decide
how to properly disclaim links to third-parties on the website, before
removing the links and then potentially adding them back with a
disclaimer later.

This is a very simple question. It's quite late in my timezone and
updating the website will take some time. Why not udpate the website
once correctly instead of taking a route that requires multiple updates?

To resolve the situation, I suggest we start from your statement here:

> No Apache project should be distributing 3rd party releases from their
> web site without clearly informing the users of what they are getting.

Does adding the following notice pior to any mentioning of a third-party
binary release work for clearly informing users?

> WARNING: The following binary release is not provided by the Apache
> Software Foundation and third-party members of the MXNet community.
> They may contain closed-source components with restrictive licenses.
> You may want to download the official Apache MXNet (incubating) source
> release instead and build from source instead.

If so, PPMC can initiate the process of adding this statement to the
website tomorrow. If not, do you have a better suggestion?

And in either case, if the Incubator prefers the route of updating the
website multiple times and leaves a partially empty website in the
intermediate time, then let it be that way and PPMC may initiate that
process tomorrow.


>> I'm not sure what you mean. Note that Github automatically creates these
>> release pages based on the presence of git tags in the version control
>> history.
>
> Yes they do but they consists of Apache releases it looks like you
> have non Apache releases there. Other projects tag these add notes to
> make it very clear they are not Apache releases.

The context here is that I requested you to clarify on your mail from
May 24th in which you stated:

> The GitHub download page [2] is also confusing as it contains a mix of
> Apache and non-Apache releases

My understanding of your statement was that you refer to the source
archives created by Github, which are not the official ASF source
archives. MXNet project uploaded the ASF source archives in addition to
the Github source archives to ensure users can easily discover them. But
it appears this is not what you meant with "confusing" .

But given your response, I now believe you may be referring to git tags
that were made prior to MXNet joining the incubator on 2017-01-23 / on
which no vote by the PPMC took place? Adding notes to those releases can
be done easily if that is what you request.

Best regards
Leonard

Re: Issue with releases / feedback from ASF board

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> The status quo has been in place since a while. Do you think we have
> time to first discuss the correct solution on the Incubator list, before
> we delete the existing pages?

I’ll ask again. Please remove any releases that are not Apache releases, that includes any releases that are not compatible with the Apache license and include Category X compiled code. You can’t put 3rd party releases on that page as there is no indication that they are not Apache releases. No Apache project should be distributing 3rd party releases from their web site without clearly informing the users of what they are getting. You were asked to do something about this a few weeks ago and as far as I can see have not done so. Please do so as soon as you can.

> I'm not sure what you mean. Note that Github automatically creates these
> release pages based on the presence of git tags in the version control
> history.

Yes they do but they consists of Apache releases it looks like you have non Apache releases there. Other projects tag these add notes to make it very clear they are not Apache releases.

> So is your recommendation here to take down the ASF source archives

No I’m not asking that. I would just clearly mark the releases that are not Apache ones or not compatible with the Apache license.

Thanks,
Justin
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Leonard Lausen <la...@apache.org>]

Hi Justin,

Justin Mclean <ju...@classsoftware.com> writes:
> It’s quite clear they should not be linked to from an Apache page
> like this as users will think these are Apache releases. Please remove
> them, after that bring it up on the incubator general list and we can
> discuss what needs to be done.

The status quo has been in place since a while. Do you think we have
time to first discuss the correct solution on the Incubator list, before
we delete the existing pages?

>> Also I notice you referred to the Github Release page. Github will automatically
>> provide a ZIP folder ("Source code (zip)") for the commit tagged as release.
>> PPMC has further uploaded the ASF .tar.gz, .tar.gz.asc and .tar.gz.sha512. Is
>> that what you mean with confusing mix of "Apache and non-Apache releases”?
>
> You need to mark anything that is not an Apache release very clearly
> and if that cannot be done them it needs to be removed.

I'm not sure what you mean. Note that Github automatically creates these
release pages based on the presence of git tags in the version control
history.

I looked at a number of Apache projects and their Github Release pages.
By the very nature of how Github presents the release page, they all
contain links to download a source archive provided by Github. Different
to MXNet, these projects do not in addition provide the ASF source
archives on their Github release page, but only the Github source
archives.

