Re: Issue with releases / feedback from ASF board

[Sheng Zha <zh...@apache.org>]

Hi Justin,

Here's an update on the progress of addressing the license issues:

Done:
- Add disclaimer to repo.mxnet.io and dist.mxnet.io to clarify that the
nightly releases there are not intended for public consumption. (changed.
pending cache refresh)
- Remove non-Apache releases in github release page.

Ongoing:
- Delete problematic Maven releases. dev@ is notified and per discussion
it's pending lazy consensus [1].
- Review with Apache Trademark on the current third-party binary
distributions of mxnet and make necessary correction. Review initiated with
trademarks@.
- Review with Apache Legal on the appropriate license for convenience
binary distribution and display it prominently. Currently waiting for reply
[2]

To do:
- Add source distribution to PyPI package `apache-mxnet`. This is intended
to be the official source release that is compliant with incubator
distribution guidelines [3].
- Non-official third-party Maven binary releases. We need input on the
requirements for observing the proper trademark usage first.

As we proceed, there may be more work to do, and we are tracking the
progress in https://github.com/apache/incubator-mxnet/issues/18397.

Let us know if you have any question.

Regards,
Sheng

[1]
https://lists.apache.org/thread.html/ra4e9572ac74857a80c64a31e8bf292d353e74cfa87bf457f47450303%40%3Cdev.mxnet.apache.org%3E
[2] https://issues.apache.org/jira/browse/LEGAL-515
[3]
https://cwiki.apache.org/confluence/display/INCUBATOR/DistributionGuidelines

On Sun, May 31, 2020 at 2:01 AM Justin Mclean <jm...@apache.org> wrote:

> Hi,
>
> I'm writing my board report in the next couple of days and just wondering
> what progress has been made on this.
>
> Thanks,
> Justin
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

Re: Issue with releases / feedback from ASF board

[Leonard Lausen <la...@apache.org>]

Thank you Betrand for the suggestion.

I have created a pull request to update the website. Anyone interested,
please take a look and leave feedback in the pull request or via
response to this mail. There is no preview of the resulting page
available, but we can also iterate via multiple pull requests in case of
any remaining problems.

https://github.com/apache/incubator-mxnet/pull/18487

The PR is quite large, thus my reluctance to first open a PR deleting
stuff and then adding things back. The effort for correcting the site in
a single step is significantly lower. I hope Incubator has understanding
for that.

Thanks
Leonard

Bertrand Delacretaz <bd...@codeconsult.ch> writes:
> Hi,
>
> On Thu, Jun 4, 2020 at 8:44 AM Leonard Lausen <la...@apache.org> wrote:
>> ...Does adding the following notice pior to any mentioning of a third-party
>> binary release work for clearly informing users?...
>
> I haven't followed all the details but IIUC what you are doing is
> linking to third-party packages that can help people get started with
> MXNet but are not provided by the ASF.
>
> If that's correct, I would phrase your disclaimer a bit differently.
>
>>
>> > WARNING: The following binary release is not provided by the Apache
>> > Software Foundation and third-party members of the MXNet community.
>> > They may contain closed-source components with restrictive licenses.
>> > You may want to download the official Apache MXNet (incubating) source
>> > release instead and build from source instead....
>
> WARNING: the following links are provided for your convenience but
> they point to packages that are *not* provided nor endorsed by the
> Apache Software Foundation.
> As such, they might contain software components with more restrictive
> licenses than the Apache License and you'll need to decide whether
> they are appropriate for your usage. Like all Apache Releases, the
> official Apache MXNet (incubating) releases consist of source code
> only and are found at <link>.
>
> -Bertrand

Re: Issue with releases / feedback from ASF board

[Leonard Lausen <la...@apache.org>]

Thank you Betrand for the suggestion.

I have created a pull request to update the website. Anyone interested,
please take a look and leave feedback in the pull request or via
response to this mail. There is no preview of the resulting page
available, but we can also iterate via multiple pull requests in case of
any remaining problems.

https://github.com/apache/incubator-mxnet/pull/18487

The PR is quite large, thus my reluctance to first open a PR deleting
stuff and then adding things back. The effort for correcting the site in
a single step is significantly lower. I hope Incubator has understanding
for that.

