Posted to legal-discuss@apache.org by "Austin, Richard (Fort Collins)" <ri...@hpe.com> on 2016/10/17 19:50:45 UTC

Country of Origin of various ASF projects

Good afternoon,

I am trying to determine the Country of Origin of a lengthy list of Apache open-source projects, in order to determine whether they are in compliance with the U. S. Trade Agreements Act (TAA).  (Some of our customers require this.)  TAA defines the Country of Origin as the country where the software is built--where final compilation occurs.  There is a LONG list of countries that are TAA-approved.

One person at human-response@apache.org noted that each project is generally compiled on the local machine of the Release Manager for that specific version and then uploaded.  While I can contact each project separately to ask about the build country, I was advised that it might be worth checking with Apache Legal Affairs, in case a compilation of this information already exists.  (It seems very likely that other groups needing TAA compliance would have already been asking Apache about this.)

Do you know of any centralized source of Country of Origin information for Apache projects?  Note that we are only looking for the country or countries--we do NOT need information on specific servers, cities, or states.

Thanks very much for any information--or pointers to others who may have relevant information.

Regards,
  Richard Austin
  Software Development Engineer
  Hewlett Packard Enterprise


Re: Country of Origin of various ASF projects

Posted by Jim Jagielski <ji...@jaguNET.com>.
The ASF releases source code, not final-compiled artifacts. Some projects
do also allow for convenience binaries to be released and available for
download, but they are not the official releases of the project nor the
foundation: just the source code is.

> On Oct 17, 2016, at 3:50 PM, Austin, Richard (Fort Collins) <ri...@hpe.com> wrote:
> 
> Good afternoon,
>  
> I am trying to determine the Country of Origin of a lengthy list of Apache open-source projects, in order to determine whether they are in compliance with the U. S. Trade Agreements Act (TAA).  (Some of our customers require this.)  TAA defines the Country of Origin as the country where the software is built--where final compilation occurs.  There is a LONG list of countries that are TAA-approved.
>  
> One person at human-response@apache.org noted that each project is generally compiled on the local machine of the Release Manager for that specific version and then uploaded.  While I can contact each project separately to ask about the build country, I was advised that it might be worth checking with Apache Legal Affairs, in case a compilation of this information already exists.  (It seems very likely that other groups needing TAA compliance would have already been asking Apache about this.)
>  
> Do you know of any centralized source of Country of Origin information for Apache projects?  Note that we are only looking for the country or countries--we do NOT need information on specific servers, cities, or states.
>  
> Thanks very much for any information--or pointers to others who may have relevant information. 
>  
> Regards,
>   Richard Austin
>   Software Development Engineer
>   Hewlett Packard Enterprise


---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: Country of Origin of various ASF projects

Posted by Roman Shaposhnik <ro...@shaposhnik.org>.
On Mon, Oct 17, 2016 at 12:50 PM, Austin, Richard (Fort Collins)
<ri...@hpe.com> wrote:
> Good afternoon,
>
>
>
> I am trying to determine the Country of Origin of a lengthy list of Apache
> open-source projects, in order to determine whether they are in compliance
> with the U. S. Trade Agreements Act (TAA).  (Some of our customers require
> this.)  TAA defines the Country of Origin as the country where the software
> is built--where final compilation occurs.  There is a LONG list of countries
> that are TAA-approved.
>
>
> One person at human-response@apache.org noted that each project is generally
> compiled on the local machine of the Release Manager for that specific
> version and then uploaded.  While I can contact each project separately to
> ask about the build country, I was advised that it might be worth checking
> with Apache Legal Affairs, in case a compilation of this information already
> exists.  (It seems very likely that other groups needing TAA compliance
> would have already been asking Apache about this.)

I think it would be useful to state the very fundamental assumption
that ASF has: legally speaking ASF is NOT in a business of releasing
fully integrated (read compiled, linked and packaged) but rather in a
business of releasing source code for our projects. Hence the only
artifact that we're in business of distributing officially has a
country of origin within US (since all of our source code management
infrastructure currently resides in US).

While it is true that projects are within their right to distribute
'binary convenience artifacts' those are handled on a project-by-project
basis with the only basic assumption that whatever gets released has to
be explicitly vetted by the project's PMC during the normal release vote.

Thanks,
Roman.