- Apache Arrow: https://github.com/apache/arrow/releases
- Apache Hadoop: https://github.com/apache/hadoop/releases
- Apache Maven: https://github.com/apache/maven/releases

Most closely, the Apache Beam project includes changelog in a similar
manner as MXNet and also tags RC releases on Github:

- Apache Beam https://github.com/apache/beam/releases

So is your recommendation here to take down the ASF source archives, ie.
the .tar.gz, .tar.gz.asz and .tar.gz.sha512 files and only keep the
basic Github functionality? This will make it harder for users to
discover the official ASF releases, but it's certainly something we can
do.

Best regards
Leonard

Re: Issue with releases / feedback from ASF board

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> this page currently contains some links to third-party binary distributions of
> MXNet (for example at [1]). The question of what the PPMC should recommend those
> third-parties to avoid trademarking issues is currently being discussed on
> private@ and trademark@.

It’s quite clear they should not be linked to from an Apache page like this as users will think these are Apache releases. Please remove them, after that bring it up on the incubator general list and we can discuss what needs to be done.

> Also I notice you referred to the Github Release page. Github will automatically
> provide a ZIP folder ("Source code (zip)") for the commit tagged as release.
> PPMC has further uploaded the ASF .tar.gz, .tar.gz.asc and .tar.gz.sha512. Is
> that what you mean with confusing mix of "Apache and non-Apache releases”?

You need to mark anything that is not an Apache release very clearly and if that cannot be done them it needs to be removed.

Thanks,
Justin

Re: Issue with releases / feedback from ASF board

[Leonard Lausen <la...@apache.org>]

Hi Justin,

this page currently contains some links to third-party binary distributions of
MXNet (for example at [1]). The question of what the PPMC should recommend those
third-parties to avoid trademarking issues is currently being discussed on
private@ and trademark@.

With respect to the MXNet Website linking to third-parties, I haven't been able
to find a policy yet. The current plan is to add a disclaimer and bring this up
with the Incubator for review. Do you think that's sensible? Do you have any
other recommendation?

Also I notice you referred to the Github Release page. Github will automatically
provide a ZIP folder ("Source code (zip)") for the commit tagged as release.
PPMC has further uploaded the ASF .tar.gz, .tar.gz.asc and .tar.gz.sha512. Is
that what you mean with confusing mix of "Apache and non-Apache releases"?

Best regards
Leonard

[1]: 
https://mxnet.apache.org/get_started?platform=linux&language=python&processor=gpu&environ=pip&
;

On Wed, 2020-06-03 at 23:50 +0000, Justin Mclean wrote:
> Hi,
> 
> I don't see what has been done about this [1] which I mentioned above. What is
> the planned action here?
> 
> Thanks,
> Justin
> 
> 1. https://mxnet.apache.org/get_started?
> 

Re: Issue with releases / feedback from ASF board

[Justin Mclean <jm...@apache.org>]

Hi,

I don't see what has been done about this [1] which I mentioned above. What is the planned action here?

Thanks,
Justin

1. https://mxnet.apache.org/get_started?

Re: Issue with releases / feedback from ASF board

[Sheng Zha <zh...@apache.org>]

Hi Justin,

Here's an update on the progress of addressing the license issues:

Done:
- Add disclaimer to repo.mxnet.io and dist.mxnet.io to clarify that the
nightly releases there are not intended for public consumption. (changed.
pending cache refresh)
- Remove non-Apache releases in github release page.

Ongoing:
- Delete problematic Maven releases. dev@ is notified and per discussion
it's pending lazy consensus [1].
- Review with Apache Trademark on the current third-party binary
distributions of mxnet and make necessary correction. Review initiated with
trademarks@.
- Review with Apache Legal on the appropriate license for convenience
binary distribution and display it prominently. Currently waiting for reply
[2]

To do:
- Add source distribution to PyPI package `apache-mxnet`. This is intended
to be the official source release that is compliant with incubator
distribution guidelines [3].
- Non-official third-party Maven binary releases. We need input on the
requirements for observing the proper trademark usage first.

As we proceed, there may be more work to do, and we are tracking the
progress in https://github.com/apache/incubator-mxnet/issues/18397.

Let us know if you have any question.