Thanks
Leonard

Bertrand Delacretaz <bd...@codeconsult.ch> writes:
> Hi,
>
> On Thu, Jun 4, 2020 at 8:44 AM Leonard Lausen <la...@apache.org> wrote:
>> ...Does adding the following notice pior to any mentioning of a third-party
>> binary release work for clearly informing users?...
>
> I haven't followed all the details but IIUC what you are doing is
> linking to third-party packages that can help people get started with
> MXNet but are not provided by the ASF.
>
> If that's correct, I would phrase your disclaimer a bit differently.
>
>>
>> > WARNING: The following binary release is not provided by the Apache
>> > Software Foundation and third-party members of the MXNet community.
>> > They may contain closed-source components with restrictive licenses.
>> > You may want to download the official Apache MXNet (incubating) source
>> > release instead and build from source instead....
>
> WARNING: the following links are provided for your convenience but
> they point to packages that are *not* provided nor endorsed by the
> Apache Software Foundation.
> As such, they might contain software components with more restrictive
> licenses than the Apache License and you'll need to decide whether
> they are appropriate for your usage. Like all Apache Releases, the
> official Apache MXNet (incubating) releases consist of source code
> only and are found at <link>.
>
> -Bertrand

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Bertrand Delacretaz <bd...@codeconsult.ch>]

Hi,

On Thu, Jun 4, 2020 at 8:44 AM Leonard Lausen <la...@apache.org> wrote:
> ...Does adding the following notice pior to any mentioning of a third-party
> binary release work for clearly informing users?...

I haven't followed all the details but IIUC what you are doing is
linking to third-party packages that can help people get started with
MXNet but are not provided by the ASF.

If that's correct, I would phrase your disclaimer a bit differently.

>
> > WARNING: The following binary release is not provided by the Apache
> > Software Foundation and third-party members of the MXNet community.
> > They may contain closed-source components with restrictive licenses.
> > You may want to download the official Apache MXNet (incubating) source
> > release instead and build from source instead....

WARNING: the following links are provided for your convenience but
they point to packages that are *not* provided nor endorsed by the
Apache Software Foundation.
As such, they might contain software components with more restrictive
licenses than the Apache License and you'll need to decide whether
they are appropriate for your usage. Like all Apache Releases, the
official Apache MXNet (incubating) releases consist of source code
only and are found at <link>.

-Bertrand

Re: Issue with releases / feedback from ASF board

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> On May 5th 2020 I have opened LEGAL-515 and asked (among other
> questions) how the MXNet PPMC can correctly reference third-party
> distributions on the website. Unfortunately that question was not answered.

It looks answered to me. Your question “Finally, I believe the MXNet project website would need to be updated to clarify that such binaries are provided by third parties and not associated with the ASF. Is that correct?” was answered as “correct" on the 5th May. 

> In response I have asked you, if it wouldn't be possible to first decide
> how to properly disclaim links to third-parties on the website, 

It quite straight forward put a big disclaimer there saying these are not Apache releases. This as it has been discussed before here and examples easily found. e.g [1] 

>> WARNING: The following binary release is not provided by the Apache
>> Software Foundation and third-party members of the MXNet community.
>> They may contain closed-source components with restrictive licenses.
>> You may want to download the official Apache MXNet (incubating) source
>> release instead and build from source instead.

Why say “may" when you know it to be incompatible with the Apache license? Be clear about the situation, your users deserve that.

But something like this would be a good start. Making the source download more prominent would be another. Addressing any naming and trademark issues (also needed) can come later.

> And in either case, if the Incubator prefers the route of updating the
> website multiple times

It's not hard to update the text on a website (or shouldn’t be). The incubator would prefer that the podlings follow ASF policy and when something serious is pointed out correct it in a reasonable amount of time. Yes some things may take time to discuss but you can still act in the meantime. In this case the right course of action should have been to clearly inform your users of the issue(s) while you were working out what to do. Adding a disclaimer is a good first step and could have been done before now.

> But given your response, I now believe you may be referring to git tags
> that were made prior to MXNet joining the incubator on 2017-01-23 / on
> which no vote by the PPMC took place?

Correct. Be sure to clearly label these are not ASF releases. Also be clear to clearly label any release that is not compatible with the Apache license.

Basically a user should not be surprised to find out what they have been using is not an Apache release or is not compatible with the Apache license.

Thanks,
Justin

1. https://nuttx.apache.org/download/
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Bertrand Delacretaz <bd...@codeconsult.ch>]

Hi,

On Thu, Jun 4, 2020 at 8:44 AM Leonard Lausen <la...@apache.org> wrote:
> ...Does adding the following notice pior to any mentioning of a third-party
> binary release work for clearly informing users?...