Re: Country of Origin of various ASF projects

Posted by Craig Russell <cr...@oracle.com>.
> On Oct 17, 2016, at 3:28 PM, Alex Harui <ah...@adobe.com> wrote:
> 
> And what are the rules if I compiled the code on a VM in the cloud?  Does
> it matter where that VM is running?
> 
> Seems like folks who need TAA compliance should always work from source
> packages and compile it themselves.

+1

Apache deals in open *source*.

Convenience binaries can be built by anyone, anywhere there is a computer with an internet connection or a postal address where a tape (!) containing sources can be delivered.

Craig
> 
> -Alex
> 
> On 10/17/16, 2:15 PM, "sebb" <se...@gmail.com> wrote:
> 
>> Note also that each individual release may have a different release
>> manager who may reside in a different country.
>> And of course people may change their country of residence.
>> 
>> On 17 October 2016 at 21:00, Paul Libbrecht <pa...@hoplahup.net> wrote:
>>> Why can’t you or someone at your company rebuild within the US (or
>>> anywhere
>>> else appropriate) so that this compliance is guaranteed? It is generally
>>> expected that someone else successfully building will build the same
>>> artefact, even if differences such as modification date of binary files
>>> may
>>> exist. E.g. version numbers are the same.
>>> 
>>> paul
>>> 
>>> 
>>> On 17 Oct 2016, at 21:50, Austin, Richard (Fort Collins)
>>> <ri...@hpe.com> wrote:
>>> 
>>> Good afternoon,
>>> 
>>> I am trying to determine the Country of Origin of a lengthy list of
>>> Apache
>>> open-source projects, in order to determine whether they are in
>>> compliance
>>> with the U. S. Trade Agreements Act (TAA).  (Some of our customers
>>> require
>>> this.)  TAA defines the Country of Origin as the country where the
>>> software
>>> is built--where final compilation occurs.  There is a LONG list of
>>> countries
>>> that are TAA-approved.
>>> 
>>> One person at human-response@apache.org noted that each project is
>>> generally
>>> compiled on the local machine of the Release Manager for that specific
>>> version and then uploaded.  While I can contact each project separately
>>> to
>>> ask about the build country, I was advised that it might be worth
>>> checking
>>> with Apache Legal Affairs, in case a compilation of this information
>>> already
>>> exists.  (It seems very likely that other groups needing TAA compliance
>>> would have already been asking Apache about this.)
>>> 
>>> Do you know of any centralized source of Country of Origin information
>>> for
>>> Apache projects?  Note that we are only looking for the country or
>>> countries--we do NOT need information on specific servers, cities, or
>>> states.
>>> 
>>> Thanks very much for any information--or pointers to others who may have
>>> relevant information.
>>> 
>>> Regards,
>>>  Richard Austin
>>>  Software Development Engineer
>>>  Hewlett Packard Enterprise
>>> 
>>> 
>> 
>> 
> 
> 
> 

Craig L Russell
clr@apache.org





Re: Country of Origin of various ASF projects

Posted by Alex Harui <ah...@adobe.com>.
And what are the rules if I compiled the code on a VM in the cloud?  Does
it matter where that VM is running?

Seems like folks who need TAA compliance should always work from source
packages and compile it themselves.

-Alex

On 10/17/16, 2:15 PM, "sebb" <se...@gmail.com> wrote:

>Note also that each individual release may have a different release
>manager who may reside in a different country.
>And of course people may change their country of residence.
>
>On 17 October 2016 at 21:00, Paul Libbrecht <pa...@hoplahup.net> wrote:
>> Why can’t you or someone at your company rebuild within the US (or
>>anywhere
>> else appropriate) so that this compliance is guaranteed? It is generally
>> expected that someone else successfully building will build the same
>> artefact, even if differences such as modification date of binary files
>>may
>> exist. E.g. version numbers are the same.
>>
>> paul
>>
>>
>> On 17 Oct 2016, at 21:50, Austin, Richard (Fort Collins)
>> <ri...@hpe.com> wrote:
>>
>> Good afternoon,
>>
>> I am trying to determine the Country of Origin of a lengthy list of
>>Apache
>> open-source projects, in order to determine whether they are in
>>compliance
>> with the U. S. Trade Agreements Act (TAA).  (Some of our customers
>>require
>> this.)  TAA defines the Country of Origin as the country where the
>>software
>> is built--where final compilation occurs.  There is a LONG list of
>>countries
>> that are TAA-approved.
>>
>> One person at human-response@apache.org noted that each project is
>>generally
>> compiled on the local machine of the Release Manager for that specific
>> version and then uploaded.  While I can contact each project separately
>>to
>> ask about the build country, I was advised that it might be worth
>>checking
>> with Apache Legal Affairs, in case a compilation of this information
>>already
>> exists.  (It seems very likely that other groups needing TAA compliance
>> would have already been asking Apache about this.)
>>
>> Do you know of any centralized source of Country of Origin information
>>for
>> Apache projects?  Note that we are only looking for the country or
>> countries--we do NOT need information on specific servers, cities, or
>> states.
>>
>> Thanks very much for any information--or pointers to others who may have
>> relevant information.
>>
>> Regards,
>>   Richard Austin
>>   Software Development Engineer
>>   Hewlett Packard Enterprise
>>
>>
>
>




