Posted to legal-discuss@apache.org by Greg Stein <gs...@gmail.com> on 2019/09/18 01:20:12 UTC

Q: Apache TLP websites on non-ASF hardware

Hi Legal, et al,

I have a single question: can projects' primary websites (eg.
acme.apache.org) be served from any server of their choice?

Or the contrary form: must the site be served by ASF systems (our
machines/VMs, possibly via a CDN) ?

I believe "any system" is the correct answer, with one policy caveat: only
platforms that we believe have reasonable PII-handling and GDPR processes.
Two come to mind: wordpress.com and GitHub Pages. This caveat would
*disallow* a project standing up a VM somewhere for their primary presence
(we do allow VM for demo sites, etc). Infra would be responsible for
reviewing the requests to move site hosting, and to maintain the list of
"acceptable" platforms.

I do not believe the Foundation has any need to be the server. We make
requirements around SCM choices for provenance needs. I do not feel this is
necessary for serving websites.

This query is fueled by several concerns: provide more options to our
projects; allow for (say) zh.echarts.apache.org to operate within China;
enable use of new platforms and dynamic hosts; etc. ... Note that the
Foundation controls DNS -- we can revoke the CNAME record at any time we
find a PMC not conforming to the rules we shall define.

Infra believes we can do this within the needs of the Foundation. Does
Legal foresee any mines in using third parties to serve our projects'
primary websites?

Thanks,
Greg Stein
Infrastructure Administrator, ASF

Re: Q: Apache TLP websites on non-ASF hardware

Posted by Hen <ba...@apache.org>.
On Tue, Sep 17, 2019 at 6:20 PM Greg Stein <gs...@gmail.com> wrote:

> Hi Legal, et al,
>
>
Feels sometimes that this should be "Policy Committee" :)


> I have a single question: can projects' primary websites (eg.
> acme.apache.org) be served from any server of their choice?
>

> Or the contrary form: must the site be served by ASF systems (our
> machines/VMs, possibly via a CDN) ?
>
>
I think there are three possibilities:

1) Must be on ASF systems.
2) Any server of Infra's choice.
3) Any server of the project's choice.

I think it ends up being #2. Any server that Infra approve, where Infra are
approving because they feel they can perform the required responsibilities.


> I believe "any system" is the correct answer, with one policy caveat: only
> platforms that we believe have reasonable PII-handling and GDPR processes.
> Two come to mind: wordpress.com and GitHub Pages. This caveat would
> *disallow* a project standing up a VM somewhere for their primary presence
> (we do allow VM for demo sites, etc). Infra would be responsible for
> reviewing the requests to move site hosting, and to maintain the list of
> "acceptable" platforms.
>

So... possible Infra required responsibilities:

* Infra can respond to a DMCA takedown request.
* The platform does not have PII/GDPR concerns (as reviewed by Infra or by
project using Infra review instructions).
* The platform does not have security concerns (as reviewed by Infra or by
project using Infra review instructions).
* Infra ultimately remains in control of the site (presumably via control
of DNS).

Project notes:

* A project wanting a non-standard site location should describe what
information they are taking from users (preferably none).
* Content used on the site should adhere to ASF policies.
* Project should do other things that Infra might normally do, with regards
to availability (backups, CDN etc.)
* Ensure Legal Discuss review legal terms for the platform. (might be
simpler for Infra to ensure this)

Other possibilities for Infra that I don't think rank; i.e. I don't think
Infra investing in project site availability is required for non-standard
sites:

* Infra can scale the site up effortlessly in case the project becomes an
overnight sensation.
* The site won't go down.


>
> I do not believe the Foundation has any need to be the server. We make
> requirements around SCM choices for provenance needs. I do not feel this is
> necessary for serving websites.
>

Agreed.