Regards,
Sheng

[1]
https://lists.apache.org/thread.html/ra4e9572ac74857a80c64a31e8bf292d353e74cfa87bf457f47450303%40%3Cdev.mxnet.apache.org%3E
[2] https://issues.apache.org/jira/browse/LEGAL-515
[3]
https://cwiki.apache.org/confluence/display/INCUBATOR/DistributionGuidelines

On Sun, May 31, 2020 at 2:01 AM Justin Mclean <jm...@apache.org> wrote:

> Hi,
>
> I'm writing my board report in the next couple of days and just wondering
> what progress has been made on this.
>
> Thanks,
> Justin
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

Re: Issue with releases / feedback from ASF board

[Sheng Zha <zh...@apache.org>]

Hi Justin,

Here's an update on the progress of addressing the license issues:

Done:
- Add disclaimer to repo.mxnet.io and dist.mxnet.io to clarify that the
nightly releases there are not intended for public consumption. (changed.
pending cache refresh)
- Remove non-Apache releases in github release page.

Ongoing:
- Delete problematic Maven releases. dev@ is notified and per discussion
it's pending lazy consensus [1].
- Review with Apache Trademark on the current third-party binary
distributions of mxnet and make necessary correction. Review initiated with
trademarks@.
- Review with Apache Legal on the appropriate license for convenience
binary distribution and display it prominently. Currently waiting for reply
[2]

To do:
- Add source distribution to PyPI package `apache-mxnet`. This is intended
to be the official source release that is compliant with incubator
distribution guidelines [3].
- Non-official third-party Maven binary releases. We need input on the
requirements for observing the proper trademark usage first.

As we proceed, there may be more work to do, and we are tracking the
progress in https://github.com/apache/incubator-mxnet/issues/18397.

Let us know if you have any question.

Regards,
Sheng

[1]
https://lists.apache.org/thread.html/ra4e9572ac74857a80c64a31e8bf292d353e74cfa87bf457f47450303%40%3Cdev.mxnet.apache.org%3E
[2] https://issues.apache.org/jira/browse/LEGAL-515
[3]
https://cwiki.apache.org/confluence/display/INCUBATOR/DistributionGuidelines

On Sun, May 31, 2020 at 2:01 AM Justin Mclean <jm...@apache.org> wrote:

> Hi,
>
> I'm writing my board report in the next couple of days and just wondering
> what progress has been made on this.
>
> Thanks,
> Justin
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

Re: Issue with releases / feedback from ASF board

[Justin Mclean <jm...@apache.org>]

Hi,

I'm writing my board report in the next couple of days and just wondering what progress has been made on this.

Thanks,
Justin

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Sheng Zha <sz...@gmail.com>]

Thanks for the reply. Besides the clarification below, we will track and
address here [1] the rest of the comments in this thread.

> > - We will introduce source releases on PyPI and Maven using apache-mxnet
> > name to provide users with the option to have Apache distribution and
allow
> > users to compile CUDA/cuDNN code as an option.
>
> I assume that mean you will two distribution on PyPI? Or is the intent to
remove the other one?

- We PPMC will create apache-mxnet package with Apache releases in the form
of source distributions. This is intended as first-party release to comply
with the draft release policy.
- As individual, and with appropriate names and description as determined
by trademark review, I intend to continue to provide binary releases on
PyPI for the convenience of the community. This is out of necessity as
compiling all the CUDA code in MXNet can take hours even on powerful CPUs.

-sz

[1] https://github.com/apache/incubator-mxnet/issues/18397

On Sat, May 23, 2020 at 5:15 PM Justin Mclean <ju...@classsoftware.com>
wrote:

> Hi,
>
> > - MXNet publishes only nightly pre-release builds to dist.mxnet.io for
> the
> > verification purpose for projects in the ecosystem and for developers who
> > work on the bleeding edge.
>
> IMO Something more needs to be done here, at the very least I would expect
> to se a very large disclaimer that these are not releases for use of the
> general public and for internal development use only and are not Apache
> Releases.  A google search brings up that page and it is incorrectly titled
> "Apache MXNet Python Binary Distribution”. I see other download pages that
> just contain links and no information to what the files are.
>
> It also needs to be clear what a user is installed from this install page
> [1] which I assume is using the above? The GitHub download page [2] is also
> confusing as it contains a mix of Apache and non-Apache releases.
>
> > - PyPI releases are not the act of this PPMC, but are from individuals
> > acting as third-party for the convenience of the community.
>
> Currently this page isn’t in line with Apache trademark policy.
>
> > With my PPMC hat on, we will take the following actions:
> >
> > - We will try to take down problematic Maven releases immediately and
> > discuss in the community how to proceed with future Maven releases.
>
> Thanks for that.
>
> > - We will introduce source releases on PyPI and Maven using apache-mxnet
> > name to provide users with the option to have Apache distribution and
> allow
> > users to compile CUDA/cuDNN code as an option.
>
> I assume that mean you will two distribution on PyPI? Or is the intent to
> remove the other one?
>
> > Finally, we appreciate any lesson other projects can share on licensing
> and
> > distribution that involves CUDA code. Thanks.
>
> I’m not aware of any other project that uses CUDU code.
>
> Thanks,
> Justin
>
> 1. https://mxnet.apache.org/get_started/?
> 2. https://github.com/apache/incubator-mxnet/releases
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