Convenience binaries [Was: Country of Origin of various ASF projects]

Posted by Andy Seaborne <an...@apache.org>.
I am trying to understand the implications of all this for convenience 
binaries for a project that uses the excellent Apache HttpClient as a 
dependency but has no crypto software itself.

The project produces convenience binaries: zip file including all 
dependencies and combined shaded uber jars which includes all 
dependencies.  The project also uses maven for distribution of built 
artifacts.

The source-release does not include HttpClient so there is nothing to do 
for the formal release product.

There are 3 channels for the binaries where ASF is first point at which 
the binaries are accessible.

archive.a.o, repository.a.o/snapshots and repository.a.o/releases.

(To me, it looks like the maven repo as publication channel is no 
different from archive.a.o, except that "snapshots" get published there 
and while primarily for the developers, they are publicly accessible.)

Registration:

A/ The project should register the binaries.

B/ The project should not point to the git repo (no crypto there).

C/ All 3 channels (archive.a.o and 2 maven repos) are ControlledSource.

READMEs:

C/ The README in the source-release does not include a crypto notice.

D/ The binaries (zip and combined jar maven artifacts) include a README 
with a crypto notice.

	Andy

On 19/10/16 11:18, Stian Soiland-Reyes wrote:
> The ASF only consider the source release the atomic Release (tm) -
> which certainly is what should be used by downstream consumers who
> need to check Country of Origin or in other ways want to be sure of
> what exact code they are using.
>
> However our binary "convenience" artifacts (e.g. the JARs in Maven
> Central which Java developers generally use as-is) are also
> distributed by ASF as an organization, promoted and hosted by us (via
> our mirrors) - so I don't think we can argue them to be irrelevant.
>
> So I think the answer is that "convenience binaries" are built by the
> individual release managers (varies per release), which would live in
> different locations (possibly temporarily reside in a different
> location at the time of preparing a release), and which may be using
> build infrastructure in a third location (in particular building Maven
> projects would commonly rely on Maven Central and artifacts that
> themselves have mixed origin) - and as such it is difficult to define
> a single Country of Origin for binary releases.  Consumers who need to
> consider Country of Origin should only use the source releases,
> verified by their PGP signatures, and build it on their own
> infrastructure.
>
>
> Refs:
>
> http://www.apache.org/dev/release#owned-controlled-hardware
> http://www.apache.org/dev/release#what
> https://www.apache.org/dev/release-distribution.html



Re: Country of Origin of various ASF projects

Posted by sebb <se...@gmail.com>.
On 20 October 2016 at 01:54, Wheeler, David A <dw...@ida.org> wrote:
> All - thanks for the insight.  I particularly appreciated the answer by Stian Soiland-Reyes on Wednesday, October 19, 2016 04:19.
>
> However - can this *please* be documented somewhere in a public FAQ?

+1

> I recommend that <http://www.apache.org/dev/release> be modified to specifically answer this question, so that others can get the same answer.  I've cobbled up a draft, below, which is basically a reformat of the answer by Stian Soiland-Reyes.
>
> Who should this be sent to?
>
> --- David A. Wheeler
>
> =============================================
>
> Proposed addition to <http://www.apache.org/dev/release> - add to the end of "Release Licensing Questions":
>
> Q: What is the "Country of Origin" for purposes of the U.S. Trade Agreements Act (TAA) and similar acts?
>
> Some countries' laws involve the "country of origin".  For example, the U. S. Trade Agreements Act (TAA) imposes laws involving the "country of origin", and it defines the Country of Origin as the country where the software is built (where final compilation occurs).