>
> This query is fueled by several concerns: provide more options to our
> projects; allow for (say) zh.echarts.apache.org to operate within China;
> enable use of new platforms and dynamic hosts; etc. ... Note that the
> Foundation controls DNS -- we can revoke the CNAME record at any time we
> find a PMC not conforming to the rules we shall define.
>

Sure.


>
> Infra believes we can do this within the needs of the Foundation. Does
> Legal foresee any mines in using third parties to serve our projects'
> primary websites?
>

I'm not seeing anything huge :) Giving projects the leeway to innovate is
good, it's acceptable that that means they can screw things up. Perhaps one
usefulness would be to maintain a Gone Fishing page with Infra so that
Infra can easily put in place a project specific page if the DNS in
question stops serving https/http.

Others' thoughts?

Hen

Re: Q: Apache TLP websites on non-ASF hardware

Posted by Fantri Fitriani <fa...@gmail.com>.
On Sat, 16 Nov 2019 at 10:05, Greg Stein <gs...@gmail.com> wrote:

> Coming back around to this question, with a wrap-up:
>
> On Wed, Sep 18, 2019 at 11:38 AM Mark Thomas <ma...@apache.org> wrote:
>
>> On 18/09/2019 13:52, Greg Stein wrote:
>> > (on phone; plz forgive terseness)
>> >
>> > On Wed, Sep 18, 2019, 03:01 Ted Dunning <ted.dunning@gmail.com> wrote:
>> >
>> >
>> >     It sounds to me like Greg has this covered.
>> >
>> >     To summarize and verify my understanding, I think his position is:
>> >
>> >     1) any hardware can serve a primary Apache site
>> >
>> >
>> > Yes.
>> >
>> >     2) but the content has to ultimately be hosted in source control at
>> >     Apache
>> >
>> >
>> > Did not claim this. Consider a site based on WordPress.com.
>> >
>> > We would own the account, but the contents would not be in an SCM.
>>
>> In the past, that has been a requirement although probably not one that
>> was explicitly written down anywhere.
>>
>> How is the PMC meant to keep an eye on the site content if there isn't a
>> commit mailing list they can watch?
>>
>> I think there is also an issue of maintaining a record of our history. I
>> think the contents of our websites are part of that. I don't think it is
>> as important as maintaining our code history but I do think it is worth
>> doing.
>>
>> Where would responsibility for back-ups lie?
>>
>> I think the "not in an SCM" and the associated implications are worthy
>> of more (wider?) discussion before taking any action.
>
>
> The above is very persuasive, Mark. :-)
>
> For now, we will only allow GitHub Pages. We are running a test for Apache
> Datasketches (incubating), and possibly Apache JMeter (see INFRA-19395
> <https://issues.apache.org/jira/browse/INFRA-19395>).
>
> For Datasketches, they already have a GHP-based website, so this will
> allow them to not worry about migration. JMeter has been using GHP to
> develop/stage their website.
>
> Assuming this works well, then we'll document and roll out the option to
> PMCs. As Mark notes: all websites will be served from content stored in an
> ASF-controlled repository. Third parties can then have full access to the
> websites, in addition to the source code that we release.
>
> Thanks,
> Greg Stein
> Infrastructure Administrator, ASF
>
>

Re: Q: Apache TLP websites on non-ASF hardware

Posted by Greg Stein <gs...@gmail.com>.
Coming back around to this question, with a wrap-up:

On Wed, Sep 18, 2019 at 11:38 AM Mark Thomas <ma...@apache.org> wrote:

> On 18/09/2019 13:52, Greg Stein wrote:
> > (on phone; plz forgive terseness)
> >
> > On Wed, Sep 18, 2019, 03:01 Ted Dunning <ted.dunning@gmail.com> wrote:
> >
> >
> >     It sounds to me like Greg has this covered.
> >
> >     To summarize and verify my understanding, I think his position is:
> >
> >     1) any hardware can serve a primary Apache site
> >
> >
> > Yes.
> >
> >     2) but the content has to ultimately be hosted in source control at
> >     Apache
> >
> >
> > Did not claim this. Consider a site based on WordPress.com.
> >
> > We would own the account, but the contents would not be in an SCM.
>
> In the past, that has been a requirement although probably not one that
> was explicitly written down anywhere.
>
> How is the PMC meant to keep an eye on the site content if there isn't a
> commit mailing list they can watch?
>
> I think there is also an issue of maintaining a record of our history. I
> think the contents of our websites are part of that. I don't think it is
> as important as maintaining our code history but I do think it is worth
> doing.
>
> Where would responsibility for back-ups lie?
>
> I think the "not in an SCM" and the associated implications are worthy
> of more (wider?) discussion before taking any action.


The above is very persuasive, Mark. :-)

For now, we will only allow GitHub Pages. We are running a test for Apache
Datasketches (incubating), and possibly Apache JMeter (see INFRA-19395
<https://issues.apache.org/jira/browse/INFRA-19395>).

For Datasketches, they already have a GHP-based website, so this will allow
them to not worry about migration. JMeter has been using GHP to
develop/stage their website.

Assuming this works well, then we'll document and roll out the option to
PMCs. As Mark notes: all websites will be served from content stored in an
ASF-controlled repository. Third parties can then have full access to the
websites, in addition to the source code that we release.

Thanks,
Greg Stein
Infrastructure Administrator, ASF

Re: Q: Apache TLP websites on non-ASF hardware

Posted by Mark Thomas <ma...@apache.org>.
On 18/09/2019 13:52, Greg Stein wrote:
> (on phone; plz forgive terseness)
> 
> On Wed, Sep 18, 2019, 03:01 Ted Dunning <ted.dunning@gmail.com> wrote:
> 
> 
>     It sounds to me like Greg has this covered. 
> 
>     To summarize and verify my understanding, I think his position is:
> 
>     1) any hardware can serve a primary Apache site
> 
> 
> Yes.
> 
>     2) but the content has to ultimately be hosted in source control at
>     Apache
> 
> 
> Did not claim this. Consider a site based on WordPress.com.
> 
> We would own the account, but the contents would not be in an SCM.

In the past, that has been a requirement although probably not one that
was explicitly written down anywhere.

How is the PMC meant to keep an eye on the site content if there isn't a
commit mailing list they can watch?

I think there is also an issue of maintaining a record of our history. I
think the contents of our websites are part of that. I don't think it is
as important as maintaining our code history but I do think it is worth
doing.

Where would responsibility for back-ups lie?

I think the "not in an SCM" and the associated implications are worthy
of more (wider?) discussion before taking any action.

Mark



> 
>     3) but the software used has to be respectful of PII (most easily by
>     not storing anything close to that)
>     4) but the DNS driving to the hardware serving the site has to be
>     under Apache control
> 
> 
> Yes, and yes.
> 
> Cheers,
> -g
> 
> 
>     Is this right?
> 
> 
>     On Wed, Sep 18, 2019 at 3:20 AM Greg Stein <gstein@gmail.com> wrote:
> 
>         Hi Legal, et al,
> 
>         I have a single question: can projects' primary websites (eg.
>         acme.apache.org) be served from any
>         server of their choice?
> 
>         Or the contrary form: must the site be served by ASF systems
>         (our machines/VMs, possibly via a CDN) ?
> 
>         I believe "any system" is the correct answer, with one policy
>         caveat: only platforms that we believe have reasonable
>         PII-handling and GDPR processes. Two come to mind: wordpress.com
>         and GitHub Pages. This caveat would
>         *disallow* a project standing up a VM somewhere for their
>         primary presence (we do allow VM for demo sites, etc). Infra
>         would be responsible for reviewing the requests to move site
>         hosting, and to maintain the list of "acceptable" platforms.
> 
>         I do not believe the Foundation has any need to be the server.
>         We make requirements around SCM choices for provenance needs. I
>         do not feel this is necessary for serving websites.
> 
>         This query is fueled by several concerns: provide more options
>         to our projects; allow for (say) zh.echarts.apache.org
>         to operate within China; enable
>         use of new platforms and dynamic hosts; etc. ... Note that the
>         Foundation controls DNS -- we can revoke the CNAME record at any
>         time we find a PMC not conforming to the rules we shall define.
> 
>         Infra believes we can do this within the needs of the
>         Foundation. Does Legal foresee any mines in using third parties
>         to serve our projects' primary websites?
> 
>         Thanks,
>         Greg Stein
>         Infrastructure Administrator, ASF
> 