Re: Issue with releases / feedback from ASF board

[Sheng Zha <sz...@gmail.com>]

Thanks for the reply. Besides the clarification below, we will track and
address here [1] the rest of the comments in this thread.

> > - We will introduce source releases on PyPI and Maven using apache-mxnet
> > name to provide users with the option to have Apache distribution and
allow
> > users to compile CUDA/cuDNN code as an option.
>
> I assume that mean you will two distribution on PyPI? Or is the intent to
remove the other one?

- We PPMC will create apache-mxnet package with Apache releases in the form
of source distributions. This is intended as first-party release to comply
with the draft release policy.
- As individual, and with appropriate names and description as determined
by trademark review, I intend to continue to provide binary releases on
PyPI for the convenience of the community. This is out of necessity as
compiling all the CUDA code in MXNet can take hours even on powerful CPUs.

-sz

[1] https://github.com/apache/incubator-mxnet/issues/18397

On Sat, May 23, 2020 at 5:15 PM Justin Mclean <ju...@classsoftware.com>
wrote:

> Hi,
>
> > - MXNet publishes only nightly pre-release builds to dist.mxnet.io for
> the
> > verification purpose for projects in the ecosystem and for developers who
> > work on the bleeding edge.
>
> IMO Something more needs to be done here, at the very least I would expect
> to se a very large disclaimer that these are not releases for use of the
> general public and for internal development use only and are not Apache
> Releases.  A google search brings up that page and it is incorrectly titled
> "Apache MXNet Python Binary Distribution”. I see other download pages that
> just contain links and no information to what the files are.
>
> It also needs to be clear what a user is installed from this install page
> [1] which I assume is using the above? The GitHub download page [2] is also
> confusing as it contains a mix of Apache and non-Apache releases.
>
> > - PyPI releases are not the act of this PPMC, but are from individuals
> > acting as third-party for the convenience of the community.
>
> Currently this page isn’t in line with Apache trademark policy.
>
> > With my PPMC hat on, we will take the following actions:
> >
> > - We will try to take down problematic Maven releases immediately and
> > discuss in the community how to proceed with future Maven releases.
>
> Thanks for that.
>
> > - We will introduce source releases on PyPI and Maven using apache-mxnet
> > name to provide users with the option to have Apache distribution and
> allow
> > users to compile CUDA/cuDNN code as an option.
>
> I assume that mean you will two distribution on PyPI? Or is the intent to
> remove the other one?
>
> > Finally, we appreciate any lesson other projects can share on licensing
> and
> > distribution that involves CUDA code. Thanks.
>
> I’m not aware of any other project that uses CUDU code.
>
> Thanks,
> Justin
>
> 1. https://mxnet.apache.org/get_started/?
> 2. https://github.com/apache/incubator-mxnet/releases
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

Re: Issue with releases / feedback from ASF board

[Tianqi Chen <tq...@cs.washington.edu>]

>
> I’m not aware of any other project that uses CUDU code.
>

I want to point out that most machine learning and analytics related
projects will likely need to involve (and likely distribute) CUDA code,
this would include some of the current TLPs.

Here are some examples using search:
- Arrow https://arrow.apache.org/docs/python/cuda.html
- SystemML https://systemml.apache.org/docs/1.2.0/gpu
- Singa
https://svn.apache.org/repos/infra/websites/production/singa/content/docs/gpu.html

TQ



>
> 1. https://mxnet.apache.org/get_started/?
> 2. https://github.com/apache/incubator-mxnet/releases
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

Re: Issue with releases / feedback from ASF board

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> - MXNet publishes only nightly pre-release builds to dist.mxnet.io for the
> verification purpose for projects in the ecosystem and for developers who
> work on the bleeding edge.