OK.

> The ASF only consider the source release the release.  This is what should be used by downstream consumers who need to check Country of Origin or in other ways want to be sure of what exact code they are using.  Source releases are acts of the Foundation.

The above para does not read well to me. Also not sure the 3rd
sentence is needed here.

> Many ASF projects also provide binary "convenience" artifacts, aka "convenience binaries".  These include  the JARs in Maven Central, which Java developers generally use as-is.  Some of these are also distributed by ASF as an organization, and even promoted and hosted by ASF (via ASF mirrors).

"Some of these" is ambiguous - does it refer to JARs in Maven Central
or convenience binaries?
[In theory "these" refers to the nearest possible objects, but I
suspect that is not the case here]

> However, "convenience binaries" are built by the individual release managers (who may vary per release), who would live in different locations (possibly temporarily residing in a different location at the time of preparing a release), and who may be using build infrastructure in a third location (in particular building Maven projects would commonly rely on Maven Central and artifacts that themselves have mixed origin).  As such, it is difficult to define a single Country of Origin for binary releases.  Consumers who need to consider Country of Origin should only use the source releases, verified by their PGP signatures, and build it on their own infrastructure.

"it is difficult" => "it is not generally possible"

> References:
> http://www.apache.org/dev/release#owned-controlled-hardware
> http://www.apache.org/dev/release#what
> https://www.apache.org/dev/release-distribution.html
>
>
>



Re: Country of Origin of various ASF projects

Posted by Stian Soiland-Reyes <st...@apache.org>.
Thanks! Hope you are able to re-shape my late-night ramblings..

There's also the partially overlapping
https://www.apache.org/licenses/exports/ - although Country of Origin
applies also to non-encryption software.

Any Apache committer can suggest an update using the CMS system at
https://cms.apache.org/www/ and navigating to the corresponding
folder. Suggest your patch on dev@community as it would be part of the
policy document.

On 20 October 2016 at 02:54, Wheeler, David A <dw...@ida.org> wrote:
> All - thanks for the insight.  I particularly appreciated the answer by Stian Soiland-Reyes on Wednesday, October 19, 2016 04:19.
>
> However - can this *please* be documented somewhere in a public FAQ?  I recommend that <http://www.apache.org/dev/release> be modified to specifically answer this question, so that others can get the same answer.  I've cobbled up a draft, below, which is basically a reformat of the answer by Stian Soiland-Reyes.
>
> Who should this be sent to?
>
> --- David A. Wheeler
>
> =============================================
>
> Proposed addition to <http://www.apache.org/dev/release> - add to the end of "Release Licensing Questions":
>
> Q: What is the "Country of Origin" for purposes of the U.S. Trade Agreements Act (TAA) and similar acts?
>
> Some countries' laws involve the "country of origin".  For example, the U. S. Trade Agreements Act (TAA) imposes laws involving the "country of origin", and it defines the Country of Origin as the country where the software is built (where final compilation occurs).
>
> The ASF only consider the source release the release.  This is what should be used by downstream consumers who need to check Country of Origin or in other ways want to be sure of what exact code they are using.  Source releases are acts of the Foundation.
>
> Many ASF projects also provide binary "convenience" artifacts, aka "convenience binaries".  These include  the JARs in Maven Central, which Java developers generally use as-is.  Some of these are also distributed by ASF as an organization, and even promoted and hosted by ASF (via ASF mirrors).
>
> However, "convenience binaries" are built by the individual release managers (who may vary per release), who would live in different locations (possibly temporarily residing in a different location at the time of preparing a release), and who may be using build infrastructure in a third location (in particular building Maven projects would commonly rely on Maven Central and artifacts that themselves have mixed origin).  As such, it is difficult to define a single Country of Origin for binary releases.  Consumers who need to consider Country of Origin should only use the source releases, verified by their PGP signatures, and build it on their own infrastructure.
>
> References:
> http://www.apache.org/dev/release#owned-controlled-hardware
> http://www.apache.org/dev/release#what
> https://www.apache.org/dev/release-distribution.html
>
>
>



-- 
Stian Soiland-Reyes
http://orcid.org/0000-0001-9842-9718



RE: Country of Origin of various ASF projects

Posted by "Wheeler, David A" <dw...@ida.org>.
All - thanks for the insight.  I particularly appreciated the answer by Stian Soiland-Reyes on Wednesday, October 19, 2016 04:19.