Re: [Non-DoD Source] Re: Q: Apache TLP websites on non-ASF hardware

Posted by "Karan, Cem F CIV USARMY CCDC ARL (USA)" <ce...@mail.mil.INVALID>.
Also on phone, please forgive errors.

Thanks,
Cem Karan

—-
Other than quoted laws, regulations or officially published policies, the views expressed herein are not intended to be used as an authoritative state of law nor do they reflect official positions of the U.S. Army, Department of Defense or U.S. Government.

On Sep 18, 2019, at 8:53 AM, Greg Stein <gs...@gmail.com> wrote:


(on phone; plz forgive terseness)

On Wed, Sep 18, 2019, 03:01 Ted Dunning <te...@gmail.com> wrote:

It sounds to me like Greg has this covered.

To summarize and verify my understanding, I think his position is:

1) any hardware can serve a primary Apache site

Yes.

2) but the content has to ultimately be hosted in source control at Apache

Did not claim this. Consider a site based on WordPress.com.

We would own the account, but the contents would not be in an SCM.

No backups on ASF controlled hardware? What happens if the hosting service goes out of business?


3) but the software used has to be respectful of PII (most easily by not storing anything close to that)
4) but the DNS driving to the hardware serving the site has to be under Apache control

Yes, and yes.

Cheers,
-g


Is this right?


On Wed, Sep 18, 2019 at 3:20 AM Greg Stein <gs...@gmail.com> wrote:
Hi Legal, et al,

I have a single question: can projects' primary websites (eg. acme.apache.org) be served from any server of their choice?

Or the contrary form: must the site be served by ASF systems (our machines/VMs, possibly via a CDN) ?

I believe "any system" is the correct answer, with one policy caveat: only platforms that we believe have reasonable PII-handling and GDPR processes. Two come to mind: wordpress.com and GitHub Pages. This caveat would *disallow* a project standing up a VM somewhere for their primary presence (we do allow VM for demo sites, etc). Infra would be responsible for reviewing the requests to move site hosting, and to maintain the list of "acceptable" platforms.

I do not believe the Foundation has any need to be the server. We make requirements around SCM choices for provenance needs. I do not feel this is necessary for serving websites.

This query is fueled by several concerns: provide more options to our projects; allow for (say) zh.echarts.apache.org to operate within China; enable use of new platforms and dynamic hosts; etc. ... Note that the Foundation controls DNS -- we can revoke the CNAME record at any time we find a PMC not conforming to the rules we shall define.

Infra believes we can do this within the needs of the Foundation. Does Legal foresee any mines in using third parties to serve our projects' primary websites?

Thanks,
Greg Stein
Infrastructure Administrator, ASF


Re: Q: Apache TLP websites on non-ASF hardware

Posted by Greg Stein <gs...@gmail.com>.
(on phone; plz forgive terseness)

On Wed, Sep 18, 2019, 03:01 Ted Dunning <te...@gmail.com> wrote:

>
> It sounds to me like Greg has this covered.
>
> To summarize and verify my understanding, I think his position is:
>
> 1) any hardware can serve a primary Apache site
>

Yes.

> 2) but the content has to ultimately be hosted in source control at Apache
>

Did not claim this. Consider a site based on WordPress.com.