IMO Something more needs to be done here, at the very least I would expect to se a very large disclaimer that these are not releases for use of the general public and for internal development use only and are not Apache Releases.  A google search brings up that page and it is incorrectly titled "Apache MXNet Python Binary Distribution”. I see other download pages that just contain links and no information to what the files are.

It also needs to be clear what a user is installed from this install page [1] which I assume is using the above? The GitHub download page [2] is also confusing as it contains a mix of Apache and non-Apache releases.

> - PyPI releases are not the act of this PPMC, but are from individuals
> acting as third-party for the convenience of the community.

Currently this page isn’t in line with Apache trademark policy.

> With my PPMC hat on, we will take the following actions:
> 
> - We will try to take down problematic Maven releases immediately and
> discuss in the community how to proceed with future Maven releases.

Thanks for that.

> - We will introduce source releases on PyPI and Maven using apache-mxnet
> name to provide users with the option to have Apache distribution and allow
> users to compile CUDA/cuDNN code as an option.

I assume that mean you will two distribution on PyPI? Or is the intent to remove the other one?

> Finally, we appreciate any lesson other projects can share on licensing and
> distribution that involves CUDA code. Thanks.

I’m not aware of any other project that uses CUDU code.

Thanks,
Justin

1. https://mxnet.apache.org/get_started/?
2. https://github.com/apache/incubator-mxnet/releases
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> - MXNet publishes only nightly pre-release builds to dist.mxnet.io for the
> verification purpose for projects in the ecosystem and for developers who
> work on the bleeding edge.

IMO Something more needs to be done here, at the very least I would expect to se a very large disclaimer that these are not releases for use of the general public and for internal development use only and are not Apache Releases.  A google search brings up that page and it is incorrectly titled "Apache MXNet Python Binary Distribution”. I see other download pages that just contain links and no information to what the files are.

It also needs to be clear what a user is installed from this install page [1] which I assume is using the above? The GitHub download page [2] is also confusing as it contains a mix of Apache and non-Apache releases.

> - PyPI releases are not the act of this PPMC, but are from individuals
> acting as third-party for the convenience of the community.

Currently this page isn’t in line with Apache trademark policy.

> With my PPMC hat on, we will take the following actions:
> 
> - We will try to take down problematic Maven releases immediately and
> discuss in the community how to proceed with future Maven releases.

Thanks for that.

> - We will introduce source releases on PyPI and Maven using apache-mxnet
> name to provide users with the option to have Apache distribution and allow
> users to compile CUDA/cuDNN code as an option.

I assume that mean you will two distribution on PyPI? Or is the intent to remove the other one?

> Finally, we appreciate any lesson other projects can share on licensing and
> distribution that involves CUDA code. Thanks.

I’m not aware of any other project that uses CUDU code.

Thanks,
Justin

1. https://mxnet.apache.org/get_started/?
2. https://github.com/apache/incubator-mxnet/releases

Re: Issue with releases / feedback from ASF board

[Sheng Zha <zh...@apache.org>]

Hi Justin and incubator,

Thank you for the feedback.

1. We fully intend to address the licensing issues in releases and software
distributions as part of our efforts towards graduation.

2. To my knowledge, there was no intention from this PPMC to bypass the
software release policy.

To clarify on 2:

- MXNet publishes only nightly pre-release builds to dist.mxnet.io for the
verification purpose for projects in the ecosystem and for developers who
work on the bleeding edge.

- PyPI releases are not the act of this PPMC, but are from individuals
acting as third-party for the convenience of the community. The binary
releases there are not from dist.mxnet.io, but are produced from the same
or similar build scripts without modification to the source code.

- We made a mistake on Maven releases that we took the same solution as
PyPI without carefully reviewing that it complies with the license
requirement.

With my PPMC hat off, as the individual who made releases to PyPI:

- I do NOT intend to confuse the users of our PyPI releases to be the act
of MXNet PPMC as I didn't use the apache-mxnet as PyPI package name, which
is specified by the draft policy on releases [1]. I will initiate review
with Apache Trademark to make sure it is clear.

- I do NOT intend to confuse the users of our PyPI releases to be under
Apache License 2.0 and it's an artifact from using the same build script. I
will seek input from Apache Legal on LEGAL-515 to clarify what the proper
licensing should be.

With my PPMC hat on, we will take the following actions:

- We will try to take down problematic Maven releases immediately and
discuss in the community how to proceed with future Maven releases.