However - can this *please* be documented somewhere in a public FAQ?  I recommend that <http://www.apache.org/dev/release> be modified to specifically answer this question, so that others can get the same answer.  I've cobbled up a draft, below, which is basically a reformat of the answer by Stian Soiland-Reyes.

Who should this be sent to?

--- David A. Wheeler

=============================================

Proposed addition to <http://www.apache.org/dev/release> - add to the end of "Release Licensing Questions":

Q: What is the "Country of Origin" for purposes of the U.S. Trade Agreements Act (TAA) and similar acts?

Some countries' laws involve the "country of origin".  For example, the U. S. Trade Agreements Act (TAA) imposes laws involving the "country of origin", and it defines the Country of Origin as the country where the software is built (where final compilation occurs).

The ASF only consider the source release the release.  This is what should be used by downstream consumers who need to check Country of Origin or in other ways want to be sure of what exact code they are using.  Source releases are acts of the Foundation.

Many ASF projects also provide binary "convenience" artifacts, aka "convenience binaries".  These include  the JARs in Maven Central, which Java developers generally use as-is.  Some of these are also distributed by ASF as an organization, and even promoted and hosted by ASF (via ASF mirrors).

However, "convenience binaries" are built by the individual release managers (who may vary per release), who would live in different locations (possibly temporarily residing in a different location at the time of preparing a release), and who may be using build infrastructure in a third location (in particular building Maven projects would commonly rely on Maven Central and artifacts that themselves have mixed origin).  As such, it is difficult to define a single Country of Origin for binary releases.  Consumers who need to consider Country of Origin should only use the source releases, verified by their PGP signatures, and build it on their own infrastructure.

References:
http://www.apache.org/dev/release#owned-controlled-hardware
http://www.apache.org/dev/release#what
https://www.apache.org/dev/release-distribution.html




RE: Country of Origin of various ASF projects

Posted by "Austin, Richard (Fort Collins)" <ri...@hpe.com>.
Many thanks to all of you who have responded to my question--you have been prompt and unambiguous.  :)  Your answers are much appreciated!

Regards,
 Richard Austin
 Software Development Engineer
 Hewlett Packard Enterprise



-----Original Message-----
From: Stian Soiland-Reyes [mailto:stain@apache.org] 
Sent: Wednesday, October 19, 2016 04:19
To: legal-discuss@apache.org
Subject: Re: Country of Origin of various ASF projects

The ASF only consider the source release the atomic Release (tm) - which certainly is what should be used by downstream consumers who need to check Country of Origin or in other ways want to be sure of what exact code they are using.

However our binary "convenience" artifacts (e.g. the JARs in Maven Central which Java developers generally use as-is) are also distributed by ASF as an organization, promoted and hosted by us (via our mirrors) - so I don't think we can argue them to be irrelevant.

So I think the answer is that "convenience binaries" are built by the individual release managers (varies per release), which would live in different locations (possibly temporarily reside in a different location at the time of preparing a release), and which may be using build infrastructure in a third location (in particular building Maven projects would commonly rely on Maven Central and artifacts that themselves have mixed origin) - and as such it is difficult to define a single Country of Origin for binary releases.  Consumers who need to consider Country of Origin should only use the source releases, verified by their PGP signatures, and build it on their own infrastructure.


Refs:

http://www.apache.org/dev/release#owned-controlled-hardware
http://www.apache.org/dev/release#what
https://www.apache.org/dev/release-distribution.html

On 19 October 2016 at 01:53, Ted Dunning <te...@gmail.com> wrote:
>
> On Tue, Oct 18, 2016 at 2:30 PM, sebb <se...@gmail.com> wrote:
>>
>> > Releases are acts of the Foundation, due to our PMCs voting on 
>> > them, so I don't think the release manager has any impact on this.
>>
>> I was responding to the statement in the original e-mail which said:
>>
>> "TAA defines the Country of Origin as the country where the software 
>> is built--where final compilation occurs"
>>
>> However as others have pointed out, the ASF releases source, so the 
>> question is largely moot.
>
>
> Moot is not exactly the right word (events have not placed the issue 
> beyond the law).  Better would be "irrelevant".
>
> There is no "final compilation" with Apache source releases, therefore 
> the question of where that compilation occurs is not a valid question 
> and thus has no answer.
>
>



--
Stian Soiland-Reyes
http://orcid.org/0000-0001-9842-9718



Re: Country of Origin of various ASF projects

Posted by Stian Soiland-Reyes <st...@apache.org>.
The ASF only consider the source release the atomic Release (tm) -
which certainly is what should be used by downstream consumers who
need to check Country of Origin or in other ways want to be sure of
what exact code they are using.