We would own the account, but the contents would not be in an SCM.

> 3) but the software used has to be respectful of PII (most easily by not
> storing anything close to that)
> 4) but the DNS driving to the hardware serving the site has to be under
> Apache control
>

Yes, and yes.

Cheers,
-g


> Is this right?
>
>
> On Wed, Sep 18, 2019 at 3:20 AM Greg Stein <gs...@gmail.com> wrote:
>
>> Hi Legal, et al,
>>
>> I have a single question: can projects' primary websites (eg.
>> acme.apache.org) be served from any server of their choice?
>>
>> Or the contrary form: must the site be served by ASF systems (our
>> machines/VMs, possibly via a CDN) ?
>>
>> I believe "any system" is the correct answer, with one policy caveat:
>> only platforms that we believe have reasonable PII-handling and GDPR
>> processes. Two come to mind: wordpress.com and GitHub Pages. This caveat
>> would *disallow* a project standing up a VM somewhere for their primary
>> presence (we do allow VM for demo sites, etc). Infra would be responsible
>> for reviewing the requests to move site hosting, and to maintain the list
>> of "acceptable" platforms.
>>
>> I do not believe the Foundation has any need to be the server. We make
>> requirements around SCM choices for provenance needs. I do not feel this is
>> necessary for serving websites.
>>
>> This query is fueled by several concerns: provide more options to our
>> projects; allow for (say) zh.echarts.apache.org to operate within China;
>> enable use of new platforms and dynamic hosts; etc. ... Note that the
>> Foundation controls DNS -- we can revoke the CNAME record at any time we
>> find a PMC not conforming to the rules we shall define.
>>
>> Infra believes we can do this within the needs of the Foundation. Does
>> Legal foresee any mines in using third parties to serve our projects'
>> primary websites?
>>
>> Thanks,
>> Greg Stein
>> Infrastructure Administrator, ASF
>>
>>

Re: Q: Apache TLP websites on non-ASF hardware

Posted by Ted Dunning <te...@gmail.com>.
It sounds to me like Greg has this covered.

To summarize and verify my understanding, I think his position is:

1) any hardware can serve a primary Apache site
2) but the content has to ultimately be hosted in source control at Apache
3) but the software used has to be respectful of PII (most easily by not
storing anything close to that)
4) but the DNS driving to the hardware serving the site has to be under
Apache control

Is this right?


On Wed, Sep 18, 2019 at 3:20 AM Greg Stein <gs...@gmail.com> wrote:

> Hi Legal, et al,
>
> I have a single question: can projects' primary websites (eg.
> acme.apache.org) be served from any server of their choice?
>
> Or the contrary form: must the site be served by ASF systems (our
> machines/VMs, possibly via a CDN) ?
>
> I believe "any system" is the correct answer, with one policy caveat: only
> platforms that we believe have reasonable PII-handling and GDPR processes.
> Two come to mind: wordpress.com and GitHub Pages. This caveat would
> *disallow* a project standing up a VM somewhere for their primary presence
> (we do allow VM for demo sites, etc). Infra would be responsible for
> reviewing the requests to move site hosting, and to maintain the list of
> "acceptable" platforms.
>
> I do not believe the Foundation has any need to be the server. We make
> requirements around SCM choices for provenance needs. I do not feel this is
> necessary for serving websites.
>
> This query is fueled by several concerns: provide more options to our
> projects; allow for (say) zh.echarts.apache.org to operate within China;
> enable use of new platforms and dynamic hosts; etc. ... Note that the
> Foundation controls DNS -- we can revoke the CNAME record at any time we
> find a PMC not conforming to the rules we shall define.
>
> Infra believes we can do this within the needs of the Foundation. Does
> Legal foresee any mines in using third parties to serve our projects'
> primary websites?
>
> Thanks,
> Greg Stein
> Infrastructure Administrator, ASF
>
>