I haven't followed all the details but IIUC what you are doing is
linking to third-party packages that can help people get started with
MXNet but are not provided by the ASF.

If that's correct, I would phrase your disclaimer a bit differently.

>
> > WARNING: The following binary release is not provided by the Apache
> > Software Foundation and third-party members of the MXNet community.
> > They may contain closed-source components with restrictive licenses.
> > You may want to download the official Apache MXNet (incubating) source
> > release instead and build from source instead....

WARNING: the following links are provided for your convenience but
they point to packages that are *not* provided nor endorsed by the
Apache Software Foundation.
As such, they might contain software components with more restrictive
licenses than the Apache License and you'll need to decide whether
they are appropriate for your usage. Like all Apache Releases, the
official Apache MXNet (incubating) releases consist of source code
only and are found at <link>.

-Bertrand

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Leonard Lausen <la...@apache.org>]

Hi Justin,

as there have been a couple of mails on the dev@ list prior to your mail
to general@ list and your mail contains a dramatic opening, I'd like to
provide some context here.

The problem in the current focus is how to ensure the
http://mxnet.apache.org/get_started page is compliant with ASF policies.
The page currently provides names of third-party binary distributions
not controlled by the PPMC which may confuse some users.

Let's take a look at the timeline first:

On May 5th 2020 I have opened LEGAL-515 and asked (among other
questions) how the MXNet PPMC can correctly reference third-party
distributions on the website. Unfortunately that question was not
answered. In fact the majority of questions in LEGAL-515 remained
unanswered throughout May (starting May 8th).

Note that prior to my question in LEGAL-515, the MXNet website has been
mentioning the names of third-party distributions already.

You just now stated:

> You were asked to do something about this a few weeks ago and as far
> as I can see have not done so. Please do so as soon as you can.

That's not entirely correct. I note that there a two different requests.
On May 24th you have contacted the PPMC, requesting the PPMC to (among
other things) improve the clarity of the Getting Started page:

> It also needs to be clear what a user is installed from this install
> page [http://mxnet.incubator.apache.org/get_started]

PPMC has been working on resolving this question in LEGAL-515 since May
5th and has also requested guidance from the trademark@ team. This was
still ongoing at the time of your email today.

Today you have contacted the PPMC with a different request about the
Getting Started page:

> It’s quite clear they should not be linked to from an Apache page
> like this as users will think these are Apache releases. Please remove
> them, after that bring it up on the incubator general list and we can
> discuss what needs to be done.

In response I have asked you, if it wouldn't be possible to first decide
how to properly disclaim links to third-parties on the website, before
removing the links and then potentially adding them back with a
disclaimer later.

This is a very simple question. It's quite late in my timezone and
updating the website will take some time. Why not udpate the website
once correctly instead of taking a route that requires multiple updates?

To resolve the situation, I suggest we start from your statement here:

> No Apache project should be distributing 3rd party releases from their
> web site without clearly informing the users of what they are getting.

Does adding the following notice pior to any mentioning of a third-party
binary release work for clearly informing users?

> WARNING: The following binary release is not provided by the Apache
> Software Foundation and third-party members of the MXNet community.
> They may contain closed-source components with restrictive licenses.
> You may want to download the official Apache MXNet (incubating) source
> release instead and build from source instead.

If so, PPMC can initiate the process of adding this statement to the
website tomorrow. If not, do you have a better suggestion?

And in either case, if the Incubator prefers the route of updating the
website multiple times and leaves a partially empty website in the
intermediate time, then let it be that way and PPMC may initiate that
process tomorrow.


>> I'm not sure what you mean. Note that Github automatically creates these
>> release pages based on the presence of git tags in the version control
>> history.
>
> Yes they do but they consists of Apache releases it looks like you
> have non Apache releases there. Other projects tag these add notes to
> make it very clear they are not Apache releases.

The context here is that I requested you to clarify on your mail from
May 24th in which you stated:

> The GitHub download page [2] is also confusing as it contains a mix of
> Apache and non-Apache releases

My understanding of your statement was that you refer to the source
archives created by Github, which are not the official ASF source
archives. MXNet project uploaded the ASF source archives in addition to
the Github source archives to ensure users can easily discover them. But
it appears this is not what you meant with "confusing" .

But given your response, I now believe you may be referring to git tags
that were made prior to MXNet joining the incubator on 2017-01-23 / on
which no vote by the PPMC took place? Adding notes to those releases can
be done easily if that is what you request.