However our binary "convenience" artifacts (e.g. the JARs in Maven
Central which Java developers generally use as-is) are also
distributed by ASF as an organization, promoted and hosted by us (via
our mirrors) - so I don't think we can argue them to be irrelevant.

So I think the answer is that "convenience binaries" are built by the
individual release managers (varies per release), which would live in
different locations (possibly temporarily reside in a different
location at the time of preparing a release), and which may be using
build infrastructure in a third location (in particular building Maven
projects would commonly rely on Maven Central and artifacts that
themselves have mixed origin) - and as such it is difficult to define
a single Country of Origin for binary releases.  Consumers who need to
consider Country of Origin should only use the source releases,
verified by their PGP signatures, and build it on their own
infrastructure.


Refs:

http://www.apache.org/dev/release#owned-controlled-hardware
http://www.apache.org/dev/release#what
https://www.apache.org/dev/release-distribution.html

On 19 October 2016 at 01:53, Ted Dunning <te...@gmail.com> wrote:
>
> On Tue, Oct 18, 2016 at 2:30 PM, sebb <se...@gmail.com> wrote:
>>
>> > Releases are acts of the Foundation, due to our PMCs voting on them,
>> > so I don't think the release manager has any impact on this.
>>
>> I was responding to the statement in the original e-mail which said:
>>
>> "TAA defines the Country of Origin as the country where the software
>> is built--where final compilation occurs"
>>
>> However as others have pointed out, the ASF releases source, so the
>> question is largely moot.
>
>
> Moot is not exactly the right word (events have not placed the issue beyond
> the law).  Better would be "irrelevant".
>
> There is no "final compilation" with Apache source releases, therefore the
> question of where that compilation occurs is not a valid question and thus
> has no answer.
>
>



-- 
Stian Soiland-Reyes
http://orcid.org/0000-0001-9842-9718



Re: Country of Origin of various ASF projects

Posted by sebb <se...@gmail.com>.
On 19 October 2016 at 01:53, Ted Dunning <te...@gmail.com> wrote:
>
> On Tue, Oct 18, 2016 at 2:30 PM, sebb <se...@gmail.com> wrote:
>>
>> > Releases are acts of the Foundation, due to our PMCs voting on them,
>> > so I don't think the release manager has any impact on this.
>>
>> I was responding to the statement in the original e-mail which said:
>>
>> "TAA defines the Country of Origin as the country where the software
>> is built--where final compilation occurs"
>>
>> However as others have pointed out, the ASF releases source, so the
>> question is largely moot.
>
>
> Moot is not exactly the right word (events have not placed the issue beyond
> the law).  Better would be "irrelevant".

This is getting off-topic, but moot in the UK generally means
irrelevant, as per the second meaning in your link.

"of little or no practical value, meaning, or relevance; purely academic: "

> There is no "final compilation" with Apache source releases, therefore the
> question of where that compilation occurs is not a valid question and thus
> has no answer.
>
>



Re: Country of Origin of various ASF projects

Posted by Ted Dunning <te...@gmail.com>.
On Tue, Oct 18, 2016 at 2:30 PM, sebb <se...@gmail.com> wrote:

> > Releases are acts of the Foundation, due to our PMCs voting on them,
> > so I don't think the release manager has any impact on this.
>
> I was responding to the statement in the original e-mail which said:
>
> "TAA defines the Country of Origin as the country where the software
> is built--where final compilation occurs"
>
> However as others have pointed out, the ASF releases source, so the
> question is largely moot.


Moot <http://www.dictionary.com/browse/moot> is not exactly the right word
(events have not placed the issue beyond the law).  Better would be
"irrelevant".

There is no "final compilation" with Apache source releases, therefore the
question of where that compilation occurs is not a valid question and thus
has no answer.