- We will introduce source releases on PyPI and Maven using apache-mxnet
name to provide users with the option to have Apache distribution and allow
users to compile CUDA/cuDNN code as an option.


Finally, we appreciate any lesson other projects can share on licensing and
distribution that involves CUDA code. Thanks.

Regards,

Sheng

On behalf of Apache MXNet (Incubating) PPMC


On Fri, May 22, 2020 at 8:49 PM Justin Mclean <jm...@apache.org> wrote:

> Hi,
>
> The incubator report had the following feedback:
>      Incubator needs to address the software distribution issues
>      regarding MXNet (not reporting this month). The PPMC is
>      effectively bypassing our software release policies by creating
>      distribution packages that are combined with non-open-source
>      platform libraries and publishing them on dist.mxnet.io, where
>      they are picked up and distributed using the PyPi channel to
>      all Python users. The resulting pages on PyPi mislead users
>      into thinking they are installing an Apache License 2.0 package
>      even though it contains software that we are not allowed to
>      distribute under our license.
>      https://issues.apache.org/jira/browse/LEGAL-515
>      https://dist.mxnet.io/python/cu102
>      https://pypi.org/project/mxnet-cu102/
>
> I can see you have been discussing this here [1] so some progress has been
> made. It would be a good idea to keep the Incubator PMC in the loop on what
> actions the PMC is going to take to resolve this.
>
> Thanks,
> Justin
>
> 1. https://s.apache.org/5102c
>
>

Re: Issue with releases / feedback from ASF board

[Sheng Zha <zh...@apache.org>]

Hi Justin and incubator,

Thank you for the feedback.

1. We fully intend to address the licensing issues in releases and software
distributions as part of our efforts towards graduation.

2. To my knowledge, there was no intention from this PPMC to bypass the
software release policy.

To clarify on 2:

- MXNet publishes only nightly pre-release builds to dist.mxnet.io for the
verification purpose for projects in the ecosystem and for developers who
work on the bleeding edge.

- PyPI releases are not the act of this PPMC, but are from individuals
acting as third-party for the convenience of the community. The binary
releases there are not from dist.mxnet.io, but are produced from the same
or similar build scripts without modification to the source code.

- We made a mistake on Maven releases that we took the same solution as
PyPI without carefully reviewing that it complies with the license
requirement.

With my PPMC hat off, as the individual who made releases to PyPI:

- I do NOT intend to confuse the users of our PyPI releases to be the act
of MXNet PPMC as I didn't use the apache-mxnet as PyPI package name, which
is specified by the draft policy on releases [1]. I will initiate review
with Apache Trademark to make sure it is clear.

- I do NOT intend to confuse the users of our PyPI releases to be under
Apache License 2.0 and it's an artifact from using the same build script. I
will seek input from Apache Legal on LEGAL-515 to clarify what the proper
licensing should be.

With my PPMC hat on, we will take the following actions:

- We will try to take down problematic Maven releases immediately and
discuss in the community how to proceed with future Maven releases.

- We will introduce source releases on PyPI and Maven using apache-mxnet
name to provide users with the option to have Apache distribution and allow
users to compile CUDA/cuDNN code as an option.


Finally, we appreciate any lesson other projects can share on licensing and
distribution that involves CUDA code. Thanks.

Regards,

Sheng

On behalf of Apache MXNet (Incubating) PPMC


On Fri, May 22, 2020 at 8:49 PM Justin Mclean <jm...@apache.org> wrote:

> Hi,
>
> The incubator report had the following feedback:
>      Incubator needs to address the software distribution issues
>      regarding MXNet (not reporting this month). The PPMC is
>      effectively bypassing our software release policies by creating
>      distribution packages that are combined with non-open-source
>      platform libraries and publishing them on dist.mxnet.io, where
>      they are picked up and distributed using the PyPi channel to
>      all Python users. The resulting pages on PyPi mislead users
>      into thinking they are installing an Apache License 2.0 package
>      even though it contains software that we are not allowed to
>      distribute under our license.
>      https://issues.apache.org/jira/browse/LEGAL-515
>      https://dist.mxnet.io/python/cu102
>      https://pypi.org/project/mxnet-cu102/
>
> I can see you have been discussing this here [1] so some progress has been
> made. It would be a good idea to keep the Incubator PMC in the loop on what
> actions the PMC is going to take to resolve this.
>
> Thanks,
> Justin
>
> 1. https://s.apache.org/5102c
>
>