Best regards
Leonard

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Leonard Lausen <la...@apache.org>]

Hi Justin,

as there have been a couple of mails on the dev@ list prior to your mail
to general@ list and your mail contains a dramatic opening, I'd like to
provide some context here.

The problem in the current focus is how to ensure the
http://mxnet.apache.org/get_started page is compliant with ASF policies.
The page currently provides names of third-party binary distributions
not controlled by the PPMC which may confuse some users.

Let's take a look at the timeline first:

On May 5th 2020 I have opened LEGAL-515 and asked (among other
questions) how the MXNet PPMC can correctly reference third-party
distributions on the website. Unfortunately that question was not
answered. In fact the majority of questions in LEGAL-515 remained
unanswered throughout May (starting May 8th).

Note that prior to my question in LEGAL-515, the MXNet website has been
mentioning the names of third-party distributions already.

You just now stated:

> You were asked to do something about this a few weeks ago and as far
> as I can see have not done so. Please do so as soon as you can.

That's not entirely correct. I note that there a two different requests.
On May 24th you have contacted the PPMC, requesting the PPMC to (among
other things) improve the clarity of the Getting Started page:

> It also needs to be clear what a user is installed from this install
> page [http://mxnet.incubator.apache.org/get_started]

PPMC has been working on resolving this question in LEGAL-515 since May
5th and has also requested guidance from the trademark@ team. This was
still ongoing at the time of your email today.

Today you have contacted the PPMC with a different request about the
Getting Started page:

> It’s quite clear they should not be linked to from an Apache page
> like this as users will think these are Apache releases. Please remove
> them, after that bring it up on the incubator general list and we can
> discuss what needs to be done.

In response I have asked you, if it wouldn't be possible to first decide
how to properly disclaim links to third-parties on the website, before
removing the links and then potentially adding them back with a
disclaimer later.

This is a very simple question. It's quite late in my timezone and
updating the website will take some time. Why not udpate the website
once correctly instead of taking a route that requires multiple updates?

To resolve the situation, I suggest we start from your statement here:

> No Apache project should be distributing 3rd party releases from their
> web site without clearly informing the users of what they are getting.

Does adding the following notice pior to any mentioning of a third-party
binary release work for clearly informing users?

> WARNING: The following binary release is not provided by the Apache
> Software Foundation and third-party members of the MXNet community.
> They may contain closed-source components with restrictive licenses.
> You may want to download the official Apache MXNet (incubating) source
> release instead and build from source instead.

If so, PPMC can initiate the process of adding this statement to the
website tomorrow. If not, do you have a better suggestion?

And in either case, if the Incubator prefers the route of updating the
website multiple times and leaves a partially empty website in the
intermediate time, then let it be that way and PPMC may initiate that
process tomorrow.


>> I'm not sure what you mean. Note that Github automatically creates these
>> release pages based on the presence of git tags in the version control
>> history.
>
> Yes they do but they consists of Apache releases it looks like you
> have non Apache releases there. Other projects tag these add notes to
> make it very clear they are not Apache releases.

The context here is that I requested you to clarify on your mail from
May 24th in which you stated:

> The GitHub download page [2] is also confusing as it contains a mix of
> Apache and non-Apache releases

My understanding of your statement was that you refer to the source
archives created by Github, which are not the official ASF source
archives. MXNet project uploaded the ASF source archives in addition to
the Github source archives to ensure users can easily discover them. But
it appears this is not what you meant with "confusing" .

But given your response, I now believe you may be referring to git tags
that were made prior to MXNet joining the incubator on 2017-01-23 / on
which no vote by the PPMC took place? Adding notes to those releases can
be done easily if that is what you request.

Best regards
Leonard

Re: Issue with releases / feedback from ASF board

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> The status quo has been in place since a while. Do you think we have
> time to first discuss the correct solution on the Incubator list, before
> we delete the existing pages?

I’ll ask again. Please remove any releases that are not Apache releases, that includes any releases that are not compatible with the Apache license and include Category X compiled code. You can’t put 3rd party releases on that page as there is no indication that they are not Apache releases. No Apache project should be distributing 3rd party releases from their web site without clearly informing the users of what they are getting. You were asked to do something about this a few weeks ago and as far as I can see have not done so. Please do so as soon as you can.

> I'm not sure what you mean. Note that Github automatically creates these
> release pages based on the presence of git tags in the version control
> history.

Yes they do but they consists of Apache releases it looks like you have non Apache releases there. Other projects tag these add notes to make it very clear they are not Apache releases.