Re: Country of Origin of various ASF projects

Posted by sebb <se...@gmail.com>.
On 18 October 2016 at 11:20, Bertrand Delacretaz <bd...@apache.org> wrote:
> On Mon, Oct 17, 2016 at 11:15 PM, sebb <se...@gmail.com> wrote:
>> ...Note also that each individual release may have a different release
>> manager who may reside in a different country...
>
> Releases are acts of the Foundation, due to our PMCs voting on them,
> so I don't think the release manager has any impact on this.

I was responding to the statement in the original e-mail which said:

"TAA defines the Country of Origin as the country where the software
is built--where final compilation occurs"

However as others have pointed out, the ASF releases source, so the
question is largely moot.

> -Bertrand



Re: Country of Origin of various ASF projects

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Mon, Oct 17, 2016 at 11:15 PM, sebb <se...@gmail.com> wrote:
> ...Note also that each individual release may have a different release
> manager who may reside in a different country...

Releases are acts of the Foundation, due to our PMCs voting on them,
so I don't think the release manager has any impact on this.

-Bertrand



Re: Country of Origin of various ASF projects

Posted by sebb <se...@gmail.com>.
Note also that each individual release may have a different release
manager who may reside in a different country.
And of course people may change their country of residence.

On 17 October 2016 at 21:00, Paul Libbrecht <pa...@hoplahup.net> wrote:
> Why can’t you or someone at your company rebuild within the US (or anywhere
> else appropriate) so that this compliance is guaranteed? It is generally
> expected that someone else successfully building will build the same
> artefact, even if differences such as modification date of binary files may
> exist. E.g. version numbers are the same.
>
> paul
>
>
> On 17 Oct 2016, at 21:50, Austin, Richard (Fort Collins)
> <ri...@hpe.com> wrote:
>
> Good afternoon,
>
> I am trying to determine the Country of Origin of a lengthy list of Apache
> open-source projects, in order to determine whether they are in compliance
> with the U. S. Trade Agreements Act (TAA).  (Some of our customers require
> this.)  TAA defines the Country of Origin as the country where the software
> is built--where final compilation occurs.  There is a LONG list of countries
> that are TAA-approved.
>
> One person at human-response@apache.org noted that each project is generally
> compiled on the local machine of the Release Manager for that specific
> version and then uploaded.  While I can contact each project separately to
> ask about the build country, I was advised that it might be worth checking
> with Apache Legal Affairs, in case a compilation of this information already
> exists.  (It seems very likely that other groups needing TAA compliance
> would have already been asking Apache about this.)
>
> Do you know of any centralized source of Country of Origin information for
> Apache projects?  Note that we are only looking for the country or
> countries--we do NOT need information on specific servers, cities, or
> states.
>
> Thanks very much for any information--or pointers to others who may have
> relevant information.
>
> Regards,
>   Richard Austin
>   Software Development Engineer
>   Hewlett Packard Enterprise
>
>



Re: Country of Origin of various ASF projects

Posted by Paul Libbrecht <pa...@hoplahup.net>.
Why can’t you or someone at your company rebuild within the US (or anywhere else appropriate) so that this compliance is guaranteed? It is generally expected that someone else successfully building will build the same artefact, even if differences such as modification date of binary files may exist. E.g. version numbers are the same.

paul

> On 17 Oct 2016, at 21:50, Austin, Richard (Fort Collins) <ri...@hpe.com> wrote:
> 
> Good afternoon,
> 
> I am trying to determine the Country of Origin of a lengthy list of Apache open-source projects, in order to determine whether they are in compliance with the U. S. Trade Agreements Act (TAA).  (Some of our customers require this.)  TAA defines the Country of Origin as the country where the software is built--where final compilation occurs.  There is a LONG list of countries that are TAA-approved.
> 
> One person at human-response@apache.org noted that each project is generally compiled on the local machine of the Release Manager for that specific version and then uploaded.  While I can contact each project separately to ask about the build country, I was advised that it might be worth checking with Apache Legal Affairs, in case a compilation of this information already exists.  (It seems very likely that other groups needing TAA compliance would have already been asking Apache about this.)
> 
> Do you know of any centralized source of Country of Origin information for Apache projects?  Note that we are only looking for the country or countries--we do NOT need information on specific servers, cities, or states.
> 
> Thanks very much for any information--or pointers to others who may have relevant information.
> 
> Regards,
>   Richard Austin
>   Software Development Engineer
>   Hewlett Packard Enterprise