> So is your recommendation here to take down the ASF source archives

No I’m not asking that. I would just clearly mark the releases that are not Apache ones or not compatible with the Apache license.

Thanks,
Justin
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Issue with releases / feedback from ASF board

[Leonard Lausen <la...@apache.org>]

Hi Justin,

Justin Mclean <ju...@classsoftware.com> writes:
> It’s quite clear they should not be linked to from an Apache page
> like this as users will think these are Apache releases. Please remove
> them, after that bring it up on the incubator general list and we can
> discuss what needs to be done.

The status quo has been in place since a while. Do you think we have
time to first discuss the correct solution on the Incubator list, before
we delete the existing pages?

>> Also I notice you referred to the Github Release page. Github will automatically
>> provide a ZIP folder ("Source code (zip)") for the commit tagged as release.
>> PPMC has further uploaded the ASF .tar.gz, .tar.gz.asc and .tar.gz.sha512. Is
>> that what you mean with confusing mix of "Apache and non-Apache releases”?
>
> You need to mark anything that is not an Apache release very clearly
> and if that cannot be done them it needs to be removed.

I'm not sure what you mean. Note that Github automatically creates these
release pages based on the presence of git tags in the version control
history.

I looked at a number of Apache projects and their Github Release pages.
By the very nature of how Github presents the release page, they all
contain links to download a source archive provided by Github. Different
to MXNet, these projects do not in addition provide the ASF source
archives on their Github release page, but only the Github source
archives.

- Apache Arrow: https://github.com/apache/arrow/releases
- Apache Hadoop: https://github.com/apache/hadoop/releases
- Apache Maven: https://github.com/apache/maven/releases

Most closely, the Apache Beam project includes changelog in a similar
manner as MXNet and also tags RC releases on Github:

- Apache Beam https://github.com/apache/beam/releases

So is your recommendation here to take down the ASF source archives, ie.
the .tar.gz, .tar.gz.asz and .tar.gz.sha512 files and only keep the
basic Github functionality? This will make it harder for users to
discover the official ASF releases, but it's certainly something we can
do.

Best regards
Leonard

Re: Issue with releases / feedback from ASF board

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> this page currently contains some links to third-party binary distributions of
> MXNet (for example at [1]). The question of what the PPMC should recommend those
> third-parties to avoid trademarking issues is currently being discussed on
> private@ and trademark@.

It’s quite clear they should not be linked to from an Apache page like this as users will think these are Apache releases. Please remove them, after that bring it up on the incubator general list and we can discuss what needs to be done.

> Also I notice you referred to the Github Release page. Github will automatically
> provide a ZIP folder ("Source code (zip)") for the commit tagged as release.
> PPMC has further uploaded the ASF .tar.gz, .tar.gz.asc and .tar.gz.sha512. Is
> that what you mean with confusing mix of "Apache and non-Apache releases”?

You need to mark anything that is not an Apache release very clearly and if that cannot be done them it needs to be removed.

Thanks,
Justin

Re: Issue with releases / feedback from ASF board

[Leonard Lausen <la...@apache.org>]

Hi Justin,

this page currently contains some links to third-party binary distributions of
MXNet (for example at [1]). The question of what the PPMC should recommend those
third-parties to avoid trademarking issues is currently being discussed on
private@ and trademark@.

With respect to the MXNet Website linking to third-parties, I haven't been able
to find a policy yet. The current plan is to add a disclaimer and bring this up
with the Incubator for review. Do you think that's sensible? Do you have any
other recommendation?

Also I notice you referred to the Github Release page. Github will automatically
provide a ZIP folder ("Source code (zip)") for the commit tagged as release.
PPMC has further uploaded the ASF .tar.gz, .tar.gz.asc and .tar.gz.sha512. Is
that what you mean with confusing mix of "Apache and non-Apache releases"?

Best regards
Leonard

[1]: 
https://mxnet.apache.org/get_started?platform=linux&language=python&processor=gpu&environ=pip&
;

On Wed, 2020-06-03 at 23:50 +0000, Justin Mclean wrote:
> Hi,
> 
> I don't see what has been done about this [1] which I mentioned above. What is
> the planned action here?
> 
> Thanks,
> Justin
> 
> 1. https://mxnet.apache.org/get_started?
> 

Re: Issue with releases / feedback from ASF board

[Justin Mclean <jm...@apache.org>]

Hi,

I don't see what has been done about this [1] which I mentioned above. What is the planned action here?

Thanks,
Justin

1. https://mxnet.apache.org/get_started?