Posted to dev@openoffice.apache.org by Rob Weir <ro...@apache.org> on 2012/08/19 17:52:33 UTC

[VOTE] Apache OpenOffice Community Graduation Vote

Per the IPMC's "Guide to Successful Graduation" [1] this is the
optional, but recommended, community vote for us to express our
willingness/readiness to govern ourselves.  If this vote passes then
we continue by drafting a charter, submitting it for IPMC endorsement,
and then to the ASF Board for final approval.   Details can be found
in the "Guide to Successful Graduation".

Everyone in the community is encouraged to vote.  Votes from PPMC
members and Mentors are binding.  This vote will run 72-hours.


[ ] +1  Apache OpenOffice community is ready to graduate from the
Apache Incubator.
[ ] +0 Don't care.
[ ] -1  Apache OpenOffice community is not ready to graduate from the
Apache Incubator because...


Regards,

-Rob

[1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jianyuan Li <li...@gmail.com>.
+1

2012/8/21 bjcheny <co...@gmail.com>

> +1
>
> 2012/8/19 Rob Weir <ro...@apache.org>
>
> > Per the IPMC's "Guide to Successful Graduation" [1] this is the
> > optional, but recommended, community vote for us to express our
> > willingness/readiness to govern ourselves.  If this vote passes then
> > we continue by drafting a charter, submitting it for IPMC endorsement,
> > and then to the ASF Board for final approval.   Details can be found
> > in the "Guide to Successful Graduation".
> >
> > Everyone in the community is encouraged to vote.  Votes from PPMC
> > members and Mentors are binding.  This vote will run 72-hours.
> >
> >
> > [ ] +1  Apache OpenOffice community is ready to graduate from the
> > Apache Incubator.
> > [ ] +0 Don't care.
> > [ ] -1  Apache OpenOffice community is not ready to graduate from the
> > Apache Incubator because...
> >
> >
> > Regards,
> >
> > -Rob
> >
> > [1]
> http://incubator.apache.org/guides/graduation.html#tlp-community-vote
> >
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by bjcheny <co...@gmail.com>.
+1

2012/8/19 Rob Weir <ro...@apache.org>

> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Steve Yin <st...@gmail.com>.
+1  Apache OpenOffice community is ready to graduate from the Apache
Incubator.

On Wed, Aug 22, 2012 at 12:18 PM, Yue Helen <he...@gmail.com> wrote:

> +1, we are ready!
>
> Helen
>
> 2012/8/19 Rob Weir <ro...@apache.org>
>
> > Per the IPMC's "Guide to Successful Graduation" [1] this is the
> > optional, but recommended, community vote for us to express our
> > willingness/readiness to govern ourselves.  If this vote passes then
> > we continue by drafting a charter, submitting it for IPMC endorsement,
> > and then to the ASF Board for final approval.   Details can be found
> > in the "Guide to Successful Graduation".
> >
> > Everyone in the community is encouraged to vote.  Votes from PPMC
> > members and Mentors are binding.  This vote will run 72-hours.
> >
> >
> > [ ] +1  Apache OpenOffice community is ready to graduate from the
> > Apache Incubator.
> > [ ] +0 Don't care.
> > [ ] -1  Apache OpenOffice community is not ready to graduate from the
> > Apache Incubator because...
> >
> >
> > Regards,
> >
> > -Rob
> >
> > [1]
> http://incubator.apache.org/guides/graduation.html#tlp-community-vote
> >
>



-- 
Best Regards,

Steve Yin

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Yue Helen <he...@gmail.com>.
+1, we are ready!

Helen

2012/8/19 Rob Weir <ro...@apache.org>

> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>

RE: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by "Dennis E. Hamilton" <or...@apache.org>.
+0 Abstain (binding)

-----Original Message-----
From: Rob Weir [mailto:robweir@apache.org] 
Sent: Sunday, August 19, 2012 08:53
To: ooo-dev@incubator.apache.org
Subject: [VOTE] Apache OpenOffice Community Graduation Vote

Per the IPMC's "Guide to Successful Graduation" [1] this is the
optional, but recommended, community vote for us to express our
willingness/readiness to govern ourselves.  If this vote passes then
we continue by drafting a charter, submitting it for IPMC endorsement,
and then to the ASF Board for final approval.   Details can be found
in the "Guide to Successful Graduation".

Everyone in the community is encouraged to vote.  Votes from PPMC
members and Mentors are binding.  This vote will run 72-hours.


[ ] +1  Apache OpenOffice community is ready to graduate from the
Apache Incubator.
[ ] +0 Don't care.
[ ] -1  Apache OpenOffice community is not ready to graduate from the
Apache Incubator because...


Regards,

-Rob

[1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Dave Barton <bm...@apache.org>.
+1  Apache OpenOffice community is ready to graduate from the Apache
Incubator.

-------- Original Message  --------
From: Rob Weir <ro...@apache.org>
To: ooo-dev@incubator.apache.org
Date: Sun, 19 Aug 2012 11:52:33 -0400

> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
> 
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
> 
> 
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
> 
> 
> Regards,
> 
> -Rob
> 
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
> 
> 


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joost Andrae <Jo...@gmx.de>.
Hi,

+1

Kind regards, Joost


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Ariel Constenla-Haile <ar...@apache.org>.
On Sun, Aug 19, 2012 at 11:52:33AM -0400, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
> 
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
> 
> 
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...


+1


Regards
-- 
Ariel Constenla-Haile
La Plata, Argentina

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Kay Schenk <ka...@gmail.com>.

On 08/19/2012 08:52 AM, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>

+1 Apache OpenOffice community is ready to graduate from the Apache 
Incubator
-- 
------------------------------------------------------------------------
MzK

"Never express yourself more clearly than you are able to think."
                                    -- Niels Bohr

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Dave Fisher <da...@comcast.net>.
[X] +1  Apache OpenOffice community is ready to graduate from the
Apache Incubator

As a PPMC member - not to be interpreted as an IPMC vote.

Regards,
Dave

On Aug 19, 2012, at 8:52 AM, Rob Weir wrote:

> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
> 
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
> 
> 
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
> 
> 
> Regards,
> 
> -Rob
> 
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Christian Grobmeier <gr...@gmail.com>.
+1

I think it is time for OOo to leave this place. :-)

On Sun, Aug 19, 2012 at 5:52 PM, Rob Weir <ro...@apache.org> wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote



-- 
http://www.grobmeier.de
https://www.timeandbill.de

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by drew jensen <dr...@lo-portal.us>.
On Mon, 2012-08-20 at 17:01 -0700, Marvin Humphrey wrote:
> On Mon, Aug 20, 2012 at 3:03 PM, drew <dr...@baseanswers.com> wrote:
> > Well, for myself, I don't have a problem with the AOO project not having
> > official binary releases - in such a circumstance I would strongly
> > prefer no binary release at all.
> 
> I wonder who might step into the breach to provide binaries for such a
> package...

Hi,

Well, for a start:

IBM stated it will release a free binary version at some point, after
shutting down the Symphony product.

CS2C, a Chinese firm working in cooperation with Ernest and Young IIRC,
releases a binary based on the source code - in fact I'm not even sure
AOO supplied binaries are available to most folks in China.

Multiracio releases a closed source version of the application for sale
in Europe and the US.

In the past quite a few Linux distributors included binary releases in
their offerings, they consume source not binaries.

The current BSD, OS/2 and Solaris ports will go out as source only from
AOO, but come to end users from a third party repository, unless I
totally missed what was happening there (and I might be off ;)

There are currently two groups which offer binary versions packaged to
run off USB drives, as far as I understand it, they work from source and
don't require binaries.

Finally this is a well known brand now, it would be hard to believe that
if AOO did not release binaries the void would not be filled by others.

//drew


> 
> > On the other hand if there is a binary release from the AOO project then
> > I believe it should be treated as a fully endorsed action.
> 
> At the ASF, the source release is canonical.  I have never seen anyone assert
> that the source release is not official and endorsed by the ASF.
> 
> There has been disagreement about whether binaries should be official or not.
> To the best of my knowledge, every time the matter has come up, the debate has
> been resolved with a compromise: that while binary releases are not endorsed
> by the ASF, they may be provided in addition to the source release for the
> "convenience" of users.
> 
> What is different with AOO is that the compromise does not seem to satisfy
> an element within the PPMC and thus the matter is being forced.
> 
> It would be a lot of hard, time-consuming work for the ASF to build the
> institutions necessary to provide binary releases that approach the standards
> our source releases set.  (As illustrated by e.g. the challenges of setting up
> the code signing service.)  Not all of us are convinced that it is for the
> best, either.
> 
> Marvin Humphrey
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
> 
> 





Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 20, 2012 at 8:01 PM, Marvin Humphrey <ma...@rectangular.com> wrote:
> On Mon, Aug 20, 2012 at 3:03 PM, drew <dr...@baseanswers.com> wrote:
>> Well, for myself, I don't have a problem with the AOO project not having
>> official binary releases - in such a circumstance I would strongly
>> prefer no binary release at all.
>
> I wonder who might step into the breach to provide binaries for such a
> package...
>
>> On the other hand if there is a binary release from the AOO project then
>> I believe it should be treated as a fully endorsed action.
>
> At the ASF, the source release is canonical.  I have never seen anyone assert
> that the source release is not official and endorsed by the ASF.
>

What would you suggest is the concrete distinction between an "official"
binary and an "unofficial" binary?

I'd assert all binaries that I've seen a project release have these qualities:

1) Have LICENSE and NOTICE

2) Are built from the canonical source

3) Can use other 3rd party components per policy

4) Are voted on by the PMCs

5) Have hashes and detached digital signatures

6) Are distributed via the Apache mirrors

7) Are linked to on websites and announcements

8) Are used by and appreciated by users

9) Are for the public good

Which of these would you say are not qualities of an "unofficial
binary"?  Or would you suggest another?

Unless ASF or IPMC policy defines a distinction here, I think we're
just arguing about what color the bike shed is for angels dancing on a
head of a pin.  It is a distinction without a difference, or at least
not one that has been stated.

-Rob

> There has been disagreement about whether binaries should be official or not.
> To the best of my knowledge, every time the matter has come up, the debate has
> been resolved with a compromise: that while binary releases are not endorsed
> by the ASF, they may be provided in addition to the source release for the
> "convenience" of users.
>
> What is different with AOO is that the compromise does not seem to satisfy
> an element within the PPMC and thus the matter is being forced.
>
> It would be a lot of hard, time-consuming work for the ASF to build the
> institutions necessary to provide binary releases that approach the standards
> our source releases set.  (As illustrated by e.g. the challenges of setting up
> the code signing service.)  Not all of us are convinced that it is for the
> best, either.
>
> Marvin Humphrey
>
>



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 20, 2012 at 8:59 PM, drew <dr...@baseanswers.com> wrote:
> On Mon, 2012-08-20 at 17:01 -0700, Marvin Humphrey wrote:
>> On Mon, Aug 20, 2012 at 3:03 PM, drew <dr...@baseanswers.com> wrote:
>> > Well, for myself, I don't have a problem with the AOO project not having
>> > official binary releases - in such a circumstance I would strongly
>> > prefer no binary release at all.
>>
>> I wonder who might step into the breach to provide binaries for such a
>> package...
>
> Hi,
>
> Well, for a start:
>
> IBM stated it will release a free binary version at some point, after
> shutting down the Symphony product.
>

This is incorrect.  Wearing my IBM hat I can say that our plan is not
to ship our own binary version at all, but to ship the Apache version
bundled with some proprietary extension modules that would help our
customers work with our server stack.  I don't think we've ever said
otherwise.

> CS2C, a Chinese firm working in cooperation with Ernest and Young IIRC,
> releases a binary based on the source code - in fact I'm not even sure
> AOO supplied binaries are available to most folks in China.
>
> Multiracio releases a closed source version of the application for sale
> in Europe and the US.
>
> In the past quite a few Linux distributors included binary releases in
> their offerings, they consume source not binaries.
>
> The current BSD, OS/2 and Solaris ports will go out as source only from
> AOO, but come to end users from a third party repository, unless I
> totally missed what was happening there (and I might be off ;)
>
> There are currently two groups which offer binary versions packaged to
> run off USB drives, as far as I understand it, they work from source and
> don't require binaries.
>

My understanding is the portable versions work from the binaries, not
the source.  They rebuild the install portions only.   This is similar
to a variety of distributions (not ports) in the ecosystem.  There is
a lot you can do by taking the OpenOffice binaries and rebuilding the
install set with different extensions, templates, etc.  This is far
easier than rebuilding from source.

> Finally this is a well known brand now, it would be hard to believe that
> if AOO did not release binaries the void would not be filled by others.
>

Indeed.  Also, if we didn't release source either then someone else
would fill the void, probably Microsoft.

-Rob

> //drew
>
> ps - sorry if this double posts...
>
>>
>> > On the other hand if there is a binary release from the AOO project then
>> > I believe it should be treated as a fully endorsed action.
>>
>> At the ASF, the source release is canonical.  I have never seen anyone assert
>> that the source release is not official and endorsed by the ASF.
>>
>> There has been disagreement about whether binaries should be official or not.
>> To the best of my knowledge, every time the matter has come up, the debate has
>> been resolved with a compromise: that while binary releases are not endorsed
>> by the ASF, they may be provided in addition to the source release for the
>> "convenience" of users.
>>
>> What is different with AOO is that the compromise does not seem to satisfy
>> an element within the PPMC and thus the matter is being forced.
>>
>> It would be a lot of hard, time-consuming work for the ASF to build the
>> institutions necessary to provide binary releases that approach the standards
>> our source releases set.  (As illustrated by e.g. the challenges of setting up
>> the code signing service.)  Not all of us are convinced that it is for the
>> best, either.
>>
>> Marvin Humphrey
>>
>>
>>
>
>
>
>



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Dave Fisher <da...@comcast.net>.
On Aug 26, 2012, at 12:54 PM, Dave Fisher wrote:

> 
> On Aug 26, 2012, at 12:42 PM, Dennis E. Hamilton wrote:
> 
>> FYI, concerning the matter of binaries distributed by the Apache OpenOffice project.
>> 
>> I neglected to consider a case that Dave Fisher just raised here on ooo-dev: Where the binary dependencies relied upon in an Apache OpenOffice binary distribution are accessed from at build time and where those are identifiably preserved for purposes of replication/confirmation and also for any future forensic need.  That is an element in my topic (2) below.
> 
> Before we all light our hair on fire. I'm only saying that the build must not pull these out of svn, even as a backup. If you examine the current scripts that has been done already.

Correction - the scripts go to external sources first. I am proposing to take away the svn fallback.

> 
> Regards,
> Dave
> 
>> 
>> Please do not comment on the general@ i.a.o thread.  It is a zombie in the process of being burned at the stake.
>> 
>> - Dennis
>> 
>> -----Original Message-----
>> From: Dennis E. Hamilton [mailto:orcmid@apache.org] 
>> Sent: Sunday, August 26, 2012 12:12
>> To: general@incubator.apache.org
>> Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote
>> 
>> Since my post was mentioned later on this thread, I thought I would summarize what I have as the take-away from intervening discussion.  I have no intention to deal with the use of language (i.e., semantics of "convenience") and the way that tacit policy understanding is conveyed among Apache project participants.
>> 
>> I will also refrain from any further additions to this topic.
>> 
>> TAKE-AWAYS
>> 
>> With regard to the production and delivery to users of authentic Apache OpenOffice binary builds, there seem to be the following concerns (especially for, but not limited to, Windows and Apple binaries and aggravated further by the restraints that are growing around evolving "App Store" requirements for consumer- and cloud-oriented platforms).  I see three cases:
>> 
>>  1. Authentication of binaries
>>  2. Provenance of bundled binary dependencies 
>>  3. Availability of source for inspection, audit, and provenance
>> 
>> 1. AUTHENTICATION OF BINARIES
>> 
>> The desire for binaries to be signed using digital signatures with private keys held by the ASF is a natural concern for authentication of a variety of binaries produced by Apache projects.
>> 
>> There appears to be agreement that any such signature introductions must be done by ASF-authorized agents.  The conclusion is that infrastructure would perform such signings.  These signings, by virtue of their modification of the unsigned binary, will invalidate any external signatures that were prepared as part of the release process.  (It is possible to extract the internal signature and verify an external signature, if there is ever any question about that.)
>> 
>> The signing party would have the reliance of the release-manager external signatures and other attestation that the binary is produced from the release sources.
>> 
>> This still leaves open additional concerns about the conditions under which the binaries are produced and any difficulties that result.
>> 
>> An alternative is for the signing authority to also produce the binaries, using the release sources directly on secured build machines.  There are a number of technical problems that arise in this case, unless the release candidates were built in the same manner but not (yet) signed.  That could work.  It would also confirm that the binaries are indeed produced from the release's sources using the parameters for the platform presumably also included in the source materials.
>> 
>> The remaining question is, what is being attested to by the production of binaries that are authenticated in this manner? Simply that they have been built in this manner and that it was done using ASF infrastructure, the integrity of which the ASF can be accountable for.  It is not an attestation that there are no bugs, no security defects, or even that the IP provenance is assured to be clean.  It is that the binary was produced under these particular verifiable conditions from the source materials provided as part of the source release along with dependencies on binaries incorporated in the build.  
>> 
>> It also provides a strong differentiator for binaries, however they might be identified, including even release candidates and developer builds, that were not provided in this manner.
>> 
>> 2. PROVENANCE OF BUNDLED BINARY DEPENDENCIES
>> 
>> A complication in (1) is the incorporation of binary resources on which the source-code release depends in order to be built.  These might be authorized (and usually authenticated) redistributables having closed-source origins.  These might be authorized open-source libraries that must be used without construction from sources in order for authentication of the dependency to be preserved.  (E.g., there are security libraries that have NIST certification on the binary library, never the source, and the certification is also sustained only when the library is used with specific tooling.)
>> 
>> For whatever reason, it is appropriate and preferable that the binary form of a dependency be relied upon, whether a jar file, a static library, or a dynamic library (DLL or SO) that becomes incorporated in the authenticated binary.
>> 
>> The specific dependencies of such a nature would need to be accounted for as part of the authenticated build.  That requires more traceability to specific artifacts and the basis for their reliance in some manner that does not involve building of the dependencies from sources as part of the build.  This would probably require additional rigorous treatment to satisfy requirements for the integrity of the ASF project build.  It might take more than simple reliance on the asserted IP and provenance of the upstream-obtained binaries.  I am thinking that one needs to be specific to the artifact level, at least.
>> 
>> 3. AVAILABILITY OF SOURCE FOR INSPECTION, AUDIT, AND PROVENANCE
>> 
>> On this thread, the importance of having source code available has been stated as a strong requirement.  As far as I can tell, this is a requirement for IP provenance more than anything else.  
>> 
>> Of course, the good-faith reliance on upstream sources always comes to bear, even for source-code contributions.  But having access to all source is reported by some as being essential for ASF releases and that is tied to the notion that the source code is the release.  (This is despite specific provision in the treatment of licenses for distributing certain binary artifacts in order to avoid license confusion.)
>> 
>> I don't have any clarity on this.  I know that it would be a serious burden to some projects if there were restriction to authenticated builds for open-source platforms only and/or restriction to exclusively open-source libraries for other dependencies not satisfied by the platform itself.  
>> 
>> To the extent that the requirement is for more than IP provenance and license reconciliation, I am not clear who is being held to account for any deeper scrutiny than that.  Are the PMC votes for a release expected to establish some sort of serious attestation concerning the nature of the source?  
>> 
>> Instead, is the requirement of specific source-code availability instead a requirement for potential forensic requirements later in the lifecycle of a release?  Can this be satisfied without the source being in the release, by whatever arrangement and assurance that could be made to ensure its availability whenever needed?
>> 
>> I have only questions in this area.  I believe there is a definite concern, but I am not sure where it has teeth beyond a ritual requirement.
>> 
>> - Dennis
>> 
>> 
>> -----Original Message-----
>> From: Dennis E. Hamilton [mailto:orcmid@apache.org] 
>> Sent: Monday, August 20, 2012 18:50
>> To: general@incubator.apache.org
>> Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote
>> 
>> I do not dispute the existence of other reliable creators of binary distributions.  The *nix packagings and installation in consumer desktops are notable for the value that they provide.  
>> 
>> I think that experience teaches us that there absolutely needs to be a way to obtain and install *authentic* binary distributions made using the release sources with a proper set of options for a given platform.
>> 
>> It is near impossible to provide end-user support and bug confirmation without agreement on the authentic bindist that is being used and that it is a bindist made from known sources.
>> 
>> And there are enough fraudulent distributions out there that this is critical as a way to safeguard users.
>> 
>> For that reason alone, there needs to be an authenticated bindist, especially for Windows, the 80% that garners the focused attention of miscreants and opportunists.  
>> 
>> That is also the reason for wanting signed binaries that pass verification on Windows and OS X.  There needs to be a way for everyday users to receive every assurance that they are installing an authentic bindist and that it is verifiable who the origin is.  I suspect that reliable packagers of unique distributions (including any from IBM) will provide their own verifiable authenticity.
>> 
>> - Dennis
>> 
>> -----Original Message-----
>> From: drew [mailto:drew@baseanswers.com] 
>> Sent: Monday, August 20, 2012 18:00
>> To: general@incubator.apache.org
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>> 
>> [ ... ]
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: general-help@incubator.apache.org
>> 
> 


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Dave Fisher <da...@comcast.net>.
On Aug 26, 2012, at 12:42 PM, Dennis E. Hamilton wrote:

> FYI, concerning the matter of binaries distributed by the Apache OpenOffice project.
> 
> I neglected to consider a case that Dave Fisher just raised here on ooo-dev: Where the binary dependencies relied upon in an Apache OpenOffice binary distribution are accessed from at build time and where those are identifiably preserved for purposes of replication/confirmation and also for any future forensic need.  That is an element in my topic (2) below.

Before we all light our hair on fire. I'm only saying that the build must not pull these out of svn, even as a backup. If you examine the current scripts, that has been done already.

Regards,
Dave

> 
> Please do not comment on the general@ i.a.o thread.  It is a zombie in the process of being burned at the stake.
> 
> - Dennis
> 
> -----Original Message-----
> From: Dennis E. Hamilton [mailto:orcmid@apache.org] 
> Sent: Sunday, August 26, 2012 12:12
> To: general@incubator.apache.org
> Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> Since my post was mentioned later on this thread, I thought I would summarize what I have as the take-away from intervening discussion.  I have no intention to deal with the use of language (i.e., semantics of "convenience") and the way that tacit policy understanding is conveyed among Apache project participants.
> 
> I will also refrain from any further additions to this topic.
> 
> TAKE-AWAYS
> 
> With regard to the production and delivery to users of authentic Apache OpenOffice binary builds, there seem to be the following concerns (especially for, but not limited to, Windows and Apple binaries and aggravated further by the restraints that are growing around evolving "App Store" requirements for consumer- and cloud-oriented platforms).  I see three cases:
> 
>   1. Authentication of binaries
>   2. Provenance of bundled binary dependencies 
>   3. Availability of source for inspection, audit, and provenance
> 
> 1. AUTHENTICATION OF BINARIES
> 
> The desire for binaries to be signed using digital signatures with private keys held by the ASF is a natural concern for authentication of a variety of binaries produced by Apache projects.
> 
> There appears to be agreement that any such signature introductions must be done by ASF-authorized agents.  The conclusion is that infrastructure would perform such signings.  These signings, by virtue of their modification of the unsigned binary, will invalidate any external signatures that were prepared as part of the release process.  (It is possible to extract the internal signature and verify an external signature, if there is ever any question about that.)
> 
> The signing party would have the reliance of the release-manager external signatures and other attestation that the binary is produced from the release sources.
> 
> This still leaves open additional concerns about the conditions under which the binaries are produced and any difficulties that result.
> 
> An alternative is for the signing authority to also produce the binaries, using the release sources directly on secured build machines.  There are a number of technical problems that arise in this case, unless the release candidates were built in the same manner but not (yet) signed.  That could work.  It would also confirm that the binaries are indeed produced from the release's sources using the parameters for the platform presumably also included in the source materials.
> 
> The remaining question is, what is being attested to by the production of binaries that are authenticated in this manner? Simply that they have been built in this manner and that it was done using ASF infrastructure, the integrity of which the ASF can be accountable for.  It is not an attestation that there are no bugs, no security defects, or even that the IP provenance is assured to be clean.  It is that the binary was produced under these particular verifiable conditions from the source materials provided as part of the source release along with dependencies on binaries incorporated in the build.  
> 
> It also provides a strong differentiator for binaries, however they might be identified, including even release candidates and developer builds, that were not provided in this manner.
> 
> 2. PROVENANCE OF BUNDLED BINARY DEPENDENCIES
> 
> A complication in (1) is the incorporation of binary resources on which the source-code release depends in order to be built.  These might be authorized (and usually authenticated) redistributables having closed-source origins.  These might be authorized open-source libraries that must be used without construction from sources in order for authentication of the dependency to be preserved.  (E.g., there are security libraries that have NIST certification on the binary library, never the source, and the certification is also sustained only when the library is used with specific tooling.)
> 
> For whatever reason, it is appropriate and preferable that the binary form of a dependency be relied upon, whether a jar file, a static library, or a dynamic library (DLL or SO) that becomes incorporated in the authenticated binary.
> 
> The specific dependencies of such a nature would need to be accounted for as part of the authenticated build.  That requires more traceability to specific artifacts and the basis for their reliance in some manner that does not involve building of the dependencies from sources as part of the build.  This would probably require additional rigorous treatment to satisfy requirements for the integrity of the ASF project build.  It might take more than simple reliance on the asserted IP and provenance of the upstream-obtained binaries.  I am thinking that one needs to be specific to the artifact level, at least.
> 
> 3. AVAILABILITY OF SOURCE FOR INSPECTION, AUDIT, AND PROVENANCE
> 
> On this thread, the importance of having source code available has been stated as a strong requirement.  As far as I can tell, this is a requirement for IP provenance more than anything else.  
> 
> Of course, the good-faith reliance on upstream sources always comes to bear, even for source-code contributions.  But having access to all source is reported by some as being essential for ASF releases and that is tied to the notion that the source code is the release.  (This is despite specific provision in the treatment of licenses for distributing certain binary artifacts in order to avoid license confusion.)
> 
> I don't have any clarity on this.  I know that it would be a serious burden to some projects if there were restriction to authenticated builds for open-source platforms only and/or restriction to exclusively open-source libraries for other dependencies not satisfied by the platform itself.  
> 
> To the extent that the requirement is for more than IP provenance and license reconciliation, I am not clear who is being held to account for any deeper scrutiny than that.  Are the PMC votes for a release expected to establish some sort of serious attestation concerning the nature of the source?  
> 
> Instead, is the requirement of specific source-code availability instead a requirement for potential forensic requirements later in the lifecycle of a release?  Can this be satisfied without the source being in the release, by whatever arrangement and assurance that could be made to ensure its availability whenever needed?
> 
> I have only questions in this area.  I believe there is a definite concern, but I am not sure where it has teeth beyond a ritual requirement.
> 
> - Dennis
> 
> 
> -----Original Message-----
> From: Dennis E. Hamilton [mailto:orcmid@apache.org] 
> Sent: Monday, August 20, 2012 18:50
> To: general@incubator.apache.org
> Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> I do not dispute the existence of other reliable creators of binary distributions.  The *nix packagings and installation in consumer desktops are notable for the value that they provide.  
> 
> I think that experience teaches us that there absolutely needs to be a way to obtain and install *authentic* binary distributions made using the release sources with a proper set of options for a given platform.
> 
> It is near impossible to provide end-user support and bug confirmation without agreement on the authentic bindist that is being used and that it is a bindist made from known sources.
> 
> And there are enough fraudulent distributions out there that this is critical as a way to safeguard users.
> 
> For that reason alone, there needs to be an authenticated bindist, especially for Windows, the 80% that garners the focused attention of miscreants and opportunists.  
> 
> That is also the reason for wanting signed binaries that pass verification on Windows and OS X.  There needs to be a way for everyday users to receive every assurance that they are installing an authentic bindist and that it is verifiable who the origin is.  I suspect that reliable packagers of unique distributions (including any from IBM) will provide their own verifiable authenticity.
> 
> - Dennis
> 
> -----Original Message-----
> From: drew [mailto:drew@baseanswers.com] 
> Sent: Monday, August 20, 2012 18:00
> To: general@incubator.apache.org
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> [ ... ]
> 
> 
> 


FW: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by "Dennis E. Hamilton" <or...@apache.org>.
FYI, concerning the matter of binaries distributed by the Apache OpenOffice project.

I neglected to consider a case that Dave Fisher just raised here on ooo-dev: Where the binary dependencies relied upon in an Apache OpenOffice binary distribution are accessed from at build time and where those are identifiably preserved for purposes of replication/confirmation and also for any future forensic need.  That is an element in my topic (2) below.

Please do not comment on the general@ i.a.o thread.  It is a zombie in the process of being burned at the stake.

 - Dennis

-----Original Message-----
From: Dennis E. Hamilton [mailto:orcmid@apache.org] 
Sent: Sunday, August 26, 2012 12:12
To: general@incubator.apache.org
Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote

Since my post was mentioned later on this thread, I thought I would summarize what I have as the take-away from intervening discussion.  I have no intention to deal with the use of language (i.e., semantics of "convenience") and the way that tacit policy understanding is conveyed among Apache project participants.

I will also refrain from any further additions to this topic.

TAKE-AWAYS

With regard to the production and delivery to users of authentic Apache OpenOffice binary builds, there seem to be the following concerns (especially for, but not limited to, Windows and Apple binaries and aggravated further by the restraints that are growing around evolving "App Store" requirements for consumer- and cloud-oriented platforms).  I see three cases:

   1. Authentication of binaries
   2. Provenance of bundled binary dependencies 
   3. Availability of source for inspection, audit, and provenance

 1. AUTHENTICATION OF BINARIES

The desire for binaries to be signed using digital signatures with private keys held by the ASF is a natural concern for authentication of a variety of binaries produced by Apache projects.

There appears to be agreement that any such signature introductions must be done by ASF-authorized agents.  The conclusion is that infrastructure would perform such signings.  These signings, by virtue of their modification of the unsigned binary, will invalidate any external signatures that were prepared as part of the release process.  (It is possible to extract the internal signature and verify an external signature, if there is ever any question about that.)

The signing party would have the reliance of the release-manager external signatures and other attestation that the binary is produced from the release sources.

This still leaves open additional concerns about the conditions under which the binaries are produced and any difficulties that result.

An alternative is for the signing authority to also produce the binaries, using the release sources directly on secured build machines.  There are a number of technical problems that arise in this case, unless the release candidates were built in the same manner but not (yet) signed.  That could work.  It would also confirm that the binaries are indeed produced from the release's sources using the parameters for the platform presumably also included in the source materials.

The remaining question is, what is being attested to by the production of binaries that are authenticated in this manner? Simply that they have been built in this manner and that it was done using ASF infrastructure, the integrity of which the ASF can be accountable for.  It is not an attestation that there are no bugs, no security defects, or even that the IP provenance is assured to be clean.  It is that the binary was produced under these particular verifiable conditions from the source materials provided as part of the source release along with dependencies on binaries incorporated in the build.  

It also provides a strong differentiator for binaries, however they might be identified, including even release candidates and developer builds, that were not provided in this manner.

2. PROVENANCE OF BUNDLED BINARY DEPENDENCIES

A complication in (1) is the incorporation of binary resources on which the source-code release depends in order to be built.  These might be authorized (and usually authenticated) redistributables having closed-source origins.  These might be authorized open-source libraries that must be used without construction from sources in order for authentication of the dependency to be preserved.  (E.g., there are security libraries that have NIST certification on the binary library, never the source, and the certification is also sustained only when the library is used with specific tooling.)

For whatever reason, it is appropriate and preferable that the binary form of a dependency be relied upon, whether a jar file, a static library, or a dynamic library (DLL or SO) that becomes incorporated in the authenticated binary.

The specific dependencies of such a nature would need to be accounted for as part of the authenticated build.  That requires more traceability to specific artifacts and the basis for their reliance in some manner that does not involve building of the dependencies from sources as part of the build.  This would probably require additional rigorous treatment to satisfy requirements for the integrity of the ASF project build.  It might take more than simple reliance on the asserted IP and provenance of the upstream-obtained binaries.  I am thinking that one needs to be specific to the artifact level, at least.

3. AVAILABILITY OF SOURCE FOR INSPECTION, AUDIT, AND PROVENANCE

On this thread, the importance of having source code available has been stated as a strong requirement.  As far as I can tell, this is a requirement for IP provenance more than anything else.  

Of course, the good-faith reliance on upstream sources always comes to bear, even for source-code contributions.  But having access to all source is reported by some as being essential for ASF releases and that is tied to the notion that the source code is the release.  (This is despite specific provision in the treatment of licenses for distributing certain binary artifacts in order to avoid license confusion.)

I don't have any clarity on this.  I know that it would be a serious burden to some projects if there were restriction to authenticated builds for open-source platforms only and/or restriction to exclusively open-source libraries for other dependencies not satisfied by the platform itself.  

To the extent that the requirement is for more than IP provenance and license reconciliation, I am not clear who is being held to account for any deeper scrutiny than that.  Are the PMC votes for a release expected to establish some sort of serious attestation concerning the nature of the source?  

Instead, is the requirement of specific source-code availability instead a requirement for potential forensic requirements later in the lifecycle of a release?  Can this be satisfied without the source being in the release, by whatever arrangement and assurance that could be made to ensure its availability whenever needed?

I have only questions in this area.  I believe there is a definite concern, but I am not sure where it has teeth beyond a ritual requirement.

 - Dennis


-----Original Message-----
From: Dennis E. Hamilton [mailto:orcmid@apache.org] 
Sent: Monday, August 20, 2012 18:50
To: general@incubator.apache.org
Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote

I do not dispute the existence of other reliable creators of binary distributions.  The *nix packagings and installation in consumer desktops are notable for the value that they provide.  

I think that experience teaches us that there absolutely needs to be a way to obtain and install *authentic* binary distributions made using the release sources with a proper set of options for a given platform.

It is near impossible to provide end-user support and bug confirmation without agreement on the authentic bindist that is being used and that it is a bindist made from known sources.

And there are enough fraudulent distributions out there that this is critical as a way to safeguard users.

For that reason alone, there needs to be an authenticated bindist, especially for Windows, the 80% that garners the focused attention of miscreants and opportunists.  

That is also the reason for wanting signed binaries that pass verification on Windows and OS X.  There needs to be a way for everyday users to receive every assurance that they are installing an authentic bindist and that it is verifiable who the origin is.  I suspect that reliable packagers of unique distributions (including any from IBM) will provide their own verifiable authenticity.

 - Dennis

-----Original Message-----
From: drew [mailto:drew@baseanswers.com] 
Sent: Monday, August 20, 2012 18:00
To: general@incubator.apache.org
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

[ ... ]


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
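
Added example, not part of the thread and not Apache OpenOffice build code: one way to make the artifact-level traceability discussed under "PROVENANCE OF BUNDLED BINARY DEPENDENCIES" concrete is a manifest that pins each binary dependency by digest, a check that fails closed on altered, missing or unpinned files, and a deterministic record that can be archived for later confirmation. All names, origins and file contents below are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class PinnedArtifact:
    name: str    # file name the build expects in the dependency directory
    origin: str  # where the binary was obtained (recorded for traceability)
    sha256: str  # digest pinned when the artifact was reviewed
    basis: str   # why the binary form is relied upon instead of a source build


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_dependencies(manifest, dep_dir):
    """Check every pinned artifact and flag anything present but not pinned.

    Returns (ok, records); ok is True only if every record has status "ok".
    """
    records = []
    pinned_names = {artifact.name for artifact in manifest}
    for artifact in manifest:
        path = os.path.join(dep_dir, artifact.name)
        if not os.path.isfile(path):
            actual, status = None, "missing"
        else:
            actual = sha256_file(path)
            status = "ok" if actual == artifact.sha256.lower() else "mismatch"
        records.append({"name": artifact.name, "origin": artifact.origin,
                        "basis": artifact.basis,
                        "pinned_sha256": artifact.sha256.lower(),
                        "actual_sha256": actual, "status": status})
    # A binary that is in the build input but not in the manifest has no
    # recorded provenance, so it fails the check as well.
    for name in sorted(os.listdir(dep_dir)):
        if name in pinned_names:
            continue
        path = os.path.join(dep_dir, name)
        actual = sha256_file(path) if os.path.isfile(path) else None
        records.append({"name": name, "origin": None, "basis": None,
                        "pinned_sha256": None, "actual_sha256": actual,
                        "status": "unpinned"})
    return all(r["status"] == "ok" for r in records), records


def provenance_record(release_id, records):
    """Serialize the result deterministically so it can be archived and signed."""
    body = json.dumps({"release": release_id, "dependencies": records},
                      sort_keys=True, indent=2)
    return body, hashlib.sha256(body.encode("utf-8")).hexdigest()


def demo():
    """Constructed scenario: one intact, one altered, one missing, one unpinned."""
    dll = b"constructed bytes standing in for a redistributable DLL"
    jar = b"constructed bytes standing in for a jar file"
    manifest = [
        PinnedArtifact("vendor-runtime.dll", "https://vendor.example/redist",
                       hashlib.sha256(dll).hexdigest(),
                       "closed-source redistributable"),
        PinnedArtifact("parser.jar", "https://upstream.example/releases",
                       hashlib.sha256(jar).hexdigest(),
                       "upstream-authenticated binary"),
        PinnedArtifact("crypto.so", "https://upstream.example/certified",
                       hashlib.sha256(b"certified build").hexdigest(),
                       "certification applies to the binary only"),
    ]
    with tempfile.TemporaryDirectory() as dep_dir:
        files = {"vendor-runtime.dll": dll,
                 "parser.jar": jar + b" plus altered bytes",
                 "helper.dll": b"binary nobody reviewed"}
        for name, data in files.items():
            with open(os.path.join(dep_dir, name), "wb") as handle:
                handle.write(data)
        return verify_dependencies(manifest, dep_dir)


if __name__ == "__main__":
    ok, records = demo()
    body, record_digest = provenance_record("constructed-release-id", records)
    print(body)
    print("record sha256:", record_digest)
    raise SystemExit(0 if ok else 1)
```

The non-zero exit status is what lets a build script stop before any unverified binary is incorporated into the distribution.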


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 27, 2012 at 7:10 AM, Greg Stein <gs...@gmail.com> wrote:
> On Aug 27, 2012 6:15 AM, "Jukka Zitting" <ju...@gmail.com> wrote:
>>
>> Hi,
>>
>> I'm jumping in late to this discussion after returning from vacation.
>> To summarize my understanding:
>>
>> * As Joe says, there's no problem with current OpenOffice releases.
>
> Agreed.
>
>> * The project is looking for ways to produce "blessed binaries" as a
>> part of future releases, and has been working with the relevant
>> parties (infra, legal, etc.) on the implications.
>
> I have not seen this, especially in regards to this thread. Argument is
> occurring on this list instead.
>

You should take a look at infra-dev@ where Infra, AOO members as well
as members of other Apache projects interested in digital signatures,
have been discussing code signing requirements and ways of providing a
code signing capability.

>> * I trust that the project is capable of continuing that work and
>> abiding with whatever conclusion also as after graduation.
>
> Fair enough, but I do not share that trust. I fear the project claiming
> unique difference, and damaging the Foundation, rather than an
> understanding of how we can solve our mission together. I believe AOO has
> unique characteristics and that the ASF needs to adapt, but I do not
> believe the community cares to properly see through those changes. I see
> self-righteous bullying instead.
>

I agree that this thread has not been productive.  But you really
should check the discussions on infra-dev@ before making statements on
whether we know how to work with other parts of the ASF.

> The ASF and the people that make us what we are, are not perfect. We don't
> know everything. But we *do* deserve consideration to make things Right.
> AOO is an awesome opportunity for us all, and we should do what we can for
> their success. It must happen with an old, and with a new, community
> working together.
>

Again, look at the discussions on infra-dev.  Your constructive input
is most welcome on those threads.  Ditto for anyone else.

-Rob

> Cheers,
> -g



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Andre Fischer <aw...@gmail.com>.
On 27.08.2012 13:10, Greg Stein wrote:
> On Aug 27, 2012 6:15 AM, "Jukka Zitting" <ju...@gmail.com> wrote:
>>
>> Hi,
>>
>> I'm jumping in late to this discussion after returning from vacation.
>> To summarize my understanding:
>>
>> * As Joe says, there's no problem with current OpenOffice releases.
>
> Agreed.
>
>> * The project is looking for ways to produce "blessed binaries" as a
>> part of future releases, and has been working with the relevant
>> parties (infra, legal, etc.) on the implications.
>
> I have not seen this, especially in regards to this thread. Argument is
> occurring on this list instead.
>
>> * I trust that the project is capable of continuing that work and
>> abiding with whatever conclusion also as after graduation.
>
> Fair enough, but I do not share that trust. I fear the project claiming
> unique difference, and damaging the Foundation, rather than an
> understanding of how we can solve our mission together. I believe AOO has
> unique characteristics and that the ASF needs to adapt, but I do not
> believe the community cares to properly see through those changes.

It makes me sad that you think this way.  I am part of the community and 
I do care about changes that will make AOO a well accepted TLP of the 
ASF.  I am working very hard towards this goal and most of my work 
consists of exactly these changes.  Things like downloading of external 
libraries and extensions, removing code that depends on external 
libraries with incompatible licenses, cleaning up code that depends on 
category-B licensed libraries or integrating the rat scan into the 
regular AOO build process.

I am a software developer, not a lawyer.  In order to make the 
appropriate code changes I need very clear guidelines of what is in 
policy and what is not.  When it comes to coding there is no room for 
contradictory interpretations or imprecise wording. The clearer and more 
explicitly stated the ASF policies are the better I can clean-up and 
improve our code.


> I see
> self-righteous bullying instead.

I don't.  But maybe I got desensitized by a twelve year long exposition 
to feedback from end-users in mailing lists, forums, and bug comments, 
often enough in none too friendly words in all-uppercase letters.


>
> The ASF and the people that make us what we are, are not perfect. We don't
> know everything. But we *do* deserve consideration to make things Right.
> AOO is an awesome opportunity for us all, and we should do what we can for
> their success. It must happen with an old, and with a new, community
> working together.

Thanks.  The same is true in the other direction.

-Andre




Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Greg Stein <gs...@gmail.com>.
On Aug 27, 2012 6:15 AM, "Jukka Zitting" <ju...@gmail.com> wrote:
>
> Hi,
>
> I'm jumping in late to this discussion after returning from vacation.
> To summarize my understanding:
>
> * As Joe says, there's no problem with current OpenOffice releases.

Agreed.

> * The project is looking for ways to produce "blessed binaries" as a
> part of future releases, and has been working with the relevant
> parties (infra, legal, etc.) on the implications.

I have not seen this, especially in regards to this thread. Argument is
occurring on this list instead.

> * I trust that the project is capable of continuing that work and
> abiding with whatever conclusion also as after graduation.

Fair enough, but I do not share that trust. I fear the project claiming
unique difference, and damaging the Foundation, rather than an
understanding of how we can solve our mission together. I believe AOO has
unique characteristics and that the ASF needs to adapt, but I do not
believe the community cares to properly see through those changes. I see
self-righteous bullying instead.

The ASF and the people that make us what we are, are not perfect. We don't
know everything. But we *do* deserve consideration to make things Right.
AOO is an awesome opportunity for us all, and we should do what we can for
their success. It must happen with an old, and with a new, community
working together.

Cheers,
-g

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jukka Zitting <ju...@gmail.com>.
Hi,

I'm jumping in late to this discussion after returning from vacation.
To summarize my understanding:

* As Joe says, there's no problem with current OpenOffice releases.
* The project is looking for ways to produce "blessed binaries" as a
part of future releases, and has been working with the relevant
parties (infra, legal, etc.) on the implications.
* I trust that the project is capable of continuing that work and
abiding with whatever conclusion also as after graduation.

Thus I don't see this as a blocker for graduation.

Also below my answers to some of Dennis' questions:

On Sun, Aug 26, 2012 at 9:11 PM, Dennis E. Hamilton <or...@apache.org> wrote:
> 3. AVAILABILITY OF SOURCE FOR INSPECTION, AUDIT, AND PROVENANCE
>
> On this thread, the importance of having source code available has been stated
> as a strong requirement.  As far as I can tell, this is a requirement for IP provenance
> more than anything else.

It goes way deeper than IP provenance. If you don't release the
source, you're not doing open source [1].

> Of course, the good-faith reliance on upstream sources always comes to bear, even for
> source-code contributions.  But having access to all source is reported by some as being
> essential for ASF releases and that is tied to the notion that the source code is the
> release. (This is despite specific provision in the treatment of licenses for distributing
> certain binary artifacts in order to avoid license confusion.)

That confusion is nicely resolved by the recent clarification that
such binary dependencies are to be separately downloaded and not
included in our source releases.

> I don't have any clarity on this.  I know that it would be a serious burden to some projects
> if there were restriction to authenticated builds for open-source platforms only and/or
> restriction to exclusively open-source libraries for other dependencies not satisfied by
> the platform itself.

The software we (i.e. the ASF) release must be in source form ("source
materials needed to make changes to the software" [2]), but building
and using a release may well require differently licensed and possibly
binary-only dependencies or a platform [3]. Distributing the result of
building a source release is also fine as long as the licenses of all
the included bits allow redistribution.

> To the extent that the requirement is for more than IP provenance and license
> reconciliation, I am not clear who is being held to account for any deeper scrutiny
> than that.  Are the PMC votes for a release expected to establish some sort of
> serious attestation concerning the nature of the source?

Yes.

> Instead, is the requirement of specific source-code availability instead a requirement
> for potential forensic requirements later in the lifecycle of a release?

No, without source code there by definition can be no release.

> Can this be satisfied without the source being in the release, by whatever arrangement
> and assurance that could be made to ensure its availability whenever needed?

No. Note that this does not mean that a binary artifact produced from
the sources would need to include the source code, just that all the
source code needed to produce the intended binary artifacts must be
included in a release.

[1] http://opensource.org/docs/OSD#include-source-code
[2] http://www.apache.org/dev/release.html#what
[3] http://www.apache.org/legal/

BR,

Jukka Zitting



RE: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by "Dennis E. Hamilton" <or...@apache.org>.
Since my post was mentioned later on this thread, I thought I would summarize what I have as the take-away from intervening discussion.  I have no intention to deal with the use of language (i.e., semantics of "convenience") and the way that tacit policy understanding is conveyed among Apache project participants.

I will also refrain from any further additions to this topic.

TAKE-AWAYS

With regard to the production and delivery to users of authentic Apache OpenOffice binary builds, there seem to be the following concerns (especially for, but not limited to, Windows and Apple binaries and aggravated further by the restraints that are growing around evolving "App Store" requirements for consumer- and cloud-oriented platforms).  I see three cases:

   1. Authentication of binaries
   2. Provenance of bundled binary dependencies 
   3. Availability of source for inspection, audit, and provenance

 1. AUTHENTICATION OF BINARIES

The desire for binaries to be signed using digital signatures with private keys held by the ASF is a natural concern for authentication of a variety of binaries produced by Apache projects.

There appears to be agreement that any such signature introductions must be done by ASF-authorized agents.  The conclusion is that infrastructure would perform such signings.  These signings, by virtue of their modification of the unsigned binary, will invalidate any external signatures that were prepared as part of the release process.  (It is possible to extract the internal signature and verify an external signature, if there is ever any question about that.)

The signing party would have the reliance of the release-manager external signatures and other attestation that the binary is produced from the release sources.

This still leaves open additional concerns about the conditions under which the binaries are produced and any difficulties that result.

An alternative is for the signing authority to also produce the binaries, using the release sources directly on secured build machines.  There are a number of technical problems that arise in this case, unless the release candidates were built in the same manner but not (yet) signed.  That could work.  It would also confirm that the binaries are indeed produced from the release's sources using the parameters for the platform presumably also included in the source materials.

The remaining question is, what is being attested to by the production of binaries that are authenticated in this manner? Simply that they have been built in this manner and that it was done using ASF infrastructure, the integrity of which the ASF can be accountable for.  It is not an attestation that there are no bugs, no security defects, or even that the IP provenance is assured to be clean.  It is that the binary was produced under these particular verifiable conditions from the source materials provided as part of the source release along with dependencies on binaries incorporated in the build.  

It also provides a strong differentiator for binaries, however they might be identified, including even release candidates and developer builds, that were not provided in this manner.

2. PROVENANCE OF BUNDLED BINARY DEPENDENCIES

A complication in (1) is the incorporation of binary resources on which the source-code release depends in order to be built.  These might be authorized (and usually authenticated) redistributables having closed-source origins.  These might be authorized open-source libraries that must be used without construction from sources in order for authentication of the dependency to be preserved.  (E.g., there are security libraries that have NIST certification on the binary library, never the source, and the certification is also sustained only when the library is used with specific tooling.)

For whatever reason, it is appropriate and preferable that the binary form of a dependency be relied upon, whether a jar file, a static library, or a dynamic library (DLL or SO) that becomes incorporated in the authenticated binary.

The specific dependencies of such a nature would need to be accounted for as part of the authenticated build.  That requires more traceability to specific artifacts and the basis for their reliance in some manner that does not involve building of the dependencies from sources as part of the build.  This would probably require additional rigorous treatment to satisfy requirements for the integrity of the ASF project build.  It might take more than simple reliance on the asserted IP and provenance of the upstream-obtained binaries.  I am thinking that one needs to be specific to the artifact level, at least.

3. AVAILABILITY OF SOURCE FOR INSPECTION, AUDIT, AND PROVENANCE

On this thread, the importance of having source code available has been stated as a strong requirement.  As far as I can tell, this is a requirement for IP provenance more than anything else.  

Of course, the good-faith reliance on upstream sources always comes to bear, even for source-code contributions.  But having access to all source is reported by some as being essential for ASF releases and that is tied to the notion that the source code is the release.  (This is despite specific provision in the treatment of licenses for distributing certain binary artifacts in order to avoid license confusion.)

I don't have any clarity on this.  I know that it would be a serious burden to some projects if there were restriction to authenticated builds for open-source platforms only and/or restriction to exclusively open-source libraries for other dependencies not satisfied by the platform itself.  

To the extent that the requirement is for more than IP provenance and license reconciliation, I am not clear who is being held to account for any deeper scrutiny than that.  Are the PMC votes for a release expected to establish some sort of serious attestation concerning the nature of the source?  

Instead, is the requirement of specific source-code availability instead a requirement for potential forensic requirements later in the lifecycle of a release?  Can this be satisfied without the source being in the release, by whatever arrangement and assurance that could be made to ensure its availability whenever needed?

I have only questions in this area.  I believe there is a definite concern, but I am not sure where it has teeth beyond a ritual requirement.

 - Dennis


-----Original Message-----
From: Dennis E. Hamilton [mailto:orcmid@apache.org] 
Sent: Monday, August 20, 2012 18:50
To: general@incubator.apache.org
Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote

I do not dispute the existence of other reliable creators of binary distributions.  The *nix packagings and installation in consumer desktops are notable for the value that they provide.  

I think that experience teaches us that there absolutely needs to be a way to obtain and install *authentic* binary distributions made using the release sources with a proper set of options for a given platform.

It is near impossible to provide end-user support and bug confirmation without agreement on the authentic bindist that is being used and that it is a bindist made from known sources.

And there are enough fraudulent distributions out there that this is critical as a way to safeguard users.

For that reason alone, there needs to be an authenticated bindist, especially for Windows, the 80% that garners the focused attention of miscreants and opportunists.  

That is also the reason for wanting signed binaries that pass verification on Windows and OS X.  There needs to be a way for everyday users to receive every assurance that they are installing an authentic bindist and that it is verifiable who the origin is.  I suspect that reliable packagers of unique distributions (including any from IBM) will provide their own verifiable authenticity.

 - Dennis

-----Original Message-----
From: drew [mailto:drew@baseanswers.com] 
Sent: Monday, August 20, 2012 18:00
To: general@incubator.apache.org
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

[ ... ]


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
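
Added example (not part of the original message and not Apache OpenOffice build tooling): one way to account for bundled binary dependencies at the artifact level, as take-away 2 above asks, by pinning each jar or library to a digest, an origin and a stated basis for reliance, and refusing the build when anything is unaccounted for. The file names, the vendor.example URLs and the manifest fields are assumptions constructed for illustration.

```python
"""Artifact-level audit of bundled binary dependencies before an authenticated build."""
import hashlib
import tempfile
from pathlib import Path

# File types treated as bundled binaries: jars, static and dynamic libraries.
BINARY_SUFFIXES = {".jar", ".a", ".lib", ".dll", ".so", ".dylib"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_bundled_binaries(dep_dir: Path, manifest: dict) -> dict:
    """Compare the binaries under dep_dir with the pinned manifest.

    manifest maps a relative file name to a dict with the keys
    'sha256', 'origin' and 'basis' (hypothetical field names).
    """
    report = {"ok": [], "mismatch": [], "missing": [],
              "undocumented": [], "unaccounted": []}
    for name, entry in sorted(manifest.items()):
        path = dep_dir / name
        if not path.is_file():
            report["missing"].append(name)        # pinned but not present
        elif sha256_of(path) != entry.get("sha256", "").lower():
            report["mismatch"].append(name)       # not the artifact that was pinned
        elif not entry.get("origin") or not entry.get("basis"):
            report["undocumented"].append(name)   # no recorded reason to rely on it
        else:
            report["ok"].append(name)
    # Any binary the manifest does not mention is unaccounted for.
    for path in sorted(dep_dir.rglob("*")):
        rel = path.relative_to(dep_dir).as_posix()
        if (path.is_file() and path.suffix.lower() in BINARY_SUFFIXES
                and rel not in manifest):
            report["unaccounted"].append(rel)
    return report


def build_may_proceed(report: dict) -> bool:
    """The build is allowed only when every binary is accounted for."""
    problems = ("mismatch", "missing", "undocumented", "unaccounted")
    return not any(report[key] for key in problems)


def demo() -> dict:
    """Run the audit over a constructed dependency directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dep_dir = Path(tmp)
        # Constructed sample artifacts; the contents are placeholders.
        (dep_dir / "vendor-runtime.dll").write_bytes(b"constructed redistributable")
        (dep_dir / "certified-crypto.so").write_bytes(b"constructed library, modified after pinning")
        (dep_dir / "helper.jar").write_bytes(b"constructed jar")
        (dep_dir / "stray.dll").write_bytes(b"constructed, not in manifest")
        manifest = {
            "vendor-runtime.dll": {
                "sha256": hashlib.sha256(b"constructed redistributable").hexdigest(),
                "origin": "https://vendor.example/redist/",
                "basis": "authorized closed-source redistributable",
            },
            "certified-crypto.so": {
                "sha256": hashlib.sha256(b"constructed library").hexdigest(),
                "origin": "https://vendor.example/crypto/",
                "basis": "certification applies to the binary only",
            },
            "helper.jar": {
                "sha256": hashlib.sha256(b"constructed jar").hexdigest(),
                "origin": "",
                "basis": "",
            },
            "parser.a": {
                "sha256": hashlib.sha256(b"never shipped").hexdigest(),
                "origin": "https://vendor.example/parser/",
                "basis": "upstream static library",
            },
        }
        return audit_bundled_binaries(dep_dir, manifest)


if __name__ == "__main__":
    result = demo()
    for status, names in result.items():
        print(f"{status:13s} {names}")
    print("build may proceed:", build_may_proceed(result))
```

The same report can be archived next to the signed binary as the record of which upstream artifacts the build relied on.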


RE: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by "Dennis E. Hamilton" <or...@apache.org>.
I do not dispute the existence of other reliable creators of binary distributions.  The *nix packagings and installation in consumer desktops are notable for the value that they provide.  

I think that experience teaches us that there absolutely needs to be a way to obtain and install *authentic* binary distributions made using the release sources with a proper set of options for a given platform.

It is near impossible to provide end-user support and bug confirmation without agreement on the authentic bindist that is being used and that it is a bindist made from known sources.

And there are enough fraudulent distributions out there that this is critical as a way to safeguard users.

For that reason alone, there needs to be an authenticated bindist, especially for Windows, the 80% that garners the focused attention of miscreants and opportunists.  

That is also the reason for wanting signed binaries that pass verification on Windows and OS X.  There needs to be a way for everyday users to receive every assurance that they are installing an authentic bindist and that it is verifiable who the origin is.  I suspect that reliable packagers of unique distributions (including any from IBM) will provide their own verifiable authenticity.

 - Dennis

-----Original Message-----
From: drew [mailto:drew@baseanswers.com] 
Sent: Monday, August 20, 2012 18:00
To: general@incubator.apache.org
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

On Mon, 2012-08-20 at 17:01 -0700, Marvin Humphrey wrote:
> On Mon, Aug 20, 2012 at 3:03 PM, drew <dr...@baseanswers.com> wrote:
> > Well, for myself, I don't have a problem with the AOO project not having
> > official binary releases - in such a circumstance I would strongly
> > prefer no binary release at all.
> 
> I wonder who might step into the breach to provide binaries for such a
> package...

Hi,

Well, for a start:

IBM stated it will release a free binary version at some point, after
shutting down the Symphony product.

CS2C, a Chinese firm working in cooperation with Ernst and Young IIRC,
releases a binary based on the source code - in fact I'm not even sure
AOO supplied binaries are available to most folks in China.

Multiracio releases a closed source version of the application for sale
in Europe and the US.

In the past quite a few Linux distributors included binary releases in
their offerings, they consume source not binaries.

The current BSD, OS/2 and Solaris ports will go out as source only from
AOO, but come to end users from a third party repository, unless I
totally missed what was happening there (and I might be off ;)

There are currently two groups which offer binary versions packaged to
run off USB drives, as far as I understand it, they work from source and
don't require binaries.

Finally this is a well known brand now, it would be hard to believe that
if AOO did not release binaries the void would not be filled by others.

//drew

ps - sorry if this double posts... 

> 
> > On the other hand if there is a binary release from the AOO project then
> > I believe it should be treated as a fully endorsed action.
> 
> At the ASF, the source release is canonical.  I have never seen anyone assert
> that the source release is not official and endorsed by the ASF.
> 
> There has been disagreement about whether binaries should be official or not.
> To the best of my knowledge, every time the matter has come up, the debate has
> been resolved with a compromise: that while binary releases are not endorsed
> by the ASF, they may be provided in addition to the source release for the
> "convenience" of users.
> 
> What is different with AOO is that the compromise does not seem to satisfy
> an element within the PPMC and thus the matter is being forced.
> 
> It would be a lot of hard, time-consuming work for the ASF to build the
> institutions necessary to provide binary releases that approach the standards
> our source releases set.  (As illustrated by e.g. the challenges of setting up
> the code signing service.)  Not all of us are convinced that it is for the
> best, either.
> 
> Marvin Humphrey
> 





Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by drew <dr...@baseanswers.com>.
On Mon, 2012-08-20 at 17:01 -0700, Marvin Humphrey wrote:
> On Mon, Aug 20, 2012 at 3:03 PM, drew <dr...@baseanswers.com> wrote:
> > Well, for myself, I don't have a problem with the AOO project not having
> > official binary releases - in such a circumstance I would strongly
> > prefer no binary release at all.
> 
> I wonder who might step into the breach to provide binaries for such a
> package...

Hi,

Well, for a start:

IBM stated it will release a free binary version at some point, after
shutting down the Symphony product.

CS2C, a Chinese firm working in cooperation with Ernst and Young IIRC,
releases a binary based on the source code - in fact I'm not even sure
AOO supplied binaries are available to most folks in China.

Multiracio releases a closed source version of the application for sale
in Europe and the US.

In the past quite a few Linux distributors included binary releases in
their offerings, they consume source not binaries.

The current BSD, OS/2 and Solaris ports will go out as source only from
AOO, but come to end users from a third party repository, unless I
totally missed what was happening there (and I might be off ;)

There are currently two groups which offer binary versions packaged to
run off USB drives, as far as I understand it, they work from source and
don't require binaries.

Finally this is a well known brand now, it would be hard to believe that
if AOO did not release binaries the void would not be filled by others.

//drew

ps - sorry if this double posts... 

> 
> > On the other hand if there is a binary release from the AOO project then
> > I believe it should be treated as a fully endorsed action.
> 
> At the ASF, the source release is canonical.  I have never seen anyone assert
> that the source release is not official and endorsed by the ASF.
> 
> There has been disagreement about whether binaries should be official or not.
> To the best of my knowledge, every time the matter has come up, the debate has
> been resolved with a compromise: that while binary releases are not endorsed
> by the ASF, they may be provided in addition to the source release for the
> "convenience" of users.
> 
> What is different with AOO is that the compromise does not seem to satisfy
> an element within the PPMC and thus the matter is being forced.
> 
> It would be a lot of hard, time-consuming work for the ASF to build the
> institutions necessary to provide binary releases that approach the standards
> our source releases set.  (As illustrated by e.g. the challenges of setting up
> the code signing service.)  Not all of us are convinced that it is for the
> best, either.
> 
> Marvin Humphrey
> 





Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Marvin Humphrey <ma...@rectangular.com>.
On Mon, Aug 20, 2012 at 3:03 PM, drew <dr...@baseanswers.com> wrote:
> Well, for myself, I don't have a problem with the AOO project not having
> official binary releases - in such a circumstance I would strongly
> prefer no binary release at all.

I wonder who might step into the breach to provide binaries for such a
package...

> On the other hand if there is a binary release from the AOO project then
> I believe it should be treated as a fully endorsed action.

At the ASF, the source release is canonical.  I have never seen anyone assert
that the source release is not official and endorsed by the ASF.

There has been disagreement about whether binaries should be official or not.
To the best of my knowledge, every time the matter has come up, the debate has
been resolved with a compromise: that while binary releases are not endorsed
by the ASF, they may be provided in addition to the source release for the
"convenience" of users.

What is different with AOO is that the compromise does not seem to satisfy
an element within the PPMC and thus the matter is being forced.

It would be a lot of hard, time-consuming work for the ASF to build the
institutions necessary to provide binary releases that approach the standards
our source releases set.  (As illustrated by e.g. the challenges of setting up
the code signing service.)  Not all of us are convinced that it is for the
best, either.

Marvin Humphrey



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Benson Margulies <bi...@gmail.com>.
I would like to offer a very loud +1 to Bertrand's email.

Here we are on a community graduation vote thread. This sub-discussion
would seem to lead to one of three outcomes:

1) No place new. AOO proceeds out of the incubator operating under the
current regime, and those AOO community members who are already
engaged in discussions with infra and others about the preconditions
for formal binary releases continue -- taking Bertrand's suggestion.

2) The community votes to stay in the incubator until a binary release
plan exists. I can't see why this has any attraction for the
community.

3) The community, or a subset thereof, takes their marbles and sets up
shop in some other environment where binary releases are
well-established.

Before people start throwing things at me, I want to emphasize that
(3) is offered only for completeness. If (1) is the order of the day,
and an IPMC vote comes around soon, I'll be voting in favor of
graduation.



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Ross Gardler <rg...@opendirective.com>.
Some people "think", others have stated clearly and unambiguously.
Including mentors who have voted on your binary release.

If the peanut gallery is confused then educate, don't argue. As for
those demanding a policy, I repeat my original statement - patches welcome.

The arguments are pointless.

You want precision. You have it. It's in the thread. You were given a clear
and direct response to your proposal. Don't tell me to read the thread
again. I already wasted my time reading it twice. As well as time spent
reviewing the AOO release.

Draw out the clarity that exists then, if necessary, go to legal@ with
the remainder.

Continuing to argue is a waste of time.

From a mobile device - forgive errors and terseness
On Aug 26, 2012 10:17 AM, "Rob Weir" <ro...@apache.org> wrote:

> On Sun, Aug 26, 2012 at 7:46 AM, Ross Gardler
> <rg...@opendirective.com> wrote:
> > Moving back to AOO lists
> >
> > This argument is a waste of everyone's time. It seems to me that what is/is
> > not permissible is clear, indeed has been clear for some time. The summary
> > is... Patches welcome.
> >
>
> Clear to some, but obviously not clear to others on the IPMC, since
> some are suggesting that this podling is not in conformance with ASF
> policy with regard to releases.
>
> > More importantly...
> >
> > As for some members of the AOO PPMC implying this is all new to them
> > because it is not documented in precise language is frankly insulting to
> > mentors who have worked hard to communicate release policy around binaries.
> >
>
> Ross you should read the entire thread.  You'll find that some on the
> IPMC are suggesting that there is more to policy than what you or Joe
> think there is.
>
> I'm trying to figure out exactly what that delta is.  If you have
> anything constructive to add, I'm sure it would be appreciated.
>
> It is one thing to have an unwritten policy, it is another to have
> vastly different interpretations of what that policy is.  For
> something as critical as defining what a release is, since there are
> clearly differences of opinion, it is probably time to raise it above
> the level of folklore, and write it down.  No one should be genuinely
> insulted by a request that what is claimed as ASF policy be written
> down, especially if someone has already volunteered to do the
> drafting.
>
> In any case I now count four people on the IPMC list who are
> suggesting that we need a written policy in this area, to remove
> ambiguity.
>
> > Individuals arguing against those who know the ASF well, and are supported
> > by the vast majority of community commentators (including those opting to
> > stay silent because their points have been made), are not demonstrating
> > their ability to work in a collaborative, constructive project environment.
> >
> > When creating a PMC we are looking for people who can resolve conflict, not
> > make conflict. PMC members need to be constructive not obstructive. A
> > failure to recognise the difference is a demonstration of a failure to
> > understand how ASF projects work. PMC membership does not empower people to
> > contribute to the code, it empowers them to ensure the community is healthy.
> >
>
> IMHO it is very constructive in a disagreement to at least identify,
> with some precision, what it is that we are disagreeing about.
> Until that occurs, we're just going in circles.  So far I'm the only
> one in that thread who has put forward a constructive proposal for
> this language, and asked if there was anything to add.
>
> -Rob
>
> > The style of argumentation on this topic is, in some cases, destructive not
> > constructive. I'm not replying to a specific mail or individual, I'm simply
> > asking people to consider whether sending another email is constructive or
> > destructive. Is it possible to put that time into a constructive patch
> > instead?
> >
> > Ross
> > On Aug 26, 2012 7:26 AM, "Branko Čibej" <br...@apache.org> wrote:
> >
> >> On 26.08.2012 13:15, Tim Williams wrote:
> >> > Marvin gave the link earlier in this thread. 4th para is the relevant bit.
> >> >
> >> > http://www.apache.org/dev/release.html#what
> >>
> >> The relevant part is in the last paragraph. However, that says
> >> "convenience" and defines version numbering requirements, but it does
> >> /not/ state that the binaries are not sanctioned by the ASF and are not
> >> part of the official ASF release.
> >>
> >> It would be very useful if that paragraph were amended to say so
> >> explicitly. I've had no end of trouble trying to explain to managers and
> >> customers that any binaries that come from the ASF are not "official".
> >> Regardless of the policy stated numerous times in this thread and on
> >> this list, this is not clear anywhere in the bylaws or other online
> >> documentation (that I can find).
> >>
> >> -- Brane
> >>
> >> P.S.: I asked this same question on legal-discuss a week ago. My post
> >> has not even been moderated through as of today, so referring people to
> >> that list doesn't appear to be too helpful.
> >>
> >>
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Sun, Aug 26, 2012 at 7:46 AM, Ross Gardler
<rg...@opendirective.com> wrote:
> Moving back to AOO lists
>
> This argument is a waste of everyone's time. It seems to me that what is/is
> not permissible is clear, indeed has been clear for some time. The summary
> is... Patches welcome.
>

Clear to some, but obviously not clear to others on the IPMC, since
some are suggesting that this podling is not in conformance with ASF
policy with regard to releases.

> More importantly...
>
> As for some members of the AOO PPMC implying this is all new to them
> because it is not documented in precise language is frankly insulting to
> mentors who have worked hard to communicate release policy around binaries.
>

Ross you should read the entire thread.  You'll find that some on the
IPMC are suggesting that there is more to policy than what you or Joe
think there is.

I'm trying to figure out exactly what that delta is.  If you have
anything constructive to add, I'm sure it would be appreciated.

It is one thing to have an unwritten policy, it is another to have
vastly different interpretations of what that policy is.  For
something as critical as defining what a release is, since there are
clearly differences of opinion, it is probably time to raise it above
the level of folklore, and write it down.  No one should be genuinely
insulted by a request that what is claimed as ASF policy be written
down, especially if someone has already volunteered to do the
drafting.

In any case I now count four people on the IPMC list who are
suggesting that we need a written policy in this area, to remove
ambiguity.

> Individuals arguing against those who know the ASF well, and are supported
> by the vast majority of community commentators (including those opting to
> stay silent because their points have been made), are not demonstrating
> their ability to work in a collaborative, constructive project environment.
>
> When creating a PMC we are looking for people who can resolve conflict, not
> make conflict. PMC members need to be constructive not obstructive. A
> failure to recognise the difference is a demonstration of a failure to
> understand how ASF projects work. PMC membership does not empower people to
> contribute to the code, it empowers them to ensure the community is healthy.
>

IMHO it is very constructive in a disagreement to at least identify,
with some precision, what it is that we are disagreeing about.
Until that occurs, we're just going in circles.  So far I'm the only
one in that thread who has put forward a constructive proposal for
this language, and asked if there was anything to add.

-Rob

> The style of argumentation on this topic is, in some cases, destructive not
> constructive. I'm not replying to a specific mail or individual, I'm simply
> asking people to consider whether sending another email is constructive or
> destructive. Is it possible to put that time into a constructive patch
> instead?
>
> Ross
> On Aug 26, 2012 7:26 AM, "Branko Čibej" <br...@apache.org> wrote:
>
>> On 26.08.2012 13:15, Tim Williams wrote:
>> > Marvin gave the link earlier in this thread. 4th para is the relevant bit.
>> >
>> > http://www.apache.org/dev/release.html#what
>>
>> The relevant part is in the last paragraph. However, that says
>> "convenience" and defines version numbering requirements, but it does
>> /not/ state that the binaries are not sanctioned by the ASF and are not
>> part of the official ASF release.
>>
>> It would be very useful if that paragraph were amended to say so
>> explicitly. I've had no end of trouble trying to explain to managers and
>> customers that any binaries that come from the ASF are not "official".
>> Regardless of the policy stated numerous times in this thread and on
>> this list, this is not clear anywhere in the bylaws or other online
>> documentation (that I can find).
>>
>> -- Brane
>>
>> P.S.: I asked this same question on legal-discuss a week ago. My post
>> has not even been moderated through as of today, so referring people to
>> that list doesn't appear to be too helpful.
>>
>>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Ross Gardler <rg...@opendirective.com>.
Moving back to AOO lists

This argument is a waste of everyone's time. It seems to me that what is/is
not permissible is clear, indeed has been clear for some time. The summary
is... Patches welcome.

More importantly...

As for some members of the AOO PPMC implying this is all new to them
because it is not documented in precise language is frankly insulting to
mentors who have worked hard to communicate release policy around binaries.

Individuals arguing against those who know the ASF well, and are supported
by the vast majority of community commentators (including those opting to
stay silent because their points have been made), are not demonstrating
their ability to work in a collaborative, constructive project environment.

When creating a PMC we are looking for people who can resolve conflict, not
make conflict. PMC members need to be constructive not obstructive. A
failure to recognise the difference is a demonstration of a failure to
understand how ASF projects work. PMC membership does not empower people to
contribute to the code, it empowers them to ensure the community is healthy.

The style of argumentation on this topic is, in some cases, destructive not
constructive. I'm not replying to a specific mail or individual, I'm simply
asking people to consider whether sending another email is constructive or
destructive. Is it possible to put that time into a constructive patch
instead?

Ross
On Aug 26, 2012 7:26 AM, "Branko Čibej" <br...@apache.org> wrote:

> On 26.08.2012 13:15, Tim Williams wrote:
> > Marvin gave the link earlier in this thread. 4th para is the relevant bit.
> >
> > http://www.apache.org/dev/release.html#what
>
> The relevant part is in the last paragraph. However, that says
> "convenience" and defines version numbering requirements, but it does
> /not/ state that the binaries are not sanctioned by the ASF and are not
> part of the official ASF release.
>
> It would be very useful if that paragraph were amended to say so
> explicitly. I've had no end of trouble trying to explain to managers and
> customers that any binaries that come from the ASF are not "official".
> Regardless of the policy stated numerous times in this thread and on
> this list, this is not clear anywhere in the bylaws or other online
> documentation (that I can find).
>
> -- Brane
>
> P.S.: I asked this same question on legal-discuss a week ago. My post
> has not even been moderated through as of today, so referring people to
> that list doesn't appear to be too helpful.
>
>

Downloads during build management, Was: Fwd: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Florian Holeczek <fl...@apache.org>.
Hi all,

just picked this up on general@incubator, maybe this affects us, too?

Regards
 Florian


----- Forwarded Message -----
From: "Joe Schaefer" <jo...@yahoo.com>
To: general@incubator.apache.org
Sent: Sunday, 26 August 2012 19:44:41
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

----- Original Message -----

> From: Dave Fisher <da...@comcast.net>
> To: general@incubator.apache.org
> Cc: 
> Sent: Sunday, August 26, 2012 1:08 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> 
> On Aug 26, 2012, at 7:46 AM, Joe Schaefer wrote:
> 
>>  AOO doesn't need to change anything to their current release processes
>>  other than to stop pointing source downloads at svn (which is the sole
>>  reason I won't vote for AOO candidates).
> 
> Well this is worth discussion.
> 
> On this page [1]:
> 
> The source downloads go through aoo-closer.cgi, but all of the hashes and 
> signatures go through www.a.o/dist/. Is that your issue?

No, but I'm tired of talking about it.  If you try to build from source
the build system will download packages from svn.apache.org instead of
from elsewhere or the mirrors.  That violates infra policy.

> 
> Or is it this page [2]?
> 
> Please help me understand what is wrong and it will be fixed.
> 
> Best Regards,
> Dave
> 
> [1] http://incubator.apache.org/openofficeorg/downloads.html
> [2] http://www.openoffice.org/download/other.html#tested-sdk
>



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Dave Fisher <da...@comcast.net>.
On Sep 6, 2012, at 7:10 AM, Jürgen Schmidt wrote:

> On 8/26/12 7:44 PM, Joe Schaefer wrote:
>> ----- Original Message -----
>> 
>>> From: Dave Fisher <da...@comcast.net>
>>> To: general@incubator.apache.org
>>> Cc: 
>>> Sent: Sunday, August 26, 2012 1:08 PM
>>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>> 
>>> 
>>> On Aug 26, 2012, at 7:46 AM, Joe Schaefer wrote:
>>> 
>>>> AOO doesn't need to change anything to their current release processes
>>>> other than to stop pointing source downloads at svn (which is the sole
>>>> reason I won't vote for AOO candidates).
>>> 
>>> Well this is worth discussion.
>>> 
>>> On this page [1]:
>>> 
>>> The source downloads go through aoo-closer.cgi, but all of the hashes and 
>>> signatures go through www.a.o/dist/. Is that your issue?
>> 
>> No, but I'm tired of talking about it.  If you try to build from source
>> the build system will download packages from svn.apache.org instead of
>> from elsewhere or the mirrors.  That violates infra policy.
> 
> this is already fixed and if you would have built AOO 3.4.1 on your own
> you would have noticed this. It was also discussed on ooo-dev.

At the time that Joe wrote this email svn.apache.org was still a backup location for binary artifacts in the build.

It is fixed now because I took this note as an action item, confirmed the policy on IRC, and removed those backups from the dependency list.

Now read the rest of the thread and understand (I hope) why certain actions are being taken.

Best Regards,
Dave


> 
> Juergen
> 
> 
>> 
>>> 
>>> Or is it this page [2]?
>>> 
>>> Please help me understand what is wrong and it will be fixed.
>>> 
>>> Best Regards,
>>> Dave
>>> 
>>> [1] http://incubator.apache.org/openofficeorg/downloads.html
>>> [2] http://www.openoffice.org/download/other.html#tested-sdk


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jürgen Schmidt <jo...@gmail.com>.
On 8/26/12 7:44 PM, Joe Schaefer wrote:
> ----- Original Message -----
> 
>> From: Dave Fisher <da...@comcast.net>
>> To: general@incubator.apache.org
>> Cc: 
>> Sent: Sunday, August 26, 2012 1:08 PM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>
>>
>> On Aug 26, 2012, at 7:46 AM, Joe Schaefer wrote:
>>
>>>  AOO doesn't need to change anything to their current release processes
>>>  other than to stop pointing source downloads at svn (which is the sole
>>>  reason I won't vote for AOO candidates).
>>
>> Well this is worth discussion.
>>
>> On this page [1]:
>>
>> The source downloads go through aoo-closer.cgi, but all of the hashes and 
>> signatures go through www.a.o/dist/. Is that your issue?
> 
> No, but I'm tired of talking about it.  If you try to build from source
> the build system will download packages from svn.apache.org instead of
> from elsewhere or the mirrors.  That violates infra policy.

this is already fixed and if you would have built AOO 3.4.1 on your own
you would have noticed this. It was also discussed on ooo-dev.

Juergen


> 
>>
>> Or is it this page [2]?
>>
>> Please help me understand what is wrong and it will be fixed.
>>
>> Best Regards,
>> Dave
>>
>> [1] http://incubator.apache.org/openofficeorg/downloads.html
>> [2] http://www.openoffice.org/download/other.html#tested-sdk


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
----- Original Message -----

> From: Dave Fisher <da...@comcast.net>
> To: general@incubator.apache.org
> Cc: 
> Sent: Sunday, August 26, 2012 1:08 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> 
> On Aug 26, 2012, at 7:46 AM, Joe Schaefer wrote:
> 
>>  AOO doesn't need to change anything to their current release processes
>>  other than to stop pointing source downloads at svn (which is the sole
>>  reason I won't vote for AOO candidates).
> 
> Well this is worth discussion.
> 
> On this page [1]:
> 
> The source downloads go through aoo-closer.cgi, but all of the hashes and 
> signatures go through www.a.o/dist/. Is that your issue?

No, but I'm tired of talking about it.  If you try to build from source
the build system will download packages from svn.apache.org instead of
from elsewhere or the mirrors.  That violates infra policy.

> 
> Or is it this page [2]?
> 
> Please help me understand what is wrong and it will be fixed.
> 
> Best Regards,
> Dave
> 
> [1] http://incubator.apache.org/openofficeorg/downloads.html
> [2] http://www.openoffice.org/download/other.html#tested-sdk


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Sun, Aug 26, 2012 at 1:08 PM, Dave Fisher <da...@comcast.net> wrote:
>
> On Aug 26, 2012, at 7:46 AM, Joe Schaefer wrote:
>
>> AOO doesn't need to change anything to their current release processes
>> other than to stop pointing source downloads at svn (which is the sole
>> reason I won't vote for AOO candidates).
>
> Well this is worth discussion.
>
> On this page [1]:
>
> The source downloads go through aoo-closer.cgi, but all of the hashes and signatures go through www.a.o/dist/. Is that your issue?
>
> Or is it this page [2]?
>
> Please help me understand what is wrong and it will be fixed.
>

This is the old bootstrap.sh issue, where build dependencies were
being downloaded from svn, from our ext-sources directory.   This is a
superset of the issues Pedro had with the cat-b dependencies.  We need
to make it so the dependencies are all downloaded from somewhere else.
 Otherwise we're sucking ASF bandwidth.

> Best Regards,
> Dave
>
> [1] http://incubator.apache.org/openofficeorg/downloads.html
> [2] http://www.openoffice.org/download/other.html#tested-sdk


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Dave Fisher <da...@comcast.net>.
On Aug 26, 2012, at 7:46 AM, Joe Schaefer wrote:

> AOO doesn't need to change anything to their current release processes
> other than to stop pointing source downloads at svn (which is the sole
> reason I won't vote for AOO candidates).

Well this is worth discussion.

On this page [1]:

The source downloads go through aoo-closer.cgi, but all of the hashes and signatures go through www.a.o/dist/. Is that your issue?

Or is it this page [2]?

Please help me understand what is wrong and it will be fixed.

Best Regards,
Dave

[1] http://incubator.apache.org/openofficeorg/downloads.html
[2] http://www.openoffice.org/download/other.html#tested-sdk


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Benson Margulies <bi...@gmail.com>.
Sigh. Apache is a volunteer organization with a history and a culture.
As a volunteer organization, it cannot possibly create and maintain a
set of documents that describe every bit of cultural norm and
historical context.

New committers on existing projects learn from their communities.
Podling members learn from their mentors.

Even out here on general@, I've seen several iterations of some AOO
people asking about signed builds and binary releases and experienced
Apache members offering answers. This is how it works. Legal-discuss@
and board@ are *not* the normal way to answer these questions.

Writing for myself, I see how the AOO situation differs from just
about any previous project, and why AOO people would want a different
answer to the question. And, over time and a whole lot of effort, a
different answer may be forthcoming. However, until then, it is what
it is, and a thread here is not going to change it.



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
Better attitude, now all you need to do is subscribe to site-dev@apache.org
and join the rest of the people who care about the content of our site
documentation.





----- Original Message -----
> From: Branko Čibej <br...@apache.org>
> To: general@incubator.apache.org
> Cc: 
> Sent: Sunday, August 26, 2012 11:13 AM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> On 26.08.2012 17:04, Joe Schaefer wrote:
>>  Waah Brane- obviously you're not as community-oriented
>>  as you'd like to think.  release.html is the byproduct
>>  of several years of writing oriented towards the lowest
>>  common denominator of the org, but if you think you know
>>  how to improve it you have all the requisite karma already.
>> 
>>  All that's missing is a clue.
> 
> Joe, I know very well (and you know that I know) that I can edit most of
> the things that appear on our web site. But if community-oriented means
> that anyone should just edit those docs to scratch an itch and to hell
> with consensus and the consequences, then you're right, I'm definitely a
> misfit here.
> 
> -- Brane
> 
> 


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Benson Margulies <bi...@gmail.com>.
> Joe, I know very well (and you know that I know) that I can edit most of
> the things that appear on our web site. But if community-oriented means
> that anyone should just edit those docs to scratch an itch and to hell
> with consensus and the consequences, then you're right, I'm definitely a
> misfit here.

Brane, editing the docs to do a better job of explaining is not 'to
hell with consensus and consequences.' If you feel clear that you can
see a way to improve without changing the semantics, all you'll get
for your trouble is applause. 'Misfit' would be the label for someone
who tried to change the policy by editing the document.



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Branko Čibej <br...@apache.org>.
On 26.08.2012 17:04, Joe Schaefer wrote:
> Waah Brane- obviously you're not as community-oriented
> as you'd like to think.  release.html is the byproduct
> of several years of writing oriented towards the lowest
> common denominator of the org, but if you think you know
> how to improve it you have all the requisite karma already.
>
> All that's missing is a clue.

Joe, I know very well (and you know that I know) that I can edit most of
the things that appear on our web site. But if community-oriented means
that anyone should just edit those docs to scratch an itch and to hell
with consensus and the consequences, then you're right, I'm definitely a
misfit here.

-- Brane




Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
Waah Brane- obviously you're not as community-oriented
as you'd like to think.  release.html is the byproduct
of several years of writing oriented towards the lowest
common denominator of the org, but if you think you know
how to improve it you have all the requisite karma already.

All that's missing is a clue.





----- Original Message -----
> From: Branko Čibej <br...@apache.org>
> To: general@incubator.apache.org
> Cc: 
> Sent: Sunday, August 26, 2012 10:53 AM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> On 26.08.2012 16:46, Joe Schaefer wrote:
>>  The point most people seem to make out of "sanctioned"
>>  or "official" builds revolves around indemnifying volunteers
>>  involved in the production of the release.
>> 
>> 
>>  I'm tired of rehashing release.html for the umpteenth time
>>  simply because Brane or you or some other newb lacks the
>>  experience to know the context behind the document, but
>>  as they say patches welcome (on site-dev@apache.org).  Every
>>  committer can alter the wording on that page and do something
>>  more productive than make clueless arguments on this
>>  ever devolving thread.
> 
> That's very helpful, thanks. So if someone asks me about ASF releases
> and binaries I should refer them to the legal-discuss archives, or these
> general@ archives, or simply tell them to find a founding member to
> condescendingly explain the obvious. Because I sure can't give 'em a
> link to some page on our web site.
> 
> I'll refrain from spelling out the epithets that come to mind.
> 
> -- Brane
> 
> 


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Branko Čibej <br...@apache.org>.
On 26.08.2012 16:46, Joe Schaefer wrote:
> The point most people seem to make out of "sanctioned"
> or "official" builds revolves around indemnifying volunteers
> involved in the production of the release.
>
>
> I'm tired of rehashing release.html for the umpteenth time
> simply because Brane or you or some other newb lacks the
> experience to know the context behind the document, but
> as they say patches welcome (on site-dev@apache.org).  Every
> committer can alter the wording on that page and do something
> more productive than make clueless arguments on this
> ever devolving thread.

That's very helpful, thanks. So if someone asks me about ASF releases
and binaries I should refer them to the legal-discuss archives, or these
general@ archives, or simply tell them to find a founding member to
condescendingly explain the obvious. Because I sure can't give 'em a
link to some page on our web site.

I'll refrain from spelling out the epithets that come to mind.

-- Brane




Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
The point most people seem to make out of "sanctioned"
or "official" builds revolves around indemnifying volunteers
involved in the production of the release.


I'm tired of rehashing release.html for the umpteenth time
simply because Brane or you or some other newb lacks the
experience to know the context behind the document, but
as they say patches welcome (on site-dev@apache.org).  Every
committer can alter the wording on that page and do something
more productive than make clueless arguments on this
ever devolving thread.


AOO is mentored by some of the most experienced people in the org,
please just ignore any further chaff from this thread and pay attention
to the guidance you have been repeatedly given on this issue.
AOO doesn't need to change anything to their current release processes
other than to stop pointing source downloads at svn (which is the sole
reason I won't vote for AOO candidates).




----- Original Message -----
> From: Rob Weir <ro...@apache.org>
> To: general@incubator.apache.org
> Cc: 
> Sent: Sunday, August 26, 2012 9:54 AM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> On Sun, Aug 26, 2012 at 7:26 AM, Branko Čibej <br...@apache.org> wrote:
>>  On 26.08.2012 13:15, Tim Williams wrote:
>>>  Marvin gave the link earlier in this thread. 4th para is the relevant bit.
>>> 
>>>  http://www.apache.org/dev/release.html#what
>> 
>>  The relevant part is in the last paragraph. However, that says
>>  "convenience" and defines version numbering requirements, but it does
>>  /not/ state that the binaries are not sanctioned by the ASF and are not
>>  part of the official ASF release.
>> 
> 
> And again, as I and others have stated, this is merely a label with no
> content to it.  What does "sanctioned (or not sanctioned) by the ASF
> mean"?  Anything specific?
> 
> Remember, the binaries (or "Object form" in the words of the license)
> are also covered by the Apache License 2.0, and sections 7 and 8 of
> that license already say that it is provided as-is, and disclaims
> warranty and liability.
> 
> In other words, the same license and the same disclaimers apply to
> source (which we seem to agree is part of the ASF release) and to
> binaries.
> 
> So again I urge the IPMC to mind the seductive appeal of mere labeling
> and instead consider whether there are any actual constraints on
> activities and behavior for Podlings (or TLP's for that matter) based
> on whether something is a source or binary, e.g.:
> 
> 1) Is there some required (or forbidden) way in which a distinction
> must be acknowledged in a release vote?
> 
> 2) Is there some required (or forbidden) language on the download webpage?
> 
> 3) Any required (or forbidden) language on release announcements?
> 
> 4) Is there some required (or forbidden) constraint with distribution?
> 
> So far I have heard some on this list suggest the AOO podling is doing
> something incorrect, something against ASF policy.  But despite
> repeated queries, no one has stated what exactly this is.  This is
> extremely unfair to the podling, to any podling.  It denies us the
> opportunity of addressing issues.  Is this really how the IPMC
> operates?  It reminds me of tactics practiced by Microsoft against
> open source -- intimate that something is wrong, but never offer
> specifics.  We call it FUD there.  What do we call it at the ASF?
> 
>>  It would be very useful if that paragraph were amended to say so
>>  explicitly. I've had no end of trouble trying to explain to managers and
>>  customers that any binaries that come from the ASF are not "official".
> 
> That may be true for your users, but for mine they would just come
> back with, "What does that mean in practice?"
> 
>>  Regardless of the policy stated numerous times in this thread and on
>>  this list, this is not clear anywhere in the bylaws or other online
>>  documentation (that I can find).
>> 
> 
> I agree.
> 
>>  -- Brane
>> 
>>  P.S.: I asked this same question on legal-discuss a week ago. My post
>>  has not even been moderated through as of today, so referring people to
>>  that list doesn't appear to be too helpful.
>> 
>> 


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Sun, Aug 26, 2012 at 7:26 AM, Branko Čibej <br...@apache.org> wrote:
> On 26.08.2012 13:15, Tim Williams wrote:
>> Marvin gave the link earlier in this thread. 4th para is the relevant bit.
>>
>> http://www.apache.org/dev/release.html#what
>
> The relevant part is in the last paragraph. However, that says
> "convenience" and defines version numbering requirements, but it does
> /not/ state that the binaries are not sanctioned by the ASF and are not
> part of the official ASF release.
>

And again, as I and others have stated, this is merely a label with no
content to it.  What does "sanctioned (or not sanctioned) by the ASF
mean"?  Anything specific?

Remember, the binaries (or "Object form" in the words of the license)
are also covered by the Apache License 2.0, and sections 7 and 8 of
that license already say that it is provided as-is, and disclaims
warranty and liability.

In other words, the same license and the same disclaimers apply to
source (which we seem to agree is part of the ASF release) and to
binaries.

So again I urge the IPMC to mind the seductive appeal of mere labeling
and instead consider whether there are any actual constraints on
activities and behavior for Podlings (or TLP's for that matter) based
on whether something is a source or binary, e.g.:

1) Is there some required (or forbidden) way in which a distinction
must be acknowledged in a release vote?

2) Is there some required (or forbidden) language on the download webpage?

3) Any required (or forbidden) language on release announcements?

4) Is there some required (or forbidden) constraint with distribution?

So far I have heard some on this list suggest the AOO podling is doing
something incorrect, something against ASF policy.  But despite
repeated queries, no one has stated what exactly this is.  This is
extremely unfair to the podling, to any podling.  It denies us the
opportunity of addressing issues.  Is this really how the IPMC
operates?  It reminds me of tactics practiced by Microsoft against
open source -- intimate that something is wrong, but never offer
specifics.  We call it FUD there.  What do we call it at the ASF?

> It would be very useful if that paragraph were amended to say so
> explicitly. I've had no end of trouble trying to explain to managers and
> customers that any binaries that come from the ASF are not "official".

That may be true for your users, but for mine they would just come
back with, "What does that mean in practice?"

> Regardless of the policy stated numerous times in this thread and on
> this list, this is not clear anywhere in the bylaws or other online
> documentation (that I can find).
>

I agree.

> -- Brane
>
> P.S.: I asked this same question on legal-discuss a week ago. My post
> has not even been moderated through as of today, so referring people to
> that list doesn't appear to be too helpful.
>
>


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Daniel Shahaf <da...@apache.org>.
Jim Jagielski wrote on Mon, Aug 27, 2012 at 10:38:15 -0400:
> After this, please drop general@
> 
> On Aug 27, 2012, at 10:16 AM, Rob Weir <ro...@apache.org> wrote:
> 
> >> 
> >> A signature does 2 things:
> >> 
> >>  1. Ensures that no bits have been changed
> >>  2. That the bits come from a known (and trusted) entity.
> >> 
> > 
> > Almost.  It doesn't guarantee trust.
> 
> Sure it does. If something is signed by Bill or Ross, etc I
> trust that it came from them. Anything else is tangential to
> what a signature provides.

A signature ties a file to a public key, and then "trusted?" is an
attribute of the public key.  Signatures do not provide trust by
themselves (i.e., without some means to establish trust in the public
keys).




Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Ross Gardler <rg...@opendirective.com>.
There are, as many have pointed out, two issues. The first is, can AOO do
what it is doing - the answer to this one is yes and has been clearly
expressed a number of times in this thread. The second is whether AOO can
go a step further than what it is already doing. The answer to this is No,
as has been expressed a number of times in this thread.

If we separate these issues out then we can proceed. The first issue is
resolved (the release vote passed with the original objection being
withdrawn). The second issue remains open. It is for the AOO PPMC to find a
solution to this.

I can see two potential solutions to the problem. Which is right for the
AOO project is not the concern of general@. So let's drop general@ from this
discussion so we can focus on the actual problem rather than this never
ending circular thread.
On Aug 27, 2012 8:56 AM, <do...@us.ibm.com> wrote:

> Jim Jagielski <ji...@jaguNET.com> wrote on 08/27/2012 08:43:35 AM:
>
> > From: Jim Jagielski <ji...@jaguNET.com>
> > To: general@incubator.apache.org, Joe Schaefer
> > <jo...@yahoo.com>, Rob Weir <ro...@apache.org>,
> > Cc: "ooo-dev@incubator.apache.org" <oo...@incubator.apache.org>
> > Date: 08/27/2012 08:44 AM
> > Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> >
> >
> > On Aug 26, 2012, at 10:26 AM, Joe Schaefer <jo...@yahoo.com> wrote:
> >
> > > No.  There is NO WAY IN HELL the org can indemnify
> > > a volunteer who produces a binary build themselves.
> > >
> > > Please don't bother asking legal-discuss to tackle this.
> > >
> >
> > Here's an analogy: for a long, long time Bill Rowe has taken
> > it upon himself to create binary builds of Apache httpd for
> > the large Windows community. Netware binary builds are also
> > occasionally released (see http://httpd.apache.org/download.cgi).
> >
> > These are available right from the official httpd download
> > page and located right next to the official source code,
> > yet they are artifacts NOT released (officially) by the
> > ASF or the httpd PMC, but are available from a "trusted"
> > source.
> >
> > Isn't that all the end-user cares about? And isn't that
> > sufficient for AOO?
>
> Yes, that's what end users care about. But it's not sufficient for AOO
> since we are seeking alternative distribution channels. Efforts to
> exponentially expand distribution channels require code signing. These
> discussions were started on legal@ with no resolution. Sorry I don't have
> the reference for that handy.
>
>
> >

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 27, 2012 at 8:56 AM,  <do...@us.ibm.com> wrote:
> Jim Jagielski <ji...@jaguNET.com> wrote on 08/27/2012 08:43:35 AM:
>
>> From: Jim Jagielski <ji...@jaguNET.com>
>> To: general@incubator.apache.org, Joe Schaefer
>> <jo...@yahoo.com>, Rob Weir <ro...@apache.org>,
>> Cc: "ooo-dev@incubator.apache.org" <oo...@incubator.apache.org>
>> Date: 08/27/2012 08:44 AM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>
>>
>> On Aug 26, 2012, at 10:26 AM, Joe Schaefer <jo...@yahoo.com> wrote:
>>
>> > No.  There is NO WAY IN HELL the org can indemnify
>> > a volunteer who produces a binary build themselves.
>> >
>> > Please don't bother asking legal-discuss to tackle this.
>> >
>>
>> Here's an analogy: for a long, long time Bill Rowe has taken
>> it upon himself to create binary builds of Apache httpd for
>> the large Windows community. Netware binary builds are also
>> occasionally released (see http://httpd.apache.org/download.cgi).
>>
>> These are available right from the official httpd download
>> page and located right next to the official source code,
>> yet they are artifacts NOT released (officially) by the
>> ASF or the httpd PMC, but are available from a "trusted"
>> source.
>>
>> Isn't that all the end-user cares about? And isn't that
>> sufficient for AOO?
>
> Yes, that's what end users care about. But it's not sufficient for AOO
> since we are seeking alternative distribution channels. Efforts to
> exponentially expand distribution channels require code signing. These
> discussions were started on legal@ with no resolution. Sorry I don't have
> the reference for that handy.
>

Can't we just get a signing certificate that says "ASF unofficial
convenience binary" or similar language?  This gives us (and more
importantly our users) the desired authentication and integrity
protections of a digital signature, without implying any additional
status.

-Rob

>
>>


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Ross Gardler <rg...@opendirective.com>.
There are, as many have pointed out, two issues. The first is, can AOO do
what it is doing - the answer to this one is yes and has been clearly
expressed a number of times in this thread. The second is whether AOO can
go a step further than what it is already doing. The answer to this is No,
as has been expressed a number of times in this thread.

If we separate these issues out then we can proceed. The first issue is
resolved (the release vote passed with the original objection being
withdrawn). The second issue remains open. It is for the AOO PPMC to find a
solution to this.

I can see two potential solutions to the problem. Which is right for the
AOO project is not the concern of general@. So let's drop general@ from this
discussion so we can focus on the actual problem rather than this never
ending circular thread.
On Aug 27, 2012 8:56 AM, <do...@us.ibm.com> wrote:

> Jim Jagielski <ji...@jaguNET.com> wrote on 08/27/2012 08:43:35 AM:
>
> > From: Jim Jagielski <ji...@jaguNET.com>
> > To: general@incubator.apache.org, Joe Schaefer
> > <jo...@yahoo.com>, Rob Weir <ro...@apache.org>,
> > Cc: "ooo-dev@incubator.apache.org" <oo...@incubator.apache.org>
> > Date: 08/27/2012 08:44 AM
> > Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> >
> >
> > On Aug 26, 2012, at 10:26 AM, Joe Schaefer <jo...@yahoo.com> wrote:
> >
> > > No.  There is NO WAY IN HELL the org can indemnify
> > > a volunteer who produces a binary build themselves.
> > >
> > > Please don't bother asking legal-discuss to tackle this.
> > >
> >
> > Here's an analogy: for a long, long time Bill Rowe has taken
> > it upon himself to create binary builds of Apache httpd for
> > the large Windows community. Netware binary builds are also
> > occasionally released (see http://httpd.apache.org/download.cgi).
> >
> > These are available right from the official httpd download
> > page and located right next to the official source code,
> > yet they are artifacts NOT released (officially) by the
> > ASF or the httpd PMC, but are available from a "trusted"
> > source.
> >
> > Isn't that all the end-user cares about? And isn't that
> > sufficient for AOO?
>
> Yes, that's what end users care about. But it's not sufficient for AOO
> since we are seeking alternative distribution channels. Effort to
> exponentially expand distribution channels require code signing. These
> discussions were started on legal@ with no resolution. Sorry I don't have
> the reference for that handy.
>
>
> >
> >
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
----- Original Message -----

> From: Benson Margulies <bi...@gmail.com>
> To: general@incubator.apache.org
> Cc: 
> Sent: Monday, August 27, 2012 9:16 AM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> Jim,
> 
> Two points:
> 
> 1: you skip over the liability question. Is Bill legally exposed?

Short answer: yes he assumes some liability for those httpd windows builds,
but it is probably limited to any negligence on his part in ensuring the
build environment was properly secured.  Going forward if the org wants
to produce such production-quality builds itself it will need to invest in
audits produced by an Intrusion Detection System on such build hosts,
and we'll need to have an auditable means of controlling 3rd party software
involved in the builds (think maven repo, CPAN, etc).  It's a serious
change from the level of paranoia currently deployed in our existing build
farms.

HTH



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Aug 27, 2012, at 9:16 AM, Benson Margulies <bi...@gmail.com> wrote:
> 
> But can't you drag this whole matter back to the AOO list, being a
> mentor and all?
> 

Trying to do that with ccing ooo-dev@




Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Benson Margulies <bi...@gmail.com>.
Jim,

Two points:

1: you skip over the liability question. Is Bill legally exposed?

2: You can't distribute a binary application to the Mac App store, or
other places, without a signature.

Some complex requirements for using an Apache signature have been
posed; I don't know why Donald characterized them as 'unresolved.'

But can't you drag this whole matter back to the AOO list, being a
mentor and all?



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Dave Fisher <da...@comcast.net>.
On Aug 27, 2012, at 10:38 AM, Jim Jagielski wrote:

> The ASF releases code. PMCs vote on a SVN tag and on a release tarball
> (distribution) made from that tag. There is a direct and easily
> followed path between the bits the end-user gets and the bits that
> the PMC has determined as "the release."
> 
> The issue with voting on "just" a binary release is how is the
> provenance of the code ensured... If I get a binary how can I,
> as an end-user, ensure that the binary was based on the official bits
> and was built in a way that didn't muck around with those bits.
> *THAT* is what the AOO PPMC needs to work thru, since most end-users
> don't care, or shouldn't care, doesn't mean that the PMC/PPMC
> can just wing it. Nor can it consider the binaries as "more important"
> than the code.
> 
> One possible scenario: The AOO PPMC/PMC is ready for a release
> and someone steps up to RM. He/she does the normal process and
> a release tag is created. At that point, binary RM's step up
> and, using that tag and a well-defined (and trackable) process,
> creates binaries and then sign that binary. In fact, that was/is
> my intent on wanting to be on the AOO PMC is to be the Apple OSX
> RM (that is, take on that responsibility).

Exactly!

And if you are doing this, it would make sense to address the Apple CA questions regarding Mountain Lion and digital certs.

Regards,
Dave



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Ross Gardler <rg...@opendirective.com>.
On 27 August 2012 19:03, drew <dr...@baseanswers.com> wrote:

> So - if I may be so bold. Reading email this morning my gut feeling is
> that there is a lot of violent agreement going on..

I agree. If everyone will just step away from their keyboards for a
couple of days, then come back with a precise statement of what needs
to be done over and above the current binary artefacts then we will be
able to move forward. Give it a couple of days though. Let the points
being made here sink in a little. Stop the gut reaction emails. It's a
waste of everyone's time.

Ross

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by drew <dr...@baseanswers.com>.
On Mon, 2012-08-27 at 13:38 -0400, Jim Jagielski wrote:
> On Aug 27, 2012, at 11:21 AM, Rob Weir <ro...@apache.org> wrote:
> 
> > 
> > Identity != Trust.
> > 
> > Identity + Reputation == Trust.
> > 
> > The signature only guarantees identity.
> 
> Signature does not guarantee reputation though. The point
> is that reputation is dependent upon identity. And
> identity is ensured via some sort of signature. And
> a signature does *nothing* to guarantee "trust" in
> and of itself.
> 
> > 
> > End users know absolutely nothing about Apache release process.  They
> > know brands.  So their view of trust is brand-based, not informed by
> > the technical minutia of Apache release process.  Of course, given a
> > suboptimal process, if bad releases result from this, then the brand
> > reputation will suffer over time.
> > 
> 
> Again, I have no idea what you are talking about.
> 
> People trust the Apache brand.
> They download Apache "stuff" from somewhere.
> That stuff is signed by an entity that is associated
> with the Apache brand.
> 
> What the "release process is" is moot.
> 
> > 
> > Today it is more likely that they see a binary called "OpenOffice",
> > with or without the Apache name, and without verifying the signature,
> > the user just installs it.  That is the sad state of end-user security
> > awareness today.
> > 
> > This is not going to get better by technology alone.  It will require
> > user education as well.
> > 
> 
> Agreed... 
> 
> > 
> > 1) The AOO 3.4.1 release ballot is defective because it refers to
> > binaries and Apache does not release binaries
> 
> The ASF releases code. PMCs vote on a SVN tag and on a release tarball
> (distribution) made from that tag. There is a direct and easily
> followed path between the bits the end-user gets and the bits that
> the PMC has determined as "the release."
> 
> The issue with voting on "just" a binary release is how is the
> provenance of the code ensured... If I get a binary how can I,
> as an end-user, ensure that the binary was based on the official bits
> and was built in a way that didn't muck around with those bits.
> *THAT* is what the AOO PPMC needs to work thru, since most end-users
> of AOO couldn't care a fig about the bits. But just because end-users
> don't care, or shouldn't care, doesn't mean that the PMC/PPMC
> can just wing it. Nor can it consider the binaries as "more important"
> than the code.
> 
> One possible scenario: The AOO PPMC/PMC is ready for a release
> and someone steps up to RM. He/she does the normal process and
> a release tag is created. At that point, binary RM's step up
> and, using that tag and a well-defined (and trackable) process,
> creates binaries and then sign that binary. In fact, that was/is
> my intent on wanting to be on the AOO PMC is to be the Apple OSX
> RM (that is, take on that responsibility).

Hello Jim,

YES 

AOO as ASF project, from ASF's perspective, must conform to the current
- well defined I think - steps for the source release. No argument here.

Jim's use of the term binary RM's and brief explanation, I believe, gets
to the crux of my concerns. I would add that I see some role of
responsibility for AOO PMC with regards to supporting the artifacts it
oversees - but this is in the context of how it affects ongoing
decisions on things such as LTS or bug/Security releases and the like
and I don't see anything in looking at other ASF projects that leads me
to believe any of that will be anything other than welcomed.


So - if I may be so bold. Reading email this morning my gut feeling is
that there is a lot of violent agreement going on.. I'm personally a bit
lost as to why the animation on the subject of the signature - is the
disagreement over who will own the signature file?

Thanks,

Drew




Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Aug 27, 2012, at 11:21 AM, Rob Weir <ro...@apache.org> wrote:

> 
> Identity != Trust.
> 
> Identity + Reputation == Trust.
> 
> The signature only guarantees identity.

Signature does not guarantee reputation though. The point
is that reputation is dependent upon identity. And
identity is ensured via some sort of signature. And
a signature does *nothing* to guarantee "trust" in
and of itself.

> 
> End users know absolutely nothing about Apache release process.  They
> know brands.  So their view of trust is brand-based, not informed by
> the technical minutia of Apache release process.  Of course, given a
> suboptimal process, if bad releases result from this, then the brand
> reputation will suffer over time.
> 

Again, I have no idea what you are talking about.

People trust the Apache brand.
They download Apache "stuff" from somewhere.
That stuff is signed by an entity that is associated
with the Apache brand.

What the "release process is" is moot.

> 
> Today it is more likely that they see a binary called "OpenOffice",
> with or without the Apache name, and without verifying the signature,
> the user just installs it.  That is the sad state of end-user security
> awareness today.
> 
> This is not going to get better by technology alone.  It will require
> user education as well.
> 

Agreed... 

> 
> 1) The AOO 3.4.1 release ballot is defective because it refers to
> binaries and Apache does not release binaries

The ASF releases code. PMCs vote on a SVN tag and on a release tarball
(distribution) made from that tag. There is a direct and easily
followed path between the bits the end-user gets and the bits that
the PMC has determined as "the release."

The issue with voting on "just" a binary release is how is the
provenance of the code ensured... If I get a binary how can I,
as an end-user, ensure that the binary was based on the official bits
and was built in a way that didn't muck around with those bits.
*THAT* is what the AOO PPMC needs to work thru, since most end-users
of AOO couldn't care a fig about the bits. But just because end-users
don't care, or shouldn't care, doesn't mean that the PMC/PPMC
can just wing it. Nor can it consider the binaries as "more important"
than the code.

One possible scenario: The AOO PPMC/PMC is ready for a release
and someone steps up to RM. He/she does the normal process and
a release tag is created. At that point, binary RM's step up
and, using that tag and a well-defined (and trackable) process,
creates binaries and then sign that binary. In fact, that was/is
my intent on wanting to be on the AOO PMC is to be the Apple OSX
RM (that is, take on that responsibility).

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
I oppose anything that generates more off-topic mailing list traffic.
Collaborative discussions surrounding documented policy belong on site-dev@.
Everything else is a waste of time for all concerned.



----- Original Message -----
> From: Rob Weir <ro...@apache.org>
> To: ooo-dev@incubator.apache.org; Joe Schaefer <jo...@yahoo.com>
> Cc: 
> Sent: Monday, August 27, 2012 1:02 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> On Mon, Aug 27, 2012 at 12:45 PM, Joe Schaefer <jo...@yahoo.com> wrote:
>>  The release documentation has far more precision in it than
>>  a casual glance would indicate.  There is no good reason to
>>  write about every associated topic in a policy document.
>>  I'm not going to read /dev/release.html to you personally Rob
>>  but I will point out that several people including the IPMC
>>  chair have been consistently referencing and quoting the doc
>>  to you so that you may better equip yourself to reason about
>>  the policy through the document.
>> 
> 
> Joe, this isn't about my knowledge.  I believe I have accurate
> knowledge of ASF release-related policies.  The issues that I listed
> -- the open questions -- they were not from me.  These were from IPMC
> members, those who were voted in as ASF Members and then accepted as
> IPMC members.  Those were their assertions.  You might be able to
> dismiss their concerns easily.  As a PPMC member I cannot.  They all
> have a vote on AOO.  I need to treat their concerns with some degree
> of respect.
> 
> So the question is not what I know, but how to respond to IPMC members
> who raise points of the variety that you eloquently termed "bullshit"?
> 
> One way is to simply yell them down, say repeatedly that this is not
> an issue, that policy is crystal clear, that anyone who disagrees has
> subhuman mental capabilities, etc.  That is the route that some took.
> 
> Another way is to first agree with precision on what the policy
> actually is and to ask for specific concerns with regards to AOO and
> that policy.  That was the route I was taking.
> 
> So I think we have the same view of some of the nonsense that was
> expressed on the list, as well as a similar view on what ASF policy
> actually is.
> 
> Perhaps we differ on how to resolve conflicts when they occur?   In
> any case what works for you probably would not work for me.  So I'll
> continue, in situations like these, to calmly seek clarity and
> consensus.
> 
> Good cop, bad cop?
> 
> Regards,
> 
> -Rob
> 
>> 
>>  Yes there is a reason newspapers are written to an 8th grade
>>  level but laws are written for experts in the field.  Different
>>  target audiences with totally different fields of applicability.
>> 
>> 
>> 
>> 
>>  ----- Original Message -----
>>>  From: Rob Weir <ro...@apache.org>
>>>  To: ooo-dev@incubator.apache.org
>>>  Cc:
>>>  Sent: Monday, August 27, 2012 12:34 PM
>>>  Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>> 
>>>  On Mon, Aug 27, 2012 at 12:10 PM, Joe Schaefer <jo...@yahoo.com> wrote:
>>>>   Bullshit.  The policy is as old as the org itself and applies equally
>>>> 
>>> 
>>>  The problem is that when someone questions what the policy is, as
>>>  several IPMC members have already, the response goes no further than
>>>  yelling that the policy is well-known, obvious, unambiguous, clear,
>>>  etc.  No one is questioning the age or the equal application of the
>>>  policy.
>>> 
>>>  Shutting down the discussion, without resolving the issue, just leads
>>>  to it emerging later at another point.  In fact, if you go back to the
>>>  general.i.a.o discussion from June 2011, when the AOO podling was
>>>  first proposed, some of the same concerns were raised by some of the
>>>  same IPMC members.  They were not resolved then.  They were not
>>>  resolved this time.  What do you think happens next?  Do you really
>>>  think that there is clarity now and this will not just come back
>>>  again, weeks or months later?
>>> 
>>>  The IPMC is welcome to run themselves as they wish.  But I sincerely
>>>  hope that the AOO project will not emulate or tolerate this kind of
>>>  behavior and interaction.  It is very unwelcoming to newcomers to have
>>>  that mixture of condescension and bullying when questions are asked.
>>> 
>>>>   to every project in the org including this one.  Rob, if you had the vaguest
>>>>   clue about the history of what the httpd project produces you would have
>>>>   some idea of what the written policy is meant to cover.  People who don't bother
>>>>   to look often wind up making ignorant remarks about the written policy;
>>>>   such is the nature of orgs which have zero educational standards for
>>>>   participation at any level.
>>>> 
>>> 
>>>  Certainly unwritten policies are even more susceptible to ignorant remarks.
>>> 
>>>>   Policy writing itself is a long and painful process in a bottom-up org.
>>>>   Very few people have enough experience with the diversity of our projects
>>>>   to ensure the policy accurately reflects current activity.  The only person
>>>>   who I've seen be consistently successful is Roy, and even then not without
>>>>   input from others.
>>>> 
>>> 
>>>  I appreciate the challenges of writing organizational policies.  I've
>>>  done this in other organizations.  But as you say, this policy "is as
>>>  old as the org itself ", and yet when it is shown that those who are
>>>  charged with implementing the policy for podlings (IPMC members)
>>>  cannot agree on what the policy is, there is still great resistance to
>>>  writing it down, amounting to even personal attacks against those who
>>>  even suggest doing this.
>>> 
>>>>   You are welcome to get off your armchair and participate constructively
>>>>   with others who care about the policy documentation over on site-dev@.
>>> 
>>>  Indeed I did propose a statement of the policy.  I believe I'm the
>>>  only one who did.  But at the same time others posted that it would be
>>>  unwelcome to make any website changes without further discussion.
>>> 
>>>>   Otherwise I suggest you drop the antagonistic and over-the-top prose.
>>> 
>>>  I sincerely hope that nothing I said is taken as antagonistic.
>>> 
>>>  Regards,
>>> 
>>>  -Rob
>>> 
> 

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 27, 2012 at 12:45 PM, Joe Schaefer <jo...@yahoo.com> wrote:
> The release documentation has far more precision in it than
> a casual glance would indicate.  There is no good reason to
> write about every associated topic in a policy document.
> I'm not going to read /dev/release.html to you personally Rob
> but I will point out that several people including the IPMC
> chair have been consistently referencing and quoting the doc
> to you so that you may better equip yourself to reason about
> the policy through the document.
>

Joe, this isn't about my knowledge.  I believe I have accurate
knowledge of ASF release-related policies.  The issues that I listed
-- the open questions -- they were not from me.  These were from IPMC
members, those who were voted in as ASF Members and then accepted as
IPMC members.  Those were their assertions.  You might be able to
dismiss their concerns easily.  As a PPMC member I cannot.  They all
have a vote on AOO.  I need to treat their concerns with some degree
of respect.

So the question is not what I know, but how to respond to IPMC members
who raise points of the variety that you eloquently termed "bullshit"?

One way is to simply yell them down, say repeatedly that this is not
an issue, that policy is crystal clear, that anyone who disagrees has
subhuman mental capabilities, etc.  That is the route that some took.

Another way is to first agree with precision on what the policy
actually is and to ask for specific concerns with regards to AOO and
that policy.  That was the route I was taking.

So I think we have the same view of some of the nonsense that was
expressed on the list, as well as a similar view on what ASF policy
actually is.

Perhaps we differ on how to resolve conflicts when they occur?   In
any case what works for you probably would not work for me.  So I'll
continue, in situations like these, to calmly seek clarity and
consensus.

Good cop, bad cop?

Regards,

-Rob

>
> Yes there is a reason newspapers are written to an 8th grade
> level but laws are written for experts in the field.  Different
> target audiences with totally different fields of applicability.
>
>
>
>
> ----- Original Message -----
>> From: Rob Weir <ro...@apache.org>
>> To: ooo-dev@incubator.apache.org
>> Cc:
>> Sent: Monday, August 27, 2012 12:34 PM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>
>> On Mon, Aug 27, 2012 at 12:10 PM, Joe Schaefer <jo...@yahoo.com>
>> wrote:
>>>  Bullshit.  The policy is as old as the org itself and applies equally
>>>
>>
>> The problem is that when someone questions what the policy is, as
>> several IPMC members have already, the response goes no further than
>> yelling that the policy is well-known, obvious, unambiguous, clear,
>> etc.  No one is questioning the age or the equal application of the
>> policy.
>>
>> Shutting down the discussion, without resolving the issue, just leads
>> to it emerging later at another point.  In fact, if you go back to the
>> general.i.a.o discussion from June 2011, when the AOO podling was
>> first proposed, some of the same concerns were raised by some of the
>> same IPMC members.  They were not resolved then.  They were not
>> resolved this time.  What do you think happens next?  Do you really
>> think that there is clarity now and this will not just come back
>> again, weeks or months later?
>>
>> The IPMC is welcome to run themselves as they wish.  But I sincerely
>> hope that the AOO project will not emulate or tolerate this kind of
>> behavior and interaction.  It is very unwelcoming to newcomers to have
>> that mixture of condescension and bullying when questions are asked.
>>
>>>  to every project in the org including this one.  Rob, if you had the vaguest
>>>  clue about the history of what the httpd project produces you would have
>>>  some idea of what the written policy is meant to cover.  People who don't bother
>>>  to look often wind up making ignorant remarks about the written policy;
>>>  such is the nature of orgs which have zero educational standards for
>>>  participation at any level.
>>>
>>
>> Certainly unwritten policies are even more susceptible to ignorant remarks.
>>
>>>  Policy writing itself is a long and painful process in a bottom-up org.
>>>  Very few people have enough experience with the diversity of our projects
>>>  to ensure the policy accurately reflects current activity.  The only person
>>>  who I've seen be consistently successful is Roy, and even then not without
>>>  input from others.
>>>
>>
>> I appreciate the challenges of writing organizational policies.  I've
>> done this in other organizations.  But as you say, this policy "is as
>> old as the org itself ", and yet when it is shown that those who are
>> charged with implementing the policy for podlings (IPMC members)
>> cannot agree on what the policy is, there is still great resistance to
>> writing it down, amounting to even personal attacks against those who
>> even suggest doing this.
>>
>>>  You are welcome to get off your armchair and participate constructively
>>>  with others who care about the policy documentation over on site-dev@.
>>
>> Indeed I did propose a statement of the policy.  I believe I'm the
>> only one who did.  But at the same time others posted that it would be
>> unwelcome to make any website changes without further discussion.
>>
>>>  Otherwise I suggest you drop the antagonistic and over-the-top prose.
>>
>> I sincerely hope that nothing I said is taken as antagonistic.
>>
>> Regards,
>>
>> -Rob
>>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
The release documentation has far more precision in it than
a casual glance would indicate.  There is no good reason to
write about every associated topic in a policy document.
I'm not going to read /dev/release.html to you personally Rob
but I will point out that several people including the IPMC
chair have been consistently referencing and quoting the doc
to you so that you may better equip yourself to reason about
the policy through the document.


Yes there is a reason newspapers are written to an 8th grade
level but laws are written for experts in the field.  Different
target audiences with totally different fields of applicability.




----- Original Message -----
> From: Rob Weir <ro...@apache.org>
> To: ooo-dev@incubator.apache.org
> Cc: 
> Sent: Monday, August 27, 2012 12:34 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> On Mon, Aug 27, 2012 at 12:10 PM, Joe Schaefer <jo...@yahoo.com> wrote:
>>  Bullshit.  The policy is as old as the org itself and applies equally
>> 
> 
> The problem is that when someone questions what the policy is, as
> several IPMC members have already, the response goes no further than
> yelling that the policy is well-known, obvious, unambiguous, clear,
> etc.  No one is questioning the age or the equal application of the
> policy.
> 
> Shutting down the discussion, without resolving the issue, just leads
> to it emerging later at another point.  In fact, if you go back to the
> general.i.a.o discussion from June 2011, when the AOO podling was
> first proposed, some of the same concerns were raised by some of the
> same IPMC members.  They were not resolved then.  They were not
> resolved this time.  What do you think happens next?  Do you really
> think that there is clarity now and this will not just come back
> again, weeks or months later?
> 
> The IPMC is welcome to run themselves as they wish.  But I sincerely
> hope that the AOO project will not emulate or tolerate this kind of
> behavior and interaction.  It is very unwelcoming to newcomers to have
> that mixture of condescension and bullying when questions are asked.
> 
>>  to every project in the org including this one.  Rob, if you had the vaguest
>>  clue about the history of what the httpd project produces you would have
>>  some idea of what the written policy is meant to cover.  People who don't bother
>>  to look often wind up making ignorant remarks about the written policy;
>>  such is the nature of orgs which have zero educational standards for
>>  participation at any level.
>> 
> 
> Certainly unwritten policies are even more susceptible to ignorant remarks.
> 
>>  Policy writing itself is a long and painful process in a bottom-up org.
>>  Very few people have enough experience with the diversity of our projects
>>  to ensure the policy accurately reflects current activity.  The only person
>>  who I've seen be consistently successful is Roy, and even then not without
>>  input from others.
>> 
> 
> I appreciate the challenges of writing organizational policies.  I've
> done this in other organizations.  But as you say, this policy "is as
> old as the org itself ", and yet when it is shown that those who are
> charged with implementing the policy for podlings (IPMC members)
> cannot agree on what the policy is, there is still great resistance to
> writing it down, amounting to even personal attacks against those who
> even suggest doing this.
> 
>>  You are welcome to get off your armchair and participate constructively
>>  with others who care about the policy documentation over on site-dev@.
> 
> Indeed I did propose a statement of the policy.  I believe I'm the
> only one who did.  But at the same time others posted that it would be
> unwelcome to make any website changes without further discussion.
> 
>>  Otherwise I suggest you drop the antagonistic and over-the-top prose.
> 
> I sincerely hope that nothing I said is taken as antagonistic.
> 
> Regards,
> 
> -Rob
> 

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 27, 2012 at 12:10 PM, Joe Schaefer <jo...@yahoo.com> wrote:
> Bullshit.  The policy is as old as the org itself and applies equally
>

The problem is that when someone questions what the policy is, as
several IPMC members have already, the response goes no further than
yelling that the policy is well-known, obvious, unambiguous, clear,
etc.  No one is questioning the age or the equal application of the
policy.

Shutting down the discussion, without resolving the issue, just leads
to it emerging later at another point.  In fact, if you go back to the
general.i.a.o discussion from June 2011, when the AOO podling was
first proposed, some of the same concerns were raised by some of the
same IPMC members.  They were not resolved then.  They were not
resolved this time.  What do you think happens next?  Do you really
think that there is clarity now and this will not just come back
again, weeks or months later?

The IPMC is welcome to run themselves as they wish.  But I sincerely
hope that the AOO project will not emulate or tolerate this kind of
behavior and interaction.  It is very unwelcoming to newcomers to have
that mixture of condescension and bullying when questions are asked.

> to every project in the org including this one.  Rob, if you had the vaguest
> clue about the history of what the httpd project produces you would have
> some idea of what the written policy is meant to cover.  People who don't bother
> to look often wind up making ignorant remarks about the written policy;
> such is the nature of orgs which have zero educational standards for
> participation at any level.
>

Certainly unwritten policies are even more susceptible to ignorant remarks.

> Policy writing itself is a long and painful process in a bottom-up org.
> Very few people have enough experience with the diversity of our projects
> to ensure the policy accurately reflects current activity.  The only person
> who I've seen be consistently successful is Roy, and even then not without
> input from others.
>

I appreciate the challenges of writing organizational policies.  I've
done this in other organizations.  But as you say, this policy "is as
old as the org itself", and yet when it is shown that those who are
charged with implementing the policy for podlings (IPMC members)
cannot agree on what the policy is, there is still great resistance to
writing it down, amounting to even personal attacks against those who
even suggest doing this.

> You are welcome to get off your armchair and participate constructively
> with others who care about the policy documentation over on site-dev@.

Indeed I did propose a statement of the policy.  I believe I'm the
only one who did.  But at the same time others posted that it would be
unwelcome to make any website changes without further discussion.

> Otherwise I suggest you drop the antagonistic and over-the-top prose.

I sincerely hope that nothing I said is taken as antagonistic.

Regards,

-Rob

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
Bullshit.  The policy is as old as the org itself and applies equally
to every project in the org including this one.  Rob, if you had the vaguest
clue about the history of what the httpd project produces you would have
some idea of what the written policy is meant to cover.  People who don't bother
to look often wind up making ignorant remarks about the written policy;
such is the nature of orgs which have zero educational standards for
participation at any level.

Policy writing itself is a long and painful process in a bottom-up org.
Very few people have enough experience with the diversity of our projects
to ensure the policy accurately reflects current activity.  The only person
who I've seen be consistently successful is Roy, and even then not without
input from others.

You are welcome to get off your armchair and participate constructively
with others who care about the policy documentation over on site-dev@.
Otherwise I suggest you drop the antagonistic and over-the-top prose.

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 27, 2012 at 10:38 AM, Jim Jagielski <ji...@jagunet.com> wrote:
> After this, please drop general@
>
> On Aug 27, 2012, at 10:16 AM, Rob Weir <ro...@apache.org> wrote:
>
>>>
>>> A signature does 2 things:
>>>
>>>  1. Ensures that no bits have been changed
>>>  2. That the bits come from a known (and trusted) entity.
>>>
>>
>> Almost.  It doesn't guarantee trust.
>
> Sure it does. If something is signed by Bill or Ross, etc I
> trust that it came from them. Anything else is tangential to
> what a signature provides.
>

Identity != Trust.

Identity + Reputation == Trust.

The signature only guarantees identity.

>
>>  CA's don't require any specific
>> level of software quality assurance before they issue a certificate.
>> Any trust is implied by association with the identity of the signer.
>> So it is a brand association.  This is similar to the association that
>> comes with association with a project's release announcement, or from
>> distribution via Apache mirrors, or links from Apache websites.  These
>> all imply -- in one degree or another -- an association with Apache,
>> and the trust that flows from that.
>>
>> But what code signing does do is help protect ASF reputation.
>
> Huh? All it says is that these bits originated from this entity.
> If you trust that entity, then you can trust those bits. The
> "reputation" stuff is part of the release process, not the signing
> process.
>

End users know absolutely nothing about Apache release process.  They
know brands.  So their view of trust is brand-based, not informed by
the technical minutiae of Apache release process.  Of course, given a
suboptimal process, if bad releases result from this, then the brand
reputation will suffer over time.


>>  By
>> having the binaries signed we can distance ourselves from those who
>> distribute versions of AOO with virus and malware attached.  Again,
>> this is something you probably don't see in the server world, but it
>> is quite common with popular end-user open source software.
>
> Again... Huh??? WTF do you think we sign code, esp stuff destined for
> the server? So the end-user is ensured that the bits came from a
> trusted source.
>

End-users ascribe trust to brands.  With education they might learn to
ascribe trust to validated/signed binaries based on the identity of
the signer.  But this has not been a great success in the web world,
with SSL certificates, etc.  Phishing is an industry now.

This is why the OS vendors are now close to mandating signed code.
End-users cannot be trusted to verify trust on their own.   If you
want to wear a tin foil hat, you can also see this probably leading to
the U.S. Government holding a "kill switch" on software, via
certification revocations, based on any malware that comes out with a
signature.

> "Oh look, I found the Apache 2.4.3 source tarball on some warez site
> signed by 'Ben Dover' who has an unknown key. Looks good to me. Think
> I'll install it on my website"
>

Today it is more likely that they see a binary called "OpenOffice",
with or without the Apache name, and without verifying the signature,
the user just installs it.  That is the sad state of end-user security
awareness today.

This is not going to get better by technology alone.  It will require
user education as well.

>>
>> So trust (reputation) is important.  But we're already seeing that
>> trust and reputation can be hurt by lack of code signing.
>
> We. Sign. Code.
>

AOO does not currently do this, at least not in a form that end users
can verify with their tool and skill set.  But we're working on it.

> So I'm again unsure what the issue is... it sounds like we're talking
> in circles. Can we have a real-world example? From my understanding,
> Apple's App Store is likely the most onerous situation. So what, right
> now, is "broken" with the AOO release process as related to the App
> Store and what would need to be done to "fix" it?
>

Honestly?  I never said there was an issue.  I merely forwarded, as
required, the community graduation vote post to the IPMC.  But since I
did that I've heard no end of criticisms. A quick summary is:

1) The AOO 3.4.1 release ballot is defective because it refers to
binaries and Apache does not release binaries

2) Something (unspecified, though I asked on numerous occasions) about
the AOO binaries does not conform with unwritten (though I asked on
numerous occasions) ASF policy on binaries.

3) The AOO podling should not graduate because it has an ungodly
emphasis on binaries

4) The AOO podling has some unresolved issues regarding their binaries
that they need to resolve before graduation

5) The AOO podling should bring up some (unstated, though I asked on
numerous occasions) questions to legal-discuss

6) The AOO podling should bring up some (unstated, though I asked
on numerous occasions) questions to Infra

7) The AOO podling is going to ignore ASF policy and do whatever it
wants when it graduates.

8) Inchoate FUD about liability and indemnification

9) Then it morphed into a code signing discussion.  I'm not sure how
that happened.

10) Finally, in a bizarre fashion,  we were then accused of not
understanding how the ASF works or decides issues.  This is bizarre
since we never raised the code signing question on general.i.a.o.
We've been working that question through infra-dev for over a month
now.  The fact that approximately equal numbers of IPMC members are
shouting that there is no problem while another group is asking
questions, does not help.  But I think that is an IPMC
dysfunctionality, not an AOO podling concern.

So what's the issue?  Honestly, the meta issue is that ASF policy in
this area is not written down.  You would not have 3-4 IPMC members
asking for clarifications, suggesting various opposing
interpretations, if this basic ASF policy concern was documented.
Having still other IPMC members shouting that it is clear and obvious
what the policy is does not help, of course.  What is clear and
unambiguous is judged from the perspective of the listener, not the
speaker.


-Rob

> If that's the wrong example, I'll take any other one.
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jim Jagielski <ji...@jaguNET.com>.
After this, please drop general@

On Aug 27, 2012, at 10:16 AM, Rob Weir <ro...@apache.org> wrote:

>> 
>> A signature does 2 things:
>> 
>>  1. Ensures that no bits have been changed
>>  2. That the bits come from a known (and trusted) entity.
>> 
> 
> Almost.  It doesn't guarantee trust.

Sure it does. If something is signed by Bill or Ross, etc I
trust that it came from them. Anything else is tangential to
what a signature provides.


>  CA's don't require any specific
> level of software quality assurance before they issue a certificate.
> Any trust is implied by association with the identity of the signer.
> So it is a brand association.  This is similar to the association that
> comes with association with a project's release announcement, or from
> distribution via Apache mirrors, or links from Apache websites.  These
> all imply -- in one degree or another -- an association with Apache,
> and the trust that flows from that.
> 
> But what code signing does do is help protect ASF reputation.

Huh? All it says is that these bits originated from this entity.
If you trust that entity, then you can trust those bits. The
"reputation" stuff is part of the release process, not the signing
process.

>  By
> having the binaries signed we can distance ourselves from those who
> distribute versions of AOO with virus and malware attached.  Again,
> this is something you probably don't see in the server world, but it
> is quite common with popular end-user open source software.

Again... Huh??? WTF do you think we sign code, esp stuff destined for
the server? So the end-user is ensured that the bits came from a
trusted source.

"Oh look, I found the Apache 2.4.3 source tarball on some warez site
signed by 'Ben Dover' who has an unknown key. Looks good to me. Think
I'll install it on my website"

> 
> So trust (reputation) is important.  But we're already seeing that
> trust and reputation can be hurt by lack of code signing.

We. Sign. Code.

So I'm again unsure what the issue is... it sounds like we're talking
in circles. Can we have a real-world example? From my understanding,
Apple's App Store is likely the most onerous situation. So what, right
now, is "broken" with the AOO release process as related to the App
Store and what would need to be done to "fix" it?

If that's the wrong example, I'll take any other one.



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 27, 2012 at 9:57 AM, Jim Jagielski <ji...@jagunet.com> wrote:
> Re adding ooo-dev@ since this is STILL an AOO issue.
>
> On Aug 27, 2012, at 9:38 AM, Rob Weir <ro...@apache.org> wrote:
>
>> On Mon, Aug 27, 2012 at 8:59 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>>>
>>> On Aug 27, 2012, at 8:56 AM, donald_harbison@us.ibm.com wrote:
>>>>
>>>> Yes, that's what end users care about. But it's not sufficient for AOO
>>>> since we are seeking alternative distribution channels.
>>>
>>> What does that mean? Can I grok "alternative distribution channels"
>>> as "more mirrors" or something else?
>>>
>>
>> You probably don't see this on the server yet, but end-user operating
>> systems, both desktop and devices, both at OS level as well as in
>> browsers and with antivirus software, are shifting over to excluding
>> non-signed executables by default.
>
> Believe it or not, I actually use end-user OSs. I am right now! Wow!
>

I did not mean to imply otherwise.  But I am quite confident that few,
if any other Apache projects are developing end-user software, so they
might not be aware of this trend from the software development
perspective.

>>  This is equally true of software
>> distributed on CD's, via downloads, or listed in OS-vendor "stores".
>> That is the direction that the industry is going.  Any desktop
>> application that ignores this trend will become unusable by most
>> users.  Instead of detached digital signatures that Apache releases
>> already carry, the OS vendors expect integrated signatures via code
>> signing.
>>
>> Where I hear the churning is over whether the technological change -
>> code signing rather than detached PGP/GPG signatures -- means anything
>> different from a liability standpoint.  One could argue that a
>> signature merely vouches for authentication, integrity and
>> non-repudiation -- the classic guarantees of a digital signature.  But
>> I'm hearing others suggest that the move from one technology to
>> another technology for signing suggests additional guarantees about
>> the content of the signed artifact, above and beyond what the ASF
>> normally offers.  But of course, any additional liability is
>> explicitly disclaimed by the Apache License.
>>
>> So given that other Apache projects distribute binaries that are....
>>
>> 1) approved by the PMC's
>>
>> 2) distributed on Apache mirrors
>>
>> 3) linked to as ASF products by project websites
>>
>> 4) accompanied by PGP/GPG detached signatures
>>
>> ...what additional liability do we believe comes from the
>> technological change from one signature mechanism to another?   Or
>> specifically, what liability is added that is not already explicitly
>> disclaimed by ALv2?
>>
>
> A signature does 2 things:
>
>   1. Ensures that no bits have been changed
>   2. That the bits come from a known (and trusted) entity.
>

Almost.  It doesn't guarantee trust.  CA's don't require any specific
level of software quality assurance before they issue a certificate.
Any trust is implied by association with the identity of the signer.
So it is a brand association.  This is similar to the association that
comes with association with a project's release announcement, or from
distribution via Apache mirrors, or links from Apache websites.  These
all imply -- in one degree or another -- an association with Apache,
and the trust that flows from that.

But what code signing does do is help protect ASF reputation.  By
having the binaries signed we can distance ourselves from those who
distribute versions of AOO with virus and malware attached.  Again,
this is something you probably don't see in the server world, but it
is quite common with popular end-user open source software.

So trust (reputation) is important.  But we're already seeing that
trust and reputation can be hurt by lack of code signing.

> The fact that we've used GPG-signed artifacts is immaterial, imo.
>

To a savvy user the use of the detached digital signature can provide
exactly the same assurances that code signing would do.  Exactly the
same thing.  It just happens to be that the industry has moved toward
a CA model rather than a web of trust model.


> But recall in all this that even when the PMC releases code, it is
> signed by the individual RM, and not by the PMC itself.
>

Correct.  But the concerns in the thread were about individual
liability.  Having an individual signature (whether GPG/PGP or
Authenticode) certainly doesn't make the story any better.

So I wonder if the best solution here is to make it clear in the
language of the certificate that it is an "unofficial, convenience
binary"?

-Rob



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Andre Fischer <aw...@gmail.com>.
On 27.08.2012 20:02, Jim Jagielski wrote:
> And so I get back to my question... How is this new "requirement" substantially
> different from the kind of signing we do today?

My mother could do one but not the other.

-Andre

>
> And please notice the word "substantially".
>
> On Aug 27, 2012, at 1:52 PM, Dennis E. Hamilton <or...@apache.org> wrote:
>
>> There is a missing distinction here.
>>
>> The discussion about signed binaries is not about external signatures of the kind used by release managers and others, nor about the external digests and signatures that might be obtained in conjunction with a download.
>>
>> The signing of code that I am talking about, and that others are talking about (at least in part), has to do with embedded signatures that consumer operating systems notice and check and that are part of the artifact.  These signatures are used (and typically required for application certification) by Microsoft, Apple, Adobe, and others.  The requirement for them is not decreasing.
>>
>> The discussion with regard to trust and the presumed reputation of the signer has merit, but it is not satisfied by external signatures in the case of download distributions to modern consumer platforms.
>>
>> - Dennis
>>
>> PS: I love it that when recognized authorities ask that a discussion be moved off of a particular list and then everyone piles on that list with a vengeance.  This message is *not* being copied to general@ i.a.o.
>>
>> -----Original Message-----
>> From: Joe Schaefer [mailto:joe_schaefer@yahoo.com]
>> Sent: Monday, August 27, 2012 10:07
>> To: general@incubator.apache.org
>> Cc: ooo-dev@incubator.apache.org
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>
>> Which better agrees with written policy anyway- the sigs
>> are part of the release package to be voted on and voted on
>> by the PMC, so even tho it constitutes individual sigs
>> those sigs (well at least the RM's sig) are PMC-approved.
>>
>>
>>
>>
>> ----- Original Message -----
>>> From: Greg Stein <gs...@gmail.com>
>>> To: general@incubator.apache.org
>>> Cc: "ooo-dev@incubator.apache.org" <oo...@incubator.apache.org>
>>> Sent: Monday, August 27, 2012 1:03 PM
>>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>>
>>> On Aug 27, 2012 9:57 AM, "Jim Jagielski" <ji...@jagunet.com>
>>> wrote:
>>>> ...
>>>> But recall in all this that even when the PMC releases code, it is
>>>> signed by the individual RM, and not by the PMC itself.
>>>
>>> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
>>> say they are signed by the PMC. For example:
>>>
>>> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
>>>
>>> Cheers,
>>> -g
>>>
>>
>


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jim Jagielski <ji...@jaguNET.com>.
And so I get back to my question... How is this new "requirement" substantially
different from the kind of signing we do today?

And please notice the word "substantially".

On Aug 27, 2012, at 1:52 PM, Dennis E. Hamilton <or...@apache.org> wrote:

> There is a missing distinction here.
> 
> The discussion about signed binaries is not about external signatures of the kind used by release managers and others, nor about the external digests and signatures that might be obtained in conjunction with a download.
> 
> The signing of code that I am talking about, and that others are talking about (at least in part), has to do with embedded signatures that consumer operating systems notice and check and that are part of the artifact.  These signatures are used (and typically required for application certification) by Microsoft, Apple, Adobe, and others.  The requirement for them is not decreasing.
> 
> The discussion with regard to trust and the presumed reputation of the signer has merit, but it is not satisfied by external signatures in the case of download distributions to modern consumer platforms.
> 
> - Dennis
> 
> PS: I love it that when recognized authorities ask that a discussion be moved off of a particular list and then everyone piles on that list with a vengeance.  This message is *not* being copied to general@ i.a.o.  
> 
> -----Original Message-----
> From: Joe Schaefer [mailto:joe_schaefer@yahoo.com] 
> Sent: Monday, August 27, 2012 10:07
> To: general@incubator.apache.org
> Cc: ooo-dev@incubator.apache.org
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> Which better agrees with written policy anyway- the sigs
> are part of the release package to be voted on and voted on
> by the PMC, so even tho it constitutes individual sigs
> those sigs (well at least the RM's sig) are PMC-approved.
> 
> 
> 
> 
> ----- Original Message -----
>> From: Greg Stein <gs...@gmail.com>
>> To: general@incubator.apache.org
>> Cc: "ooo-dev@incubator.apache.org" <oo...@incubator.apache.org>
>> Sent: Monday, August 27, 2012 1:03 PM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>> 
>> On Aug 27, 2012 9:57 AM, "Jim Jagielski" <ji...@jagunet.com> 
>> wrote:
>>> ...
>>> But recall in all this that even when the PMC releases code, it is
>>> signed by the individual RM, and not by the PMC itself.
>> 
>> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
>> say they are signed by the PMC. For example:
>> 
>> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
>> 
>> Cheers,
>> -g
>> 
> 


RE: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by "Dennis E. Hamilton" <or...@apache.org>.
I'm not asking for anything.  I am simply attempting to clarify what the considerations are.  Also, I did not inject the issue about binaries into the discussion on general@ i.a.o.

Why do you find it necessary to put my contributions down rather than let them go by if you see no value in them?

 - Dennis

-----Original Message-----
From: Joe Schaefer [mailto:joe_schaefer@yahoo.com] 
Sent: Monday, August 27, 2012 10:58
To: ooo-dev@incubator.apache.org; orcmid@apache.org
Cc: jim@jagunet.com
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

Why do you persist in hijacking this thread Dennis?
Read the Subject again and ask yourself why you
are pursuing this line of inquiry here again-
it's just confusing people because you're asking
for new policy to be written and adopted at the
same time other people are arguing with each other
about current policy and how it applies to AOO.

Just let this discussion die please without further
ado- you need not reply again here to acknowledge
my request.





	
________________________________

	From: Dennis E. Hamilton <or...@apache.org>
	To: ooo-dev@incubator.apache.org 
	Cc: jim@jagunet.com 
	Sent: Monday, August 27, 2012 1:52 PM
	Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote
	

	There is a missing distinction here.
	
	The discussion about signed binaries is not about external signatures of the kind used by release managers and others, nor about the external digests and signatures that might be obtained in conjunction with a download.
	
	The signing of code that I am talking about, and that others are talking about (at least in part), has to do with embedded signatures that consumer operating systems notice and check and that are part of the artifact.  These signatures are used (and typically required for application certification) by Microsoft, Apple, Adobe, and others.  The requirement for them is not decreasing.
	
	The discussion with regard to trust and the presumed reputation of the signer has merit, but it is not satisfied by external signatures in the case of download distributions to modern consumer platforms.
	
	- Dennis
	
	PS: I love it that when recognized authorities ask that a discussion be moved off of a particular list and then everyone piles on that list with a vengeance.  This message is *not* being copied to general@ i.a.o.  
	
	-----Original Message-----
	From: Joe Schaefer [mailto:joe_schaefer@yahoo.com] 
	Sent: Monday, August 27, 2012 10:07
	To: general@incubator.apache.org
	Cc: ooo-dev@incubator.apache.org
	Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
	
	Which better agrees with written policy anyway- the sigs
	are part of the release package to be voted on and voted on
	by the PMC, so even tho it constitutes individual sigs
	those sigs (well at least the RM's sig) are PMC-approved.
	
	
	
	
	----- Original Message -----
	> From: Greg Stein <gs...@gmail.com>
	> To: general@incubator.apache.org
	> Cc: "ooo-dev@incubator.apache.org" <oo...@incubator.apache.org>
	> Sent: Monday, August 27, 2012 1:03 PM
	> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
	> 
	> On Aug 27, 2012 9:57 AM, "Jim Jagielski" <ji...@jagunet.com> 
	> wrote:
	>> ...
	>>  But recall in all this that even when the PMC releases code, it is
	>>  signed by the individual RM, and not by the PMC itself.
	> 
	> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
	> say they are signed by the PMC. For example:
	> 
	> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
	> 
	> Cheers,
	> -g
	> 
	
	
	
	



RE: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by "Dennis E. Hamilton" <or...@apache.org>.
There is a missing distinction here.

The discussion about signed binaries is not about external signatures of the kind used by release managers and others, nor about the external digests and signatures that might be obtained in conjunction with a download.

The signing of code that I am talking about, and that others are talking about (at least in part), has to do with embedded signatures that consumer operating systems notice and check and that are part of the artifact.  These signatures are used (and typically required for application certification) by Microsoft, Apple, Adobe, and others.  The requirement for them is not decreasing.

The discussion with regard to trust and the presumed reputation of the signer has merit, but it is not satisfied by external signatures in the case of download distributions to modern consumer platforms.

 - Dennis

PS: I love it that when recognized authorities ask that a discussion be moved off of a particular list and then everyone piles on that list with a vengeance.  This message is *not* being copied to general@ i.a.o.  

-----Original Message-----
From: Joe Schaefer [mailto:joe_schaefer@yahoo.com] 
Sent: Monday, August 27, 2012 10:07
To: general@incubator.apache.org
Cc: ooo-dev@incubator.apache.org
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

Which better agrees with written policy anyway- the sigs
are part of the release package to be voted on and voted on
by the PMC, so even tho it constitutes individual sigs
those sigs (well at least the RM's sig) are PMC-approved.




----- Original Message -----
> From: Greg Stein <gs...@gmail.com>
> To: general@incubator.apache.org
> Cc: "ooo-dev@incubator.apache.org" <oo...@incubator.apache.org>
> Sent: Monday, August 27, 2012 1:03 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> On Aug 27, 2012 9:57 AM, "Jim Jagielski" <ji...@jagunet.com> 
> wrote:
>> ...
>>  But recall in all this that even when the PMC releases code, it is
>>  signed by the individual RM, and not by the PMC itself.
> 
> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
> say they are signed by the PMC. For example:
> 
> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
> 
> Cheers,
> -g
> 


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jim Jagielski <ji...@jaguNET.com>.
+1.
On Aug 27, 2012, at 1:07 PM, Joe Schaefer <jo...@yahoo.com> wrote:

> Which better agrees with written policy anyway- the sigs
> are part of the release package to be voted on and voted on
> by the PMC, so even tho it constitutes individual sigs
> those sigs (well at least the RM's sig) are PMC-approved.
> 
> 
> 
> 
> ----- Original Message -----
>> From: Greg Stein <gs...@gmail.com>
>> To: general@incubator.apache.org
>> Cc: "ooo-dev@incubator.apache.org" <oo...@incubator.apache.org>
>> Sent: Monday, August 27, 2012 1:03 PM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>> 
>> On Aug 27, 2012 9:57 AM, "Jim Jagielski" <ji...@jagunet.com> 
>> wrote:
>>> ...
>>> But recall in all this that even when the PMC releases code, it is
>>> signed by the individual RM, and not by the PMC itself.
>> 
>> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
>> say they are signed by the PMC. For example:
>> 
>> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
>> 
>> Cheers,
>> -g
>> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
Which better agrees with written policy anyway- the sigs
are part of the release package to be voted on and voted on
by the PMC, so even tho it constitutes individual sigs
those sigs (well at least the RM's sig) are PMC-approved.




----- Original Message -----
> From: Greg Stein <gs...@gmail.com>
> To: general@incubator.apache.org
> Cc: "ooo-dev@incubator.apache.org" <oo...@incubator.apache.org>
> Sent: Monday, August 27, 2012 1:03 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> On Aug 27, 2012 9:57 AM, "Jim Jagielski" <ji...@jagunet.com> 
> wrote:
>> ...
>>  But recall in all this that even when the PMC releases code, it is
>>  signed by the individual RM, and not by the PMC itself.
> 
> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
> say they are signed by the PMC. For example:
> 
> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
> 
> Cheers,
> -g
> 

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Greg Stein <gs...@gmail.com>.
On Aug 27, 2012 9:57 AM, "Jim Jagielski" <ji...@jagunet.com> wrote:
>...
> But recall in all this that even when the PMC releases code, it is
> signed by the individual RM, and not by the PMC itself.

Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
say they are signed by the PMC. For example:

https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc

Cheers,
-g

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jim Jagielski <ji...@jaguNET.com>.
Re adding ooo-dev@ since this is STILL an AOO issue.

On Aug 27, 2012, at 9:38 AM, Rob Weir <ro...@apache.org> wrote:

> On Mon, Aug 27, 2012 at 8:59 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>> 
>> On Aug 27, 2012, at 8:56 AM, donald_harbison@us.ibm.com wrote:
>>> 
>>> Yes, that's what end users care about. But it's not sufficient for AOO
>>> since we are seeking alternative distribution channels.
>> 
>> What does that mean? Can I grok "alternative distribution channels"
>> as "more mirrors" or something else?
>> 
> 
> You probably don't see this on the server yet, but end-user operating
> systems, both desktop and devices, both at OS level as well as in
> browsers and with antivirus software, are shifting over to excluding
> non-signed executables by default.

Believe it or not, I actually use end-user OSs. I am right now! Wow!

>  This is equally true of software
> distributed on CD's, via downloads, or listed in OS-vendor "stores".
> That is the direction that the industry is going.  Any desktop
> application that ignores this trend will become unusable by most
> users.  Instead of detached digital signatures that Apache releases
> already carry, the OS vendors expect integrated signatures via code
> signing.
> 
> Where I hear the churning is over whether the technological change -
> code signing rather than detached PGP/GPG signatures -- means anything
> different from a liability standpoint.  One could argue that a
> signature merely vouches for authentication, integrity and
> non-repudiation -- the classic guarantees of a digital signature.  But
> I'm hearing others suggest that the move from one technology to
> another technology for signing suggests additional guarantees about
> the content of the signed artifact, above and beyond what the ASF
> normally offers.  But of course, any additional liability is
> explicitly disclaimed by the Apache License.
> 
> So given that other Apache projects distribute binaries that are....
> 
> 1) approved by the PMC's
> 
> 2) distributed on Apache mirrors
> 
> 3) linked to as ASF products by project websites
> 
> 4) accompanied by PGP/GPG detached signatures
> 
> ...what additional liability do we believe comes from the
> technological change from one signature mechanism to another?   Or
> specifically, what liability is added that is not already explicitly
> disclaimed by ALv2?
> 

A signature does 2 things:

  1. Ensures that no bits have been changed
  2. That the bits come from a known (and trusted) entity.

The fact that we've used GPG-signed artifacts is immaterial, imo.

But recall in all this that even when the PMC releases code, it is
signed by the individual RM, and not by the PMC itself.


Re: "end-user operating systems" Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Herbert Duerr <hd...@apache.org>.
On 27.08.2012 23:11, Andreas Kuckartz wrote:
> Rob Weir:
>> You probably don't see this on the server yet, but end-user operating
>> systems, both desktop and devices, both at OS level as well as in
>> browsers and with antivirus software, are shifting over to excluding
>> non-signed executables by default.  This is equally true of software
>> distributed on CD's, via downloads, or listed in OS-vendor "stores".
>>   That is the direction that the industry is going.  Any desktop
>> application that ignores this trend will become unusable by most
>> users.  Instead of detached digital signatures that Apache releases
>> already carry, the OS vendors expect integrated signatures via code
>> signing.
>
> Sorry for extending this thread, but I am curious:
>
> Which "OS vendors" and "end-user operating systems" are you talking about?

For Windows 8 please see e.g.
    http://msdn.microsoft.com/en-us/library/windows/desktop/hh749939.aspx
"6.1 All executable files (.exe, .dll, .ocx, .sys, .cpl, .drv, .scr) 
must be signed with an Authenticode certificate"

For Mac OSX 10.8 please see e.g.
   https://developer.apple.com/resources/developer-id/
"Gatekeeper is a new feature in OS X Mountain Lion that helps protect 
users from downloading and installing malicious software. Signing your 
applications, plug-ins, and installer packages with a Developer ID 
certificate lets Gatekeeper verify that they are not known malware and 
have not been tampered with."
and
   http://macperformanceguide.com/MountainLion-application-signing.html
"By default, Mac OS X Mountain Lion disables the ability to run 
applications which are not signed, the idea being to prevent hackers 
from persuading you to run a nefarious application.

This is an excellent security precaution, but also a headache until all 
apps are signed"

> The end-user operating system Debian does not require integrated signatures:
> http://wiki.debian.org/SecureApt

Debian is a great end-user operating system and I'm using it for my main 
computing needs. Other contenders in the market for end-user operating 
systems like Microsoft and Apple are still relevant though so the 
requirements they impose on applications cannot be easily ignored.

Herbert


"end-user operating systems" Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Andreas Kuckartz <A....@ping.de>.
Rob Weir:
> You probably don't see this on the server yet, but end-user operating
> systems, both desktop and devices, both at OS level as well as in
> browsers and with antivirus software, are shifting over to excluding
> non-signed executables by default.  This is equally true of software
> distributed on CD's, via downloads, or listed in OS-vendor "stores".
>  That is the direction that the industry is going.  Any desktop
> application that ignores this trend will become unusable by most
> users.  Instead of detached digital signatures that Apache releases
> already carry, the OS vendors expect integrated signatures via code
> signing.

Sorry for extending this thread, but I am curious:

Which "OS vendors" and "end-user operating systems" are you talking about?

The end-user operating system Debian does not require integrated signatures:
http://wiki.debian.org/SecureApt

Cheers,
Andreas


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 27, 2012 at 8:59 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>
> On Aug 27, 2012, at 8:56 AM, donald_harbison@us.ibm.com wrote:
>>
>> Yes, that's what end users care about. But it's not sufficient for AOO
>> since we are seeking alternative distribution channels.
>
> What does that mean? Can I grok "alternative distribution channels"
> as "more mirrors" or something else?
>

You probably don't see this on the server yet, but end-user operating
systems, both desktop and devices, both at OS level as well as in
browsers and with antivirus software, are shifting over to excluding
non-signed executables by default.  This is equally true of software
distributed on CD's, via downloads, or listed in OS-vendor "stores".
 That is the direction that the industry is going.  Any desktop
application that ignores this trend will become unusable by most
users.  Instead of detached digital signatures that Apache releases
already carry, the OS vendors expect integrated signatures via code
signing.

Where I hear the churning is over whether the technological change -
code signing rather than detached PGP/GPG signatures -- means anything
different from a liability standpoint.  One could argue that a
signature merely vouches for authentication, integrity and
non-repudiation -- the classic guarantees of a digital signature.  But
I'm hearing others suggest that the move from one technology to
another technology for signing suggests additional guarantees about
the content of the signed artifact, above and beyond what the ASF
normally offers.  But of course, any additional liability is
explicitly disclaimed by the Apache License.

So given that other Apache projects distribute binaries that are....

1) approved by the PMC's

2) distributed on Apache mirrors

3) linked to as ASF products by project websites

4) accompanied by PGP/GPG detached signatures

...what additional liability do we believe comes from the
technological change from one signature mechanism to another?   Or
specifically, what liability is added that is not already explicitly
disclaimed by ALv2?

-Rob


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Aug 27, 2012, at 8:56 AM, donald_harbison@us.ibm.com wrote:
> 
> Yes, that's what end users care about. But it's not sufficient for AOO 
> since we are seeking alternative distribution channels.

What does that mean? Can I grok "alternative distribution channels"
as "more mirrors" or something else?

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by do...@us.ibm.com.
Jim Jagielski <ji...@jaguNET.com> wrote on 08/27/2012 08:43:35 AM:

> From: Jim Jagielski <ji...@jaguNET.com>
> To: general@incubator.apache.org, Joe Schaefer 
> <jo...@yahoo.com>, Rob Weir <ro...@apache.org>, 
> Cc: "ooo-dev@incubator.apache.org" <oo...@incubator.apache.org>
> Date: 08/27/2012 08:44 AM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> 
> On Aug 26, 2012, at 10:26 AM, Joe Schaefer <jo...@yahoo.com> 
wrote:
> 
> > No.  There is NO WAY IN HELL the org can indemnify
> > a volunteer who produces a binary build themselves.
> > 
> > Please don't bother asking legal-discuss to tackle this.
> > 
> 
> Here's an analogy: for a long, long time Bill Rowe has taken
> it upon himself to create binary builds of Apache httpd for
> the large Windows community. Netware binary builds are also
> occasionally released (see http://httpd.apache.org/download.cgi).
> 
> These are available right from the official httpd download
> page and located right next to the official source code,
> yet they are artifacts NOT released (officially) by the
> ASF or the httpd PMC, but are available from a "trusted"
> source.
> 
> Isn't that all the end-user cares about? And isn't that
> sufficient for AOO?

Yes, that's what end users care about. But it's not sufficient for AOO 
since we are seeking alternative distribution channels. Efforts to
exponentially expand distribution channels require code signing. These 
discussions were started on legal@ with no resolution. Sorry I don't have 
the reference for that handy.



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Aug 26, 2012, at 10:26 AM, Joe Schaefer <jo...@yahoo.com> wrote:

> No.  There is NO WAY IN HELL the org can indemnify
> a volunteer who produces a binary build themselves.
> 
> Please don't bother asking legal-discuss to tackle this.
> 

Here's an analogy: for a long, long time Bill Rowe has taken
it upon himself to create binary builds of Apache httpd for
the large Windows community. Netware binary builds are also
occasionally released (see http://httpd.apache.org/download.cgi).

These are available right from the official httpd download
page and located right next to the official source code,
yet they are artifacts NOT released (officially) by the
ASF or the httpd PMC, but are available from a "trusted"
source.

Isn't that all the end-user cares about? And isn't that
sufficient for AOO?

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
No.  There is NO WAY IN HELL the org can indemnify
a volunteer who produces a binary build themselves.

Please don't bother asking legal-discuss to tackle this.

The way liability works in an incorporated volunteer
charity is that you are not liable for "club" activities
performed without negligence on your part.  IANAL but
this is the whole point of the law surrounding this
area of human activity in the US.

Building software on 3rd party hosts which are not
operated by the org exposes you to the possibility
that your system may be compromised beyond what
is in source, and should you publish those artifacts
to ASF mirrors you could be held liable for any damages
your inattentiveness towards the system that produced
those packages may have caused.  Nothing the org can
do other than adopt an insane indemnity policy will
absolve a volunteer of that personal risk at this point.
However, if the org decides on a method of producing
production-quality builds itself and signs off on them itself
as an org, then clearly only the ASF, and any malicious or negligent
party, is exposed to any risks associated with widescale distribution.


If the software is built by an ASF host using ASF-maintained
software,  you might be able to make the case before a judge
that it was the ASF's fault for producing vulnerable builds
on a compromised host.  But you will have to plead that
before a judge at this point should you be named in a suit,
because we don't currently offer that level of management
in our build farms.


HTH
>________________________________
> From: Marvin Humphrey <ma...@rectangular.com>
>To: general@incubator.apache.org 
>Sent: Sunday, August 26, 2012 10:09 AM
>Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
>On Sun, Aug 26, 2012 at 4:26 AM, Branko Čibej <br...@apache.org> wrote:
>> On 26.08.2012 13:15, Tim Williams wrote:
>>> Marvin gave the link earlier in this thread. 4th para is the relevant bit.
>>>
>>> http://www.apache.org/dev/release.html#what
>>
>> The relevant part is in the last paragraph. However, that says
>> "convenience" and defines version numbering requirements, but it does
>> /not/ state that the binaries are not sanctioned by the ASF and are not
>> part of the official ASF release.
>>
>> It would be very useful if that paragraph were amended to say so
>> explicitly. I've had no end of trouble trying to explain to managers and
>> customers that any binaries that come from the ASF are not "official".
>> Regardless of the policy stated numerous times in this thread and on
>> this list, this is not clear anywhere in the bylaws or other online
>> documentation (that I can find).
>
>The possibility exists that when the question is put to legal-discuss, we will
>find that Roy's missives have been misinterpreted, and that so long as the
>imperative of a clean source release (uncontaminated by e.g. embedded jar
>files) is satisfied, it is permissible for a PMC to sanction accompanying
>binary artifacts which are wholly derived from said clean source.
>
>It is also possible that the V.P. of Legal (who is a Board member) will kick
>the question up to the Board and that they will take up a full-blown
>resolution clarifying the policy.  Perhaps they will impose restrictions going
>forward such as the requirement that binaries to be blessed must be created
>via automatic processes kicked off by Infra on sterile build machines.  Or
>perhaps there won't be a resolution, but the discussion will produce a new
>common understanding that PMCs have so much autonomy they can "release" a
>peanut butter and jelly sandwich alongside the source code as an "act of the
>corporation".
>
>And yet another possibility is that the Legal VP will issue a narrowly
>tailored ruling stating that AOO may release blessed binaries while
>incubating, but that after graduation only binaries produced on sterile build
>machines may be blessed.
>
>Who knows?  We aren't going to resolve these questions on this list.
>
>In any case, I do not believe that it is in the best interests of either the
>ASF or the AOO podling (particularly those contributing towards the binary
>artifacts) for ambiguity to persist around issues of indemnification, and I
>don't think it's good for the ASF to walk backwards into a policy on binary
>releases accidentally.
>
>Apologies for keeping the zombie thread alive.  If it were up to me, it would
>have hopped forums some time ago.
>
>Marvin Humphrey
>


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Marvin Humphrey <ma...@rectangular.com>.
On Sun, Aug 26, 2012 at 4:26 AM, Branko Čibej <br...@apache.org> wrote:
> On 26.08.2012 13:15, Tim Williams wrote:
>> Marvin gave the link earlier in this thread. 4th para is the relevant bit.
>>
>> http://www.apache.org/dev/release.html#what
>
> The relevant part is in the last paragraph. However, that says
> "convenience" and defines version numbering requirements, but it does
> /not/ state that the binaries are not sanctioned by the ASF and are not
> part of the official ASF release.
>
> It would be very useful if that paragraph were amended to say so
> explicitly. I've had no end of trouble trying to explain to managers and
> customers that any binaries that come from the ASF are not "official".
> Regardless of the policy stated numerous times in this thread and on
> this list, this is not clear anywhere in the bylaws or other online
> documentation (that I can find).

The possibility exists that when the question is put to legal-discuss, we will
find that Roy's missives have been misinterpreted, and that so long as the
imperative of a clean source release (uncontaminated by e.g. embedded jar
files) is satisfied, it is permissible for a PMC to sanction accompanying
binary artifacts which are wholly derived from said clean source.

It is also possible that the V.P. of Legal (who is a Board member) will kick
the question up to the Board and that they will take up a full-blown
resolution clarifying the policy.  Perhaps they will impose restrictions going
forward such as the requirement that binaries to be blessed must be created
via automatic processes kicked off by Infra on sterile build machines.  Or
perhaps there won't be a resolution, but the discussion will produce a new
common understanding that PMCs have so much autonomy they can "release" a
peanut butter and jelly sandwich alongside the source code as an "act of the
corporation".

And yet another possibility is that the Legal VP will issue a narrowly
tailored ruling stating that AOO may release blessed binaries while
incubating, but that after graduation only binaries produced on sterile build
machines may be blessed.

Who knows?  We aren't going to resolve these questions on this list.

In any case, I do not believe that it is in the best interests of either the
ASF or the AOO podling (particularly those contributing towards the binary
artifacts) for ambiguity to persist around issues of indemnification, and I
don't think it's good for the ASF to walk backwards into a policy on binary
releases accidentally.

Apologies for keeping the zombie thread alive.  If it were up to me, it would
have hopped forums some time ago.

Marvin Humphrey



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Branko Čibej <br...@apache.org>.
On 26.08.2012 13:15, Tim Williams wrote:
> Marvin gave the link earlier in this thread. 4th para is the relevant bit.
>
> http://www.apache.org/dev/release.html#what

The relevant part is in the last paragraph. However, that says
"convenience" and defines version numbering requirements, but it does
/not/ state that the binaries are not sanctioned by the ASF and are not
part of the official ASF release.

It would be very useful if that paragraph were amended to say so
explicitly. I've had no end of trouble trying to explain to managers and
customers that any binaries that come from the ASF are not "official".
Regardless of the policy stated numerous times in this thread and on
this list, this is not clear anywhere in the bylaws or other online
documentation (that I can find).

-- Brane

P.S.: I asked this same question on legal-discuss a week ago. My post
has not even been moderated through as of today, so referring people to
that list doesn't appear to be too helpful.




Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Tim Williams <wi...@gmail.com>.
On Sat, Aug 25, 2012 at 10:53 PM, Rob Weir <ro...@apache.org> wrote:
> On Fri, Aug 24, 2012 at 4:35 PM, Greg Stein <gs...@gmail.com> wrote:
>> On Fri, Aug 24, 2012 at 4:00 PM, Rob Weir <ro...@apache.org> wrote:
>
> <snip>
>
>>> I can give the IPMC a hand here, if my point is too obscure.  A policy
>>> might look like this:
>>>
>>> Resolved:   An Apache project's release consists of a canonical source
>>> artifact, voted on and approved by the PMC.  A PMC can also distribute
>>> additional, non-source artifacts, including documentation, binaries,
>>> samples, etc., that are provided for the convenience of the user.
>>> These non-source artifacts must be buildable from the canonical
>>> source artifact.  Additional 3rd party libraries may be included
>>> solely in compliance with license policies defined by Apache Legal
>>> Affairs.  Additionally the non-source artifacts (or the PMC) must
>>> ____________    and must not _________________.
>>
>> That's existing policy. As people keep saying (most recently, Joe, in
>> no uncertain terms).
>>
>
> Hi Greg,
>
> And Joe, as I'm sure you noticed, also said:
>
> "THERE IS NO PROBLEM HERE,
> CURRENT POLICY FULLY COVERS WHAT AOO ACTUALLY
> DOES.  END OF DISCUSSION."
>
> This is my understanding as well.
>
> In any case, you seem to agree with the wording that I gave above,
> since you say it represents existing policy.  Since I can find no
> place on the IPMC or ASF website where this policy is actually stated
> (and please correct me if I missed it), it might be good if we took my
> summary from above and put it into the Podling Release Guide.  I know
> there is an ongoing effort to clean up the IPMC website.  I'd be happy
> to submit a patch.

Marvin gave the link earlier in this thread. 4th para is the relevant bit.

http://www.apache.org/dev/release.html#what

--tim



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Fri, Aug 24, 2012 at 4:35 PM, Greg Stein <gs...@gmail.com> wrote:
> On Fri, Aug 24, 2012 at 4:00 PM, Rob Weir <ro...@apache.org> wrote:

<snip>

>> I can give the IPMC a hand here, if my point is too obscure.  A policy
>> might look like this:
>>
>> Resolved:   An Apache project's release consists of a canonical source
>> artifact, voted on and approved by the PMC.  A PMC can also distribute
>> additional, non-source artifacts, including documentation, binaries,
>> samples, etc., that are provided for the convenience of the user.
>> These non-source artifacts must be buildable from the canonical
>> source artifact.  Additional 3rd party libraries may be included
>> solely in compliance with license policies defined by Apache Legal
>> Affairs.  Additionally the non-source artifacts (or the PMC) must
>> ____________    and must not _________________.
>
> That's existing policy. As people keep saying (most recently, Joe, in
> no uncertain terms).
>

Hi Greg,

And Joe, as I'm sure you noticed, also said:

"THERE IS NO PROBLEM HERE,
CURRENT POLICY FULLY COVERS WHAT AOO ACTUALLY
DOES.  END OF DISCUSSION."

This is my understanding as well.

In any case, you seem to agree with the wording that I gave above,
since you say it represents existing policy.  Since I can find no
place on the IPMC or ASF website where this policy is actually stated
(and please correct me if I missed it), it might be good if we took my
summary from above and put it into the Podling Release Guide.  I know
there is an ongoing effort to clean up the IPMC website.  I'd be happy
to submit a patch.

Regards,

-Rob


> -g


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Greg Stein <gs...@gmail.com>.
On Fri, Aug 24, 2012 at 4:00 PM, Rob Weir <ro...@apache.org> wrote:
>...
> Or if someone who cared sufficiently about this policy area took
> ownership and proposed a wording of the policy, either as a Board
> resolution, or on legal-discuss, and had that policy approved and
> recorded via the ordinary means.

That's why people keep saying: go to legal-discuss. Stop worrying about it here.

And to be clear: we're talking about authenticated/blessed binaries.
Not convenience artifacts. I think you're well aware of this, yet you
keep conflating the two. I don't know why, except maybe to aggravate
people. It certainly isn't engendering good will.

> Right now it is unfair to say that I, or anyone else in the podling,
> is "rebellious" or opposes ASF Policy in this area, since no one seems
> to be able to say what the policy actually is, in specific and
> actionable terms, and why they think AOO podling is or is not in
> compliance.

It is totally fair when everybody keeps telling you: no blessed
binaries, and you refuse to listen.

> I can give the IPMC a hand here, if my point is too obscure.  A policy
> might look like this:
>
> Resolved:   An Apache project's release consists of a canonical source
> artifact, voted on and approved by the PMC.  A PMC can also distribute
> additional, non-source artifacts, including documentation, binaries,
> samples, etc., that are provided for the convenience of the user.
> These non-source artifacts must be buildable from the canonical
> source artifact.  Additional 3rd party libraries may be included
> solely in compliance with license policies defined by Apache Legal
> Affairs.  Additionally the non-source artifacts (or the PMC) must
> ____________    and must not _________________.

That's existing policy. As people keep saying (most recently, Joe, in
no uncertain terms).

-g



Convenience signatures Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Andreas Kuckartz <A....@ping.de>.
Benson Margulies:
> In the mean time, AOO releases can continue to have 'convenience
> binaries', sans signatures.

If they can have 'convenience binaries' they should also be able to
provide 'convenience signatures'.

Cheers,
Andreas



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by drew <dr...@baseanswers.com>.
On Sat, 2012-08-25 at 06:45 -0700, Benson Margulies wrote:
> I submit that this sub-thread has reached the end of its useful lifetime.

Howdy,

After a re-read of this thread, along with similar on the AOO dev/priv
list and referenced ASF policy, or best practices, docs., I fully agree.

Honestly, after this review my thinking has changed somewhat and there
seems value still to be had in assuring that everyone is chasing the
same ends.   I'd like to address this in a context of project goals and
best way to attain them, as an ASF project, so will move the general
discussion back to AOO dev.

I think the group can come to a reasonable consensus from that approach
quickly. Then, _if_ (or which) specific changes to current ASF norms
truly are needed, to best attain those goals, can go through the proper
steps - which isn't this thread ;) 

Also - It may very well be that what needs addressing is already in the
pipeline, IMO.

Thanks,

//drew



> 
> The IPMC's view of binaries is clear, and the IPMC believes that its
> views reflect the will of the board. 'Official' binaries, like
> binaries signed with a certificate with the Foundation's name on it,
> are not currently permissible. Roughly, the same questions of how the
> voting members of a PMC could meaningfully check a release before
> voting apply to both questions.
> 
> If you want to engage with the board on this, by all means, there is
> board@. It's a complete waste of time to argue on this list and this
> thread about the Foundation's governance.
> 
> In the mean time, AOO releases can continue to have 'convenience
> binaries', sans signatures.



> 
> Since this is a community vote thread (!) and not an IPMC vote thread,
> I further submit that all of us IPMC members should get out of the way
> and leave it to the mentors to sort out the disconnect between
> Foundation policy and AOO needs/wants. To quote the mentors from a
> previous conversation, if people want to join in the process, they
> should become mentors and fully engage.
> 
> Of course, a discussion thread started here to solicit the IPMC's
> opinion on graduation would be another matter entirely.
> 


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Andre Fischer <aw...@gmail.com>.
On 26.08.2012 00:21, Greg Stein wrote:
> On Aug 25, 2012 9:46 AM, "Benson Margulies" <bi...@gmail.com> wrote:
>> ...
>> Of course, a discussion thread started here to solicit the IPMC's
>> opinion on graduation would be another matter entirely.
>
> If Rob is representative of AOO, then no. They need more time to learn
> about the ASF.

He is representative for some of us, among them me.

-Andre



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Greg Stein <gs...@gmail.com>.
On Aug 25, 2012 9:46 AM, "Benson Margulies" <bi...@gmail.com> wrote:
>...
> Of course, a discussion thread started here to solicit the IPMC's
> opinion on graduation would be another matter entirely.

If Rob is representative of AOO, then no. They need more time to learn
about the ASF.

-g

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Benson Margulies <bi...@gmail.com>.
I submit that this sub-thread has reached the end of its useful lifetime.

The IPMC's view of binaries is clear, and the IPMC believes that its
views reflect the will of the board. 'Official' binaries, like
binaries signed with a certificate with the Foundation's name on it,
are not currently permissible. Roughly, the same questions of how the
voting members of a PMC could meaningfully check a release before
voting apply to both questions.

If you want to engage with the board on this, by all means, there is
board@. It's a complete waste of time to argue on this list and this
thread about the Foundation's governance.

In the mean time, AOO releases can continue to have 'convenience
binaries', sans signatures.

Since this is a community vote thread (!) and not an IPMC vote thread,
I further submit that all of us IPMC members should get out of the way
and leave it to the mentors to sort out the disconnect between
Foundation policy and AOO needs/wants. To quote the mentors from a
previous conversation, if people want to join in the process, they
should become mentors and fully engage.

Of course, a discussion thread started here to solicit the IPMC's
opinion on graduation would be another matter entirely.



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Fri, Aug 24, 2012 at 7:42 PM, Marvin Humphrey <ma...@rectangular.com> wrote:
> On Fri, Aug 24, 2012 at 1:00 PM, Rob Weir <ro...@apache.org> wrote:
>> Or if someone who cared sufficiently about this policy area took
>> ownership and proposed a wording of the policy, either as a Board
>> resolution, or on legal-discuss, and had that policy approved and
>> recorded via the ordinary means.
>
> As a member of the Incubator PMC, I am willing to submit the following
> question via <https://issues.apache.org/jira/browse/LEGAL>:
>
>     "AOO official binary artifacts"
>
>     May the Apache Open Office podling consider binary artifacts prepared as
>     described in this passage "official", in the sense that
>     their release is an "act of the corporation" and their contributors are
>     indemnified?
>

The correct reference is to Bylaws 12.1.  That clause does not use the
undefined term "official" or "unofficial" or "binary" or "source" or
"act of the corporation" or indeed any mention of releases at all.  It
refers to all acts done by covered persons, "...in good faith and in
a manner that such person reasonably believed to be in or not be
opposed to the best interests of the corporation".

This would be a question not only of AOO, but of any project that
currently distributes binaries.

Are PMCs when distributing binaries acting "...in good faith and in a
manner that such person reasonably believed to be in or not be opposed
to the best interests of the corporation" ?

IMHO, the "best interests of the corporation" is best determined by
the Board, not Legal Affairs.  Of course, they could choose to punt
the question to anywhere, including Legal Affairs.  But it should
start with them.

At that point we could also ask about all other non-source things that
PMCs do, including maintaining website, where there is always risk of
copyright infringements, data privacy laws, etc, or charges of
discrimination in selection or rating of student performance in Google
Summer of Code, or any of a number of risks that occur in the
operation of any corporate entity.   I think once we start poking we
find that there are many things a PMC does today, beyond the direct
distribution of source code, that brings risk.    I don't think the
Board has ever enumerated which of these other activities are covered
by 12.1 and which are not.  I have no opinion on whether doing this is
a good use of their time.  It seems doing so would tie their arms
somewhat, and it might be better to leave these questions unanswered
until such time as they arise in context.  That preserves flexibility.

-Rob

>         http://www.apache.org/dev/release.html#what
>
>         The Apache Software Foundation produces open source software. All
>         releases are in the form of the source materials needed to make
>         changes to the software being released. In some cases, binary/bytecode
>         packages are also produced as a convenience to users that might not
>         have the appropriate tools to build a compiled version of the source.
>         In all such cases, the binary/bytecode package must have the same
>         version number as the source release and may only add binary/bytecode
>         files that are the result of compiling that version of the source code
>         release.
>
> My preference would be to have someone more invested in AOO serve as advocate,
> but I will do it if no one else steps forward.
>
> Marvin Humphrey


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Marvin Humphrey <ma...@rectangular.com>.
On Fri, Aug 24, 2012 at 1:00 PM, Rob Weir <ro...@apache.org> wrote:
> Or if someone who cared sufficiently about this policy area took
> ownership and proposed a wording of the policy, either as a Board
> resolution, or on legal-discuss, and had that policy approved and
> recorded via the ordinary means.

As a member of the Incubator PMC, I am willing to submit the following
question via <https://issues.apache.org/jira/browse/LEGAL>:

    "AOO official binary artifacts"

    May the Apache Open Office podling consider binary artifacts prepared as
    described in this passage "official", in the sense that
    their release is an "act of the corporation" and their contributors are
    indemnified?

        http://www.apache.org/dev/release.html#what

        The Apache Software Foundation produces open source software. All
        releases are in the form of the source materials needed to make
        changes to the software being released. In some cases, binary/bytecode
        packages are also produced as a convenience to users that might not
        have the appropriate tools to build a compiled version of the source.
        In all such cases, the binary/bytecode package must have the same
        version number as the source release and may only add binary/bytecode
        files that are the result of compiling that version of the source code
        release.

My preference would be to have someone more invested in AOO serve as advocate,
but I will do it if no one else steps forward.

Marvin Humphrey



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Fri, Aug 24, 2012 at 2:11 PM, Dave Fisher <da...@comcast.net> wrote:
>
> On Aug 24, 2012, at 9:32 AM, Marvin Humphrey wrote:
>
>> Returning to this topic after an intermission...
>>
>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz
>> <bd...@apache.org> wrote:
>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt <jo...@gmail.com> wrote:
>>>> ...As one of the active developers I would have a serious problem if we as
>>>> project couldn't provide binary releases for our users. And I thought
>>>> the ASF is a serious enough institution that can ensure to deliver
>>>> binaries of these very popular end user oriented software and can of
>>>> course protect the very valuable brand OpenOffice that the ASF now owns
>>>> as well...
>>>
>>> As has been repeatedly mentioned in this thread and elsewhere, at the
>>> moment ASF releases consist of source code, not binaries.
>>
>> My impression from this discussion is that many podling contributors are
>> dismayed by this policy, and that there is an element within the PPMC which
>> remains convinced that it is actually up to individual PMCs within the ASF to
>> set policy as to whether binaries are official or not.
>
> It is a consequence of 10 years of official openoffice.org binary releases from both Sun and Oracle.
>
> It is a consequence of a large market share.
>

Or stated in less commercial terms, the vast amount of public good
that comes from this project.

See:  http://incubator.apache.org/openofficeorg/mission.html

>>
>>> OTOH I don't think anybody said the ASF will never allow projects to
>>> distribute binaries - but people who want to do that need to get
>>> together (*) and come up with a proposal that's compatible with the
>>> ASF's goals and constraints, so that a clear policy can be set.
>>
>> I'm concerned that such an effort may not be completed, and that once the
>> podling graduates, AOO binaries will once again be advertised as official,
>> placing the project in conflict with ASF-wide policy.  It may be that some
>> within the newly formed PMC will speak out in favor of the ASF status quo, but
>> as their position will likely be inexpedient and unpopular, it may be
>> difficult to prevail.
>
>> Of course I don't know how things will play out, but it seems to me that
>> reactions from podling contributors have ranged from discouraged to skeptical
>> to antagonistic and that there is limited enthusiasm for working within the ASF
>> on this matter.
>>
>> Gaming out this pessimistic scenario, what would it look like if the Board
>> were forced to clamp down on a rebellious AOO PMC to enforce ASF policy
>> regarding binary releases?
>
>> If we believe that we are adequately prepared for such circumstances, then I
>> think that's good enough and that fully resolving the issue of binary
>> releases prior to AOO's graduation is not required.
>
> One way to help assure proper policy would be to insist that there are several Apache Members on the future PMC.
>

Or if someone who cared sufficiently about this policy area took
ownership and proposed a wording of the policy, either as a Board
resolution, or on legal-discuss, and had that policy approved and
recorded via the ordinary means.

Right now it is unfair to say that I, or anyone else in the podling,
is "rebellious" or opposes ASF Policy in this area, since no one seems
to be able to say what the policy actually is, in specific and
actionable terms, and why they think AOO podling is or is not in
compliance.

I can give the IPMC a hand here, if my point is too obscure.  A policy
might look like this:

Resolved:   An Apache project's release consists of a canonical source
artifact, voted on and approved by the PMC.  A PMC can also distribute
additional, non-source artifacts, including documentation, binaries,
samples, etc., that are provided for the convenience of the user.
These non-source artifacts must be buildable from the canonical
source artifact.  Additional 3rd party libraries may be included
solely in compliance with license policies defined by Apache Legal
Affairs.  Additionally the non-source artifacts (or the PMC) must
____________    and must not _________________.

Fill in the blanks, get approval via normal procedures, and you have
something resembling a policy.

Regards,

-Rob


> As of now it looks like Jim and I are the only ones on the prospective PMC. That's not enough. I'm going to need a vacation from AOO soon.
>
> Regards,
> Dave
>
>>
>
>
>>
>>
>> Marvin Humphrey
>>


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
>________________________________
> From: Greg Stein <gs...@gmail.com>
>To: general@incubator.apache.org; Joe Schaefer <jo...@yahoo.com> 
>Sent: Friday, August 24, 2012 3:40 PM
>Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
>Joe: that is what is being discussed. Blessed binaries.
>
>Go back to Dennis' email for the need for these.


See that yes, but this thread is all over the map and that
element only appears in a fraction of the actual posts.


I will agree with you tho that the way forward with org-signed binaries
(as opposed to committer-PGP signed binaries constituting existing
policy) goes through legal-discuss and involves infrastructure participation.
Being caustic and accusatory is no way to make progress.


In any case this thread should just die now.




Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Greg Stein <gs...@gmail.com>.
Joe: that is what is being discussed. Blessed binaries.

Go back to Dennis' email for the need for these.

On Fri, Aug 24, 2012 at 3:11 PM, Joe Schaefer <jo...@yahoo.com> wrote:
> WHAT PROBLEM?  THERE IS NO PROBLEM HERE,
> CURRENT POLICY FULLY COVERS WHAT AOO ACTUALLY
> DOES.  END OF DISCUSSION.
>
>
> A discussion about blessing binaries with
> cryptographic signatures supplied by the org
> is totally out of scope for this thread.
>
>
>
>
>>________________________________
>> From: Benson Margulies <bi...@gmail.com>
>>To: general@incubator.apache.org
>>Sent: Friday, August 24, 2012 3:08 PM
>>Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>
>>This policy is enshrined in the original foundation articles of
>>incorporation, and has been restated, over and over, by board members.
>>Most colorfully by Roy T. Fielding, who was 'present at the birth.'
>>
>>Many are sympathetic to the AOO situation, and this is why the
>>suggestion from the VP legal was to start a discussion about how to
>>evolve to accommodate AOO rather than simply a flat refusal to consider
>>the problem.
>>


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
WHAT PROBLEM?  THERE IS NO PROBLEM HERE,
CURRENT POLICY FULLY COVERS WHAT AOO ACTUALLY
DOES.  END OF DISCUSSION.


A discussion about blessing binaries with
cryptographic signatures supplied by the org
is totally out of scope for this thread.




>________________________________
> From: Benson Margulies <bi...@gmail.com>
>To: general@incubator.apache.org 
>Sent: Friday, August 24, 2012 3:08 PM
>Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
>This policy is enshrined in the original foundation articles of
>incorporation, and has been restated, over and over, by board members.
>Most colorfully by Roy T. Fielding, who was 'present at the birth.'
>
>Many are sympathetic to the AOO situation, and this is why the
>suggestion from the VP legal was to start a discussion about how to
>evolve to accommodate AOO rather than simply a flat refusal to consider
>the problem.
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Benson Margulies <bi...@gmail.com>.
This policy is enshrined in the original foundation articles of
incorporation, and has been restated, over and over, by board members.
Most colorfully by Roy T. Fielding, who was 'present at the birth.'

Many are sympathetic to the AOO situation, and this is why the
suggestion from the VP legal was to start a discussion about how to
evolve to accommodate AOO rather than simply a flat refusal to consider
the problem.



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Dave Fisher <da...@comcast.net>.
On Aug 24, 2012, at 9:32 AM, Marvin Humphrey wrote:

> Returning to this topic after an intermission...
> 
> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz
> <bd...@apache.org> wrote:
>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt <jo...@gmail.com> wrote:
>>> ...As one of the active developers I would have a serious problem if we as
>>> project couldn't provide binary releases for our users. And I thought
>>> the ASF is a serious enough institution that can ensure to deliver
>>> binaries of these very popular end user oriented software and can of
>>> course protect the very valuable brand OpenOffice that the ASF now owns
>>> as well...
>> 
>> As has been repeatedly mentioned in this thread and elsewhere, at the
>> moment ASF releases consist of source code, not binaries.
> 
> My impression from this discussion is that many podling contributors are
> dismayed by this policy, and that there is an element within the PPMC which
> remains convinced that it is actually up to individual PMCs within the ASF to
> set policy as to whether binaries are official or not.

It is a consequence of 10 years of official openoffice.org binary releases from both Sun and Oracle.

It is a consequence of a large market share.

> 
>> OTOH I don't think anybody said the ASF will never allow projects to
>> distribute binaries - but people who want to do that need to get
>> together (*) and come up with a proposal that's compatible with the
>> ASF's goals and constraints, so that a clear policy can be set.
> 
> I'm concerned that such an effort may not be completed, and that once the
> podling graduates, AOO binaries will once again be advertised as official,
> placing the project in conflict with ASF-wide policy.  It may be that some
> within the newly formed PMC will speak out in favor of the ASF status quo, but
> as their position will likely be inexpedient and unpopular, it may be
> difficult to prevail.

> Of course I don't know how things will play out, but it seems to me that
> reactions from podling contributors have ranged from discouraged to skeptical
> to antagonistic and that there is limited enthusiasm for working within the ASF
> on this matter.
> 
> Gaming out this pessimistic scenario, what would it look like if the Board
> were forced to clamp down on a rebellious AOO PMC to enforce ASF policy
> regarding binary releases?

> If we believe that we are adequately prepared for such circumstances, then I
> think that's good enough and that fully resolving the issue of binary
> releases prior to AOO's graduation is not required.

One way to help assure proper policy would be to insist that there are several Apache Members on the future PMC.

As of now it looks like Jim and I are the only ones on the prospective PMC. That's not enough. I'm going to need a vacation from AOO soon.

Regards,
Dave

> 


> 
> 
> Marvin Humphrey
> 


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jim Jagielski <ji...@jaguNET.com>.
The ASF releases source code. We produce it, we develop it, we license it
and we release it.

We have also, as a courtesy to the community, released binaries (read: pre-
compiled and built s/w) as well. The binaries MUST be based on
the actual released code. But the s/w itself is what is produced and
released by the PMC.

This is not a new or unique question. Heck, httpd for *years*
released pre-built binaries as a courtesy to the community (mostly
the windows builds).

At issue is whether or not binaries can fall under the same
"protection" and "authority" as the source code. The question
to answer is "what exactly do you want". Do you want the builds
done on ASF hardware to be deemed "official" to the exclusion of
all other builds? What exactly does "official" mean anyway?

IMO, what is important is that the end-user obtains a binary that
he/she knows is (1) built from the actual, unadulterated office
source code release and (2) was built by someone trustworthy.
So having some sort of "build release manager" or takes
these binaries, checks that they were built correctly, and
then signing the binaries seems, to me, to be enough to cover
what we, and the end-users, need.

On Aug 24, 2012, at 2:49 PM, Joe Schaefer <jo...@yahoo.com> wrote:

> Exactly- just work within the constraints
> and there is no practical problem whatsoever.
> 
> 
> 
> 
> 
>> ________________________________
>> From: Andrew Rist <an...@oracle.com>
>> To: general@incubator.apache.org 
>> Sent: Friday, August 24, 2012 2:44 PM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>> 
>> 
>> On 8/24/2012 11:19 AM, Joe Schaefer wrote:
>>> Really, all this fuss over the LABELLING of
>>> a file being distributed does not add value
>>> to either the org, the podling, or the users
>>> of the software.  Nowhere is it written that
>>> you CANNOT DISTRIBUTE BINARIES, however it
>>> has always been clear that they are provided
>>> for the convenience of our users, not as part
>>> of an "official" release.  That however does
>>> not mean that things like release announcements
>>> cannot refer users to those binaries, it simply
>>> means those announcements need to reference the
>>> sources as "the thing that was formally voted on
>>> and approved by the ASF".
>> 
>> Thus...
>> 
>> Binaries created /from /the Official Release?
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> ________________________________
>>>> From: Dave Fisher <da...@comcast.net>
>>>> To: general@incubator.apache.org
>>>> Sent: Friday, August 24, 2012 1:56 PM
>>>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>>> 
>>>> 
>>>> On Aug 24, 2012, at 10:09 AM, Rob Weir wrote:
>>>> 
>>>>> On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir <ro...@apache.org> wrote:
>>>>>> On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey
>>>>>> <ma...@rectangular.com> wrote:
>>>>>>> Returning to this topic after an intermission...
>>>>>>> 
>>>>>>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz
>>>>>>> <bd...@apache.org> wrote:
>>>>>>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt <jo...@gmail.com> wrote:
>>>>>>>>> ...As one of the active developers I would have a serious problem if we as
>>>>>>>>> project couldn't provide binary releases for our users. And I thought
>>>>>>>>> the ASF is a serious enough institution that can ensure to deliver
>>>>>>>>> binaries of these very popular end user oriented software and can of
>>>>>>>>> course protect the very valuable brand OpenOffice that the ASF now owns
>>>>>>>>> as well...
>>>>>>>> As has been repeatedly mentioned in this thread and elsewhere, at the
>>>>>>>> moment ASF releases consist of source code, not binaries.
>>>>>>> My impression from this discussion is that many podling contributors are
>>>>>>> dismayed by this policy, and that there is an element within the PPMC which
>>>>>>> remains convinced that it is actually up to individual PMCs within the ASF to
>>>>>>> set policy as to whether binaries are official or not.
>>>>>>> 
>>>>>> If there actually is an ASF-wide Policy concerning binaries then I
>>>>>> would expect that:
>>>>>> 
>>>>>> 1) It would come from the ASF Board, or from Legal Affairs, not as
>>>>>> individual opinions on the IPMC list
>>>>>> 
>>>>>> 2) It would be documented someplace, as other important ASF policies
>>>>>> are documented
>>>>>> 
>>>>> And 2a)  Actually state the constraints of the policy, i.e., what is
>>>>> allowed or disallowed by the policy.  Merely inventing a label like
>>>>> "convenience" or "unofficial" gives absolutely zero direction to
>>>>> PMC's.  It is just a label.  Consider what the IPMC's Release Guide
>>>>> gives with regards to the source artifact.  It is labeled "canonical",
>>>>> but that level is backed up with requirements, e.g., that every
>>>>> release must include it, that it must be signed, etc.  Similarly,
>>>>> podling releases are not merely labeled "podling releases", but policy
>>>>> defines requirements, e.g., a disclaimer, a required IPMC vote, etc.
>>>>> 
>>>>> I hope I am not being too pedantic here.  But I would like to have a
>>>>> policy defined here so any PMC can determine whether they are in
>>>>> compliance.  But so far I just hear strongly held opinions that amount
>>>>> to applying labels, but not mandating or forbidding any actions with
>>>>> regards to artifacts that bear these labels.
>>>>> 
>>>>> Consider:  If some IPMC members declared loudly that "It is ASF policy
>>>>> that binary artifacts are 'Umbabuga'", what exactly would you expect a
>>>>> Podling to do, given that Umbabuga is an undefined term with no policy
>>>>> mandated or forbidden actions?
>>>>> 
>>>>> There is a seductive appeal to reaching consensus on a label. But it
>>>>> avoids the hard part of policy development, the useful part:  reaching
>>>>> consensus on constraints to actions.
>>>> The AOO PPMC was asked to take this discussion along with digital signature issue to legal-discuss to get advice. Whether or not this becomes guidance for AOO or official foundation wide policy is ultimately up to the Board and the Membership.
>>>> 
>>>> Regards,
>>>> Dave
>>>> 
>>>> 
>>>>> 
>>>>>> 3) That the policy is applied not only to AOO, but to other podlings
>>>>>> and to TLP's as well.
>>>>>> 
>>>>>> Until that happens, I hear only opinions.  But opinions, even widely
>>>>>> held opinions, even Roy opinions, are not the same as policy.
>>>>>> 
>>>>>> -Rob
>>>>>> 
>>>>>>>> OTOH I don't think anybody said the ASF will never allow projects to
>>>>>>>> distribute binaries - but people who want to do that need to get
>>>>>>>> together (*) and come up with a proposal that's compatible with the
>>>>>>>> ASF's goals and constraints, so that a clear policy can be set.
>>>>>>> I'm concerned that such an effort may not be completed, and that once the
>>>>>>> podling graduates, AOO binaries will once again be advertised as official,
>>>>>>> placing the project in conflict with ASF-wide policy.  It may be that some
>>>>>>> within the newly formed PMC will speak out in favor of the ASF status quo, but
>>>>>>> as their position will likely be inexpedient and unpopular, it may be
>>>>>>> difficult to prevail.
>>>>>>> 
>>>>>>> Of course I don't know how things will play out, but it seems to me that
>>>>>>> reactions from podling contributors have ranged from discouraged to skeptical
>>>>>>> to antagonistic and that there is limited enthusiasm for working within the ASF
>>>>>>> on this matter.
>>>>>>> 
>>>>>>> Gaming out this pessimistic scenario, what would it look like if the Board
>>>>>>> were forced to clamp down on a rebellious AOO PMC to enforce ASF policy
>>>>>>> regarding binary releases?
>>>>>>> 
>>>>>>> If we believe that we are adequately prepared for such circumstances, then I
>>>>>>> think that's good enough and that fully resolving the issue of binary
>>>>>>> releases prior to AOO's graduation is not required.
>>>>>>> 
>>>>>>> Marvin Humphrey
>>>>>>> 


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
Exactly- just work within the constraints
and there is no practical problem whatsoever.





>________________________________
> From: Andrew Rist <an...@oracle.com>
>To: general@incubator.apache.org 
>Sent: Friday, August 24, 2012 2:44 PM
>Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
>
>On 8/24/2012 11:19 AM, Joe Schaefer wrote:
>> Really, all this fuss over the LABELLING of
>> a file being distributed does not add value
>> to either the org, the podling, or the users
>> of the software.  Nowhere is it written that
>> you CANNOT DISTRIBUTE BINARIES, however it
>> has always been clear that they are provided
>> for the convenience of our users, not as part
>> of an "official" release.  That however does
>> not mean that things like release announcements
>> cannot refer users to those binaries, it simply
>> means those announcements need to reference the
>> sources as "the thing that was formally voted on
>> and approved by the ASF".
>
>Thus...
>
>Binaries created /from /the Official Release?
>>
>>
>>
>>
>>
>>
>>> ________________________________
>>> From: Dave Fisher <da...@comcast.net>
>>> To: general@incubator.apache.org
>>> Sent: Friday, August 24, 2012 1:56 PM
>>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>>
>>>
>>> On Aug 24, 2012, at 10:09 AM, Rob Weir wrote:
>>>
>>>> On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir <ro...@apache.org> wrote:
>>>>> On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey
>>>>> <ma...@rectangular.com> wrote:
>>>>>> Returning to this topic after an intermission...
>>>>>>
>>>>>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz
>>>>>> <bd...@apache.org> wrote:
>>>>>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt <jo...@gmail.com> wrote:
>>>>>>>> ...As one of the active developers I would have a serious problem if we as
>>>>>>>> project couldn't provide binary releases for our users. And I thought
>>>>>>>> the ASF is a serious enough institution that can ensure to deliver
>>>>>>>> binaries of these very popular end user oriented software and can of
>>>>>>>> course protect the very valuable brand OpenOffice that the ASF now owns
>>>>>>>> as well...
>>>>>>> As has been repeatedly mentioned in this thread and elsewhere, at the
>>>>>>> moment ASF releases consist of source code, not binaries.
>>>>>> My impression from this discussion is that many podling contributors are
>>>>>> dismayed by this policy, and that there is an element within the PPMC which
>>>>>> remains convinced that it is actually up to individual PMCs within the ASF to
>>>>>> set policy as to whether binaries are official or not.
>>>>>>
>>>>> If there actually is an ASF-wide Policy concerning binaries then I
>>>>> would expect that:
>>>>>
>>>>> 1) It would come from the ASF Board, or from Legal Affairs, not as
>>>>> individual opinions on the IPMC list
>>>>>
>>>>> 2) It would be documented someplace, as other important ASF policies
>>>>> are documented
>>>>>
>>>> And 2a)  Actually state the constraints of the policy, i.e., what is
>>>> allowed or disallowed by the policy.  Merely inventing a label like
>>>> "convenience" or "unofficial" gives absolutely zero direction to
>>>> PMC's.  It is just a label.  Consider what the IPMC's Release Guide
>>>> gives with regards to the source artifact.  It is labeled "canonical",
>>>> but that level is backed up with requirements, e.g., that every
>>>> release must include it, that it must be signed, etc.  Similarly,
>>>> podling releases are not merely labeled "podling releases", but policy
>>>> defines requirements, e.g., a disclaimer, a required IPMC vote, etc.
>>>>
>>>> I hope I am not being too pedantic here.  But I would like to have a
>>>> policy defined here so any PMC can determine whether they are in
>>>> compliance.  But so far I just hear strongly held opinions that amount
>>>> to applying labels, but not mandating or forbidding any actions with
>>>> regards to artifacts that bear these labels.
>>>>
>>>> Consider:  If some IPMC members declared loudly that "It is ASF policy
>>>> that binary artifacts are 'Umbabuga'", what exactly would you expect a
>>>> Podling to do, given that Umbabuga is an undefined term with no policy
>>>> mandated or forbidden actions?
>>>>
>>>> There is a seductive appeal to reaching consensus on a label. But it
>>>> avoids the hard part of policy development, the useful part:  reaching
>>>> consensus on constraints to actions.
>>> The AOO PPMC was asked to take this discussion along with digital signature issue to legal-discuss to get advice. Whether or not this becomes guidance for AOO or official foundation wide policy is ultimately up to the Board and the Membership.
>>>
>>> Regards,
>>> Dave
>>>
>>>
>>>>
>>>>> 3) That the policy is applied not only to AOO, but to other podlings
>>>>> and to TLP's as well.
>>>>>
>>>>> Until that happens, I hear only opinions.  But opinions, even widely
>>>>> held opinions, even Roy opinions, are not the same as policy.
>>>>>
>>>>> -Rob
>>>>>
>>>>>>> OTOH I don't think anybody said the ASF will never allow projects to
>>>>>>> distribute binaries - but people who want to do that need to get
>>>>>>> together (*) and come up with a proposal that's compatible with the
>>>>>>> ASF's goals and constraints, so that a clear policy can be set.
>>>>>> I'm concerned that such an effort may not be completed, and that once the
>>>>>> podling graduates, AOO binaries will once again be advertised as official,
>>>>>> placing the project in conflict with ASF-wide policy.  It may be that some
>>>>>> within the newly formed PMC will speak out in favor of the ASF status quo, but
>>>>>> as their position will likely be inexpedient and unpopular, it may be
>>>>>> difficult to prevail.
>>>>>>
>>>>>> Of course I don't know how things will play out, but it seems to me that
>>>>>> reactions from podling contributors have ranged from discouraged to skeptical
>>>>>> to antagonistic and that there is limited enthusiasm for working within the ASF
>>>>>> on this matter.
>>>>>>
>>>>>> Gaming out this pessimistic scenario, what would it look like if the Board
>>>>>> were forced to clamp down on a rebellious AOO PMC to enforce ASF policy
>>>>>> regarding binary releases?
>>>>>>
>>>>>> If we believe that we are adequately prepared for such circumstances, then I
>>>>>> think that's good enough and that fully resolving the issue of binary
>>>>>> releases prior to AOO's graduation is not required.
>>>>>>
>>>>>> Marvin Humphrey
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>>>>>> For additional commands, e-mail: general-help@incubator.apache.org

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Andrew Rist <an...@oracle.com>.
On 8/24/2012 11:19 AM, Joe Schaefer wrote:
> Really, all this fuss over the LABELLING of
> a file being distributed does not add value
> to either the org, the podling, or the users
> of the software.  Nowhere is it written that
> you CANNOT DISTRIBUTE BINARIES, however it
> has always been clear that they are provided
> for the convenience of our users, not as part
> of an "official" release.  That however does
> not mean that things like release announcements
> cannot refer users to those binaries, it simply
> means those announcements need to reference the
> sources as "the thing that was formally voted on
> and approved by the ASF".

Thus...

Binaries created /from/ the Official Release?
>
>> ________________________________
>> From: Dave Fisher <da...@comcast.net>
>> To: general@incubator.apache.org
>> Sent: Friday, August 24, 2012 1:56 PM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>
>>
>> On Aug 24, 2012, at 10:09 AM, Rob Weir wrote:
>>
>>> On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir <ro...@apache.org> wrote:
>>>> On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey
>>>> <ma...@rectangular.com> wrote:
>>>>> Returning to this topic after an intermission...
>>>>>
>>>>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz
>>>>> <bd...@apache.org> wrote:
>>>>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt <jo...@gmail.com> wrote:
>>>>>>> ...As one of the active developers I would have a serious problem if we as
>>>>>>> project couldn't provide binary releases for our users. And I thought
>>>>>>> the ASF is a serious enough institution that can ensure to deliver
>>>>>>> binaries of these very popular end user oriented software and can of
>>>>>>> course protect the very valuable brand OpenOffice that the ASF now owns
>>>>>>> as well...
>>>>>> As has been repeatedly mentioned in this thread and elsewhere, at the
>>>>>> moment ASF releases consist of source code, not binaries.
>>>>> My impression from this discussion is that many podling contributors are
>>>>> dismayed by this policy, and that there is an element within the PPMC which
>>>>> remains convinced that it is actually up to individual PMCs within the ASF to
>>>>> set policy as to whether binaries are official or not.
>>>>>
>>>> If there actually is an ASF-wide Policy concerning binaries then I
>>>> would expect that:
>>>>
>>>> 1) It would come from the ASF Board, or from a Legal Affairs, not as
>>>> individual opinions on the IPMC list
>>>>
>>>> 2) It would be documented someplace, as other important ASF policies
>>>> are documented
>>>>
>>> And 2a)  Actually state the constraints of the policy, i.e., what is
>>> allowed or disallowed by the policy.  Merely inventing a label like
>>> "convenience" or "unofficial" gives absolutely zero direction to
>>> PMC's.  It is just a label.  Consider what the IPMC's Release Guide
>>> gives with regards to the source artifact.  It is labeled "canonical",
>>> but that level is backed up with requirements, e.g., that every
>>> release must include it, that it must be signed, etc.  Similarly,
>>> podling releases are not merely labeled "podling releases", but policy
>>> defines requirements, e.g., a disclaimer, a required IPMC vote, etc.
>>>
>>> I hope I am not being too pedantic here.  But I would like to have a
>>> policy defined here so any PMC can determine whether they are in
>>> compliance.  But so far I just hear strongly held opinions that amount
>>> to applying labels, but not mandating or forbidding any actions with
>>> regards to artifacts that bear these labels.
>>>
>>> Consider:  If some IPMC members declared loudly that "It is ASF policy
>>> that binary artifacts are 'Umbabuga'", what exactly would you expect a
>>> Podling to do, given that Umbabuga is an undefined term with no policy
>>> mandated or forbidden actions?
>>>
>>> There is a seductive appeal to reaching consensus on a label. But it
>>> avoids the hard part of policy development, the useful part:  reaching
>>> consensus on constraints to actions.
>> The AOO PPMC was asked to take this discussion along with the digital signature issue to legal-discuss to get advice. Whether or not this becomes guidance for AOO or official foundation-wide policy is ultimately up to the Board and the Membership.
>>
>> Regards,
>> Dave
>>
>>
>>>
>>>> 3) That the policy is applied not only to AOO, but to other podlings
>>>> and to TLP's as well.
>>>>
>>>> Until that happens, I hear only opinions.  But opinions, even widely
>>>> held opinions, even Roy opinions, are not the same as policy.
>>>>
>>>> -Rob
>>>>
>>>>>> OTOH I don't think anybody said the ASF will never allow projects to
>>>>>> distribute binaries - but people who want to do that need to get
>>>>>> together (*) and come up with a proposal that's compatible with the
>>>>>> ASF's goals and constraints, so that a clear policy can be set.
>>>>> I'm concerned that such an effort may not be completed, and that once the
>>>>> podling graduates, AOO binaries will once again be advertised as official,
>>>>> placing the project in conflict with ASF-wide policy.  It may be that some
>>>>> within the newly formed PMC will speak out in favor of the ASF status quo, but
>>>>> as their position will likely be inexpedient and unpopular, it may be
>>>>> difficult to prevail.
>>>>>
>>>>> Of course I don't know how things will play out, but it seems to me that
>>>>> reactions from podling contributors have ranged from discouraged to skeptical
>>>>> to antagonistic and that there is limited enthusiasm for working within the ASF
>>>>> on this matter.
>>>>>
>>>>> Gaming out this pessimistic scenario, what would it look like if the Board
>>>>> were forced to clamp down on a rebellious AOO PMC to enforce ASF policy
>>>>> regarding binary releases?
>>>>>
>>>>> If we believe that we are adequately prepared for such circumstances, then I
>>>>> think that's good enough and that fully resolving the issue of binary
>>>>> releases prior to AOO's graduation is not required.
>>>>>
>>>>> Marvin Humphrey

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Joe Schaefer <jo...@yahoo.com>.
Really, all this fuss over the LABELLING of
a file being distributed does not add value
to either the org, the podling, or the users
of the software.  Nowhere is it written that
you CANNOT DISTRIBUTE BINARIES, however it
has always been clear that they are provided
for the convenience of our users, not as part
of an "official" release.  That however does
not mean that things like release announcements
cannot refer users to those binaries, it simply
means those announcements need to reference the
sources as "the thing that was formally voted on
and approved by the ASF".






>________________________________
> From: Dave Fisher <da...@comcast.net>
>To: general@incubator.apache.org 
>Sent: Friday, August 24, 2012 1:56 PM
>Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
>
>On Aug 24, 2012, at 10:09 AM, Rob Weir wrote:
>
>> On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir <ro...@apache.org> wrote:
>>> On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey
>>> <ma...@rectangular.com> wrote:
>>>> Returning to this topic after an intermission...
>>>> 
>>>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz
>>>> <bd...@apache.org> wrote:
>>>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt <jo...@gmail.com> wrote:
>>>>>> ...As one of the active developers I would have a serious problem if we as
>>>>>> project couldn't provide binary releases for our users. And I thought
>>>>>> the ASF is a serious enough institution that can ensure to deliver
>>>>>> binaries of these very popular end user oriented software and can of
>>>>>> course protect the very valuable brand OpenOffice that the ASF now owns
>>>>>> as well...
>>>>> 
>>>>> As has been repeatedly mentioned in this thread and elsewhere, at the
>>>>> moment ASF releases consist of source code, not binaries.
>>>> 
>>>> My impression from this discussion is that many podling contributors are
>>>> dismayed by this policy, and that there is an element within the PPMC which
>>>> remains convinced that it is actually up to individual PMCs within the ASF to
>>>> set policy as to whether binaries are official or not.
>>>> 
>>> 
>>> If there actually is an ASF-wide Policy concerning binaries then I
>>> would expect that:
>>> 
>>> 1) It would come from the ASF Board, or from a Legal Affairs, not as
>>> individual opinions on the IPMC list
>>> 
>>> 2) It would be documented someplace, as other important ASF policies
>>> are documented
>>> 
>> 
>> And 2a)  Actually state the constraints of the policy, i.e., what is
>> allowed or disallowed by the policy.  Merely inventing a label like
>> "convenience" or "unofficial" gives absolutely zero direction to
>> PMC's.  It is just a label.  Consider what the IPMC's Release Guide
>> gives with regards to the source artifact.  It is labeled "canonical",
>> but that level is backed up with requirements, e.g., that every
>> release must include it, that it must be signed, etc.  Similarly,
>> podling releases are not merely labeled "podling releases", but policy
>> defines requirements, e.g., a disclaimer, a required IPMC vote, etc.
>> 
>> I hope I am not being too pedantic here.  But I would like to have a
>> policy defined here so any PMC can determine whether they are in
>> compliance.  But so far I just hear strongly held opinions that amount
>> to applying labels, but not mandating or forbidding any actions with
>> regards to artifacts that bear these labels.
>> 
>> Consider:  If some IPMC members declared loudly that "It is ASF policy
>> that binary artifacts are 'Umbabuga'", what exactly would you expect a
>> Podling to do, given that Umbabuga is an undefined term with no policy
>> mandated or forbidden actions?
>> 
>> There is a seductive appeal to reaching consensus on a label. But it
>> avoids the hard part of policy development, the useful part:  reaching
>> consensus on constraints to actions.
>
>The AOO PPMC was asked to take this discussion along with the digital signature issue to legal-discuss to get advice. Whether or not this becomes guidance for AOO or official foundation-wide policy is ultimately up to the Board and the Membership.
>
>Regards,
>Dave
>
>
>> 
>> 
>>> 3) That the policy is applied not only to AOO, but to other podlings
>>> and to TLP's as well.
>>> 
>>> Until that happens, I hear only opinions.  But opinions, even widely
>>> held opinions, even Roy opinions, are not the same as policy.
>>> 
>>> -Rob
>>> 
>>>>> OTOH I don't think anybody said the ASF will never allow projects to
>>>>> distribute binaries - but people who want to do that need to get
>>>>> together (*) and come up with a proposal that's compatible with the
>>>>> ASF's goals and constraints, so that a clear policy can be set.
>>>> 
>>>> I'm concerned that such an effort may not be completed, and that once the
>>>> podling graduates, AOO binaries will once again be advertised as official,
>>>> placing the project in conflict with ASF-wide policy.  It may be that some
>>>> within the newly formed PMC will speak out in favor of the ASF status quo, but
>>>> as their position will likely be inexpedient and unpopular, it may be
>>>> difficult to prevail.
>>>> 
>>>> Of course I don't know how things will play out, but it seems to me that
>>>> reactions from podling contributors have ranged from discouraged to skeptical
>>>> to antagonistic and that there is limited enthusiasm for working within the ASF
>>>> on this matter.
>>>> 
>>>> Gaming out this pessimistic scenario, what would it look like if the Board
>>>> were forced to clamp down on a rebellious AOO PMC to enforce ASF policy
>>>> regarding binary releases?
>>>> 
>>>> If we believe that we are adequately prepared for such circumstances, then I
>>>> think that's good enough and that fully resolving the issue of binary
>>>> releases prior to AOO's graduation is not required.
>>>> 
>>>> Marvin Humphrey

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Dave Fisher <da...@comcast.net>.
On Aug 24, 2012, at 10:09 AM, Rob Weir wrote:

> On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir <ro...@apache.org> wrote:
>> On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey
>> <ma...@rectangular.com> wrote:
>>> Returning to this topic after an intermission...
>>> 
>>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz
>>> <bd...@apache.org> wrote:
>>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt <jo...@gmail.com> wrote:
>>>>> ...As one of the active developers I would have a serious problem if we as
>>>>> project couldn't provide binary releases for our users. And I thought
>>>>> the ASF is a serious enough institution that can ensure to deliver
>>>>> binaries of these very popular end user oriented software and can of
>>>>> course protect the very valuable brand OpenOffice that the ASF now owns
>>>>> as well...
>>>> 
>>>> As has been repeatedly mentioned in this thread and elsewhere, at the
>>>> moment ASF releases consist of source code, not binaries.
>>> 
>>> My impression from this discussion is that many podling contributors are
>>> dismayed by this policy, and that there is an element within the PPMC which
>>> remains convinced that it is actually up to individual PMCs within the ASF to
>>> set policy as to whether binaries are official or not.
>>> 
>> 
>> If there actually is an ASF-wide Policy concerning binaries then I
>> would expect that:
>> 
>> 1) It would come from the ASF Board, or from a Legal Affairs, not as
>> individual opinions on the IPMC list
>> 
>> 2) It would be documented someplace, as other important ASF policies
>> are documented
>> 
> 
> And 2a)  Actually state the constraints of the policy, i.e., what is
> allowed or disallowed by the policy.  Merely inventing a label like
> "convenience" or "unofficial" gives absolutely zero direction to
> PMC's.  It is just a label.  Consider what the IPMC's Release Guide
> gives with regards to the source artifact.  It is labeled "canonical",
> but that level is backed up with requirements, e.g., that every
> release must include it, that it must be signed, etc.  Similarly,
> podling releases are not merely labeled "podling releases", but policy
> defines requirements, e.g., a disclaimer, a required IPMC vote, etc.
> 
> I hope I am not being too pedantic here.  But I would like to have a
> policy defined here so any PMC can determine whether they are in
> compliance.  But so far I just hear strongly held opinions that amount
> to applying labels, but not mandating or forbidding any actions with
> regards to artifacts that bear these labels.
> 
> Consider:  If some IPMC members declared loudly that "It is ASF policy
> that binary artifacts are 'Umbabuga'", what exactly would you expect a
> Podling to do, given that Umbabuga is an undefined term with no policy
> mandated or forbidden actions?
> 
> There is a seductive appeal to reaching consensus on a label. But it
> avoids the hard part of policy development, the useful part:  reaching
> consensus on constraints to actions.

The AOO PPMC was asked to take this discussion along with the digital signature issue to legal-discuss to get advice. Whether or not this becomes guidance for AOO or official foundation-wide policy is ultimately up to the Board and the Membership.

Regards,
Dave


> 
> 
>> 3) That the policy is applied not only to AOO, but to other podlings
>> and to TLP's as well.
>> 
>> Until that happens, I hear only opinions.  But opinions, even widely
>> held opinions, even Roy opinions, are not the same as policy.
>> 
>> -Rob
>> 
>>>> OTOH I don't think anybody said the ASF will never allow projects to
>>>> distribute binaries - but people who want to do that need to get
>>>> together (*) and come up with a proposal that's compatible with the
>>>> ASF's goals and constraints, so that a clear policy can be set.
>>> 
>>> I'm concerned that such an effort may not be completed, and that once the
>>> podling graduates, AOO binaries will once again be advertised as official,
>>> placing the project in conflict with ASF-wide policy.  It may be that some
>>> within the newly formed PMC will speak out in favor of the ASF status quo, but
>>> as their position will likely be inexpedient and unpopular, it may be
>>> difficult to prevail.
>>> 
>>> Of course I don't know how things will play out, but it seems to me that
>>> reactions from podling contributors have ranged from discouraged to skeptical
>>> to antagonistic and that there is limited enthusiasm for working within the ASF
>>> on this matter.
>>> 
>>> Gaming out this pessimistic scenario, what would it look like if the Board
>>> were forced to clamp down on a rebellious AOO PMC to enforce ASF policy
>>> regarding binary releases?
>>> 
>>> If we believe that we are adequately prepared for such circumstances, then I
>>> think that's good enough and that fully resolving the issue of binary
>>> releases prior to AOO's graduation is not required.
>>> 
>>> Marvin Humphrey

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir <ro...@apache.org> wrote:
> On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey
> <ma...@rectangular.com> wrote:
>> Returning to this topic after an intermission...
>>
>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz
>> <bd...@apache.org> wrote:
>>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt <jo...@gmail.com> wrote:
>>>> ...As one of the active developers I would have a serious problem if we as
>>>> project couldn't provide binary releases for our users. And I thought
>>>> the ASF is a serious enough institution that can ensure to deliver
>>>> binaries of these very popular end user oriented software and can of
>>>> course protect the very valuable brand OpenOffice that the ASF now owns
>>>> as well...
>>>
>>> As has been repeatedly mentioned in this thread and elsewhere, at the
>>> moment ASF releases consist of source code, not binaries.
>>
>> My impression from this discussion is that many podling contributors are
>> dismayed by this policy, and that there is an element within the PPMC which
>> remains convinced that it is actually up to individual PMCs within the ASF to
>> set policy as to whether binaries are official or not.
>>
>
> If there actually is an ASF-wide Policy concerning binaries then I
> would expect that:
>
> 1) It would come from the ASF Board, or from a Legal Affairs, not as
> individual opinions on the IPMC list
>
> 2) It would be documented someplace, as other important ASF policies
> are documented
>

And 2a)  Actually state the constraints of the policy, i.e., what is
allowed or disallowed by the policy.  Merely inventing a label like
"convenience" or "unofficial" gives absolutely zero direction to
PMC's.  It is just a label.  Consider what the IPMC's Release Guide
gives with regards to the source artifact.  It is labeled "canonical",
but that level is backed up with requirements, e.g., that every
release must include it, that it must be signed, etc.  Similarly,
podling releases are not merely labeled "podling releases", but policy
defines requirements, e.g., a disclaimer, a required IPMC vote, etc.

I hope I am not being too pedantic here.  But I would like to have a
policy defined here so any PMC can determine whether they are in
compliance.  But so far I just hear strongly held opinions that amount
to applying labels, but not mandating or forbidding any actions with
regards to artifacts that bear these labels.

Consider:  If some IPMC members declared loudly that "It is ASF policy
that binary artifacts are 'Umbabuga'", what exactly would you expect a
Podling to do, given that Umbabuga is an undefined term with no policy
mandated or forbidden actions?

There is a seductive appeal to reaching consensus on a label. But it
avoids the hard part of policy development, the useful part:  reaching
consensus on constraints to actions.


> 3) That the policy is applied not only to AOO, but to other podlings
> and to TLP's as well.
>
> Until that happens, I hear only opinions.  But opinions, even widely
> held opinions, even Roy opinions, are not the same as policy.
>
> -Rob
>
>>> OTOH I don't think anybody said the ASF will never allow projects to
>>> distribute binaries - but people who want to do that need to get
>>> together (*) and come up with a proposal that's compatible with the
>>> ASF's goals and constraints, so that a clear policy can be set.
>>
>> I'm concerned that such an effort may not be completed, and that once the
>> podling graduates, AOO binaries will once again be advertised as official,
>> placing the project in conflict with ASF-wide policy.  It may be that some
>> within the newly formed PMC will speak out in favor of the ASF status quo, but
>> as their position will likely be inexpedient and unpopular, it may be
>> difficult to prevail.
>>
>> Of course I don't know how things will play out, but it seems to me that
>> reactions from podling contributors have ranged from discouraged to skeptical
>> to antagonistic and that there is limited enthusiasm for working within the ASF
>> on this matter.
>>
>> Gaming out this pessimistic scenario, what would it look like if the Board
>> were forced to clamp down on a rebellious AOO PMC to enforce ASF policy
>> regarding binary releases?
>>
>> If we believe that we are adequately prepared for such circumstances, then I
>> think that's good enough and that fully resolving the issue of binary
>> releases prior to AOO's graduation is not required.
>>
>> Marvin Humphrey

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey
<ma...@rectangular.com> wrote:
> Returning to this topic after an intermission...
>
> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz
> <bd...@apache.org> wrote:
>> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt <jo...@gmail.com> wrote:
>>> ...As one of the active developers I would have a serious problem if we as
>>> project couldn't provide binary releases for our users. And I thought
>>> the ASF is a serious enough institution that can ensure to deliver
>>> binaries of these very popular end user oriented software and can of
>>> course protect the very valuable brand OpenOffice that the ASF now owns
>>> as well...
>>
>> As has been repeatedly mentioned in this thread and elsewhere, at the
>> moment ASF releases consist of source code, not binaries.
>
> My impression from this discussion is that many podling contributors are
> dismayed by this policy, and that there is an element within the PPMC which
> remains convinced that it is actually up to individual PMCs within the ASF to
> set policy as to whether binaries are official or not.
>

If there actually is an ASF-wide Policy concerning binaries then I
would expect that:

1) It would come from the ASF Board, or from a Legal Affairs, not as
individual opinions on the IPMC list

2) It would be documented someplace, as other important ASF policies
are documented

3) That the policy is applied not only to AOO, but to other podlings
and to TLP's as well.

Until that happens, I hear only opinions.  But opinions, even widely
held opinions, even Roy opinions, are not the same as policy.

-Rob

>> OTOH I don't think anybody said the ASF will never allow projects to
>> distribute binaries - but people who want to do that need to get
>> together (*) and come up with a proposal that's compatible with the
>> ASF's goals and constraints, so that a clear policy can be set.
>
> I'm concerned that such an effort may not be completed, and that once the
> podling graduates, AOO binaries will once again be advertised as official,
> placing the project in conflict with ASF-wide policy.  It may be that some
> within the newly formed PMC will speak out in favor of the ASF status quo, but
> as their position will likely be inexpedient and unpopular, it may be
> difficult to prevail.
>
> Of course I don't know how things will play out, but it seems to me that
> reactions from podling contributors have ranged from discouraged to skeptical
> to antagonistic and that there is limited enthusiasm for working within the ASF
> on this matter.
>
> Gaming out this pessimistic scenario, what would it look like if the Board
> were forced to clamp down on a rebellious AOO PMC to enforce ASF policy
> regarding binary releases?
>
> If we believe that we are adequately prepared for such circumstances, then I
> think that's good enough and that fully resolving the issue of binary
> releases prior to AOO's graduation is not required.
>
> Marvin Humphrey

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Marvin Humphrey <ma...@rectangular.com>.
Returning to this topic after an intermission...

On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz
<bd...@apache.org> wrote:
> On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt <jo...@gmail.com> wrote:
>> ...As one of the active developers I would have a serious problem if we as
>> project couldn't provide binary releases for our users. And I thought
>> the ASF is a serious enough institution that can ensure to deliver
>> binaries of these very popular end user oriented software and can of
>> course protect the very valuable brand OpenOffice that the ASF now owns
>> as well...
>
> As has been repeatedly mentioned in this thread and elsewhere, at the
> moment ASF releases consist of source code, not binaries.

My impression from this discussion is that many podling contributors are
dismayed by this policy, and that there is an element within the PPMC which
remains convinced that it is actually up to individual PMCs within the ASF to
set policy as to whether binaries are official or not.

> OTOH I don't think anybody said the ASF will never allow projects to
> distribute binaries - but people who want to do that need to get
> together (*) and come up with a proposal that's compatible with the
> ASF's goals and constraints, so that a clear policy can be set.

I'm concerned that such an effort may not be completed, and that once the
podling graduates, AOO binaries will once again be advertised as official,
placing the project in conflict with ASF-wide policy.  It may be that some
within the newly formed PMC will speak out in favor of the ASF status quo, but
as their position will likely be inexpedient and unpopular, it may be
difficult to prevail.

Of course I don't know how things will play out, but it seems to me that
reactions from podling contributors have ranged from discouraged to skeptical
to antagonistic and that there is limited enthusiasm for working within the ASF
on this matter.

Gaming out this pessimistic scenario, what would it look like if the Board
were forced to clamp down on a rebellious AOO PMC to enforce ASF policy
regarding binary releases?

If we believe that we are adequately prepared for such circumstances, then I
think that's good enough and that fully resolving the issue of binary
releases prior to AOO's graduation is not required.

Marvin Humphrey


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt <jo...@gmail.com> wrote:
> ...As one of the active developers I would have a serious problem if we as
> project couldn't provide binary releases for our users. And I thought
> the ASF is a serious enough institution that can ensure to deliver
> binaries of these very popular end user oriented software and can of
> course protect the very valuable brand OpenOffice that the ASF now owns
> as well...

As has been repeatedly mentioned in this thread and elsewhere, at the
moment ASF releases consist of source code, not binaries.

OTOH I don't think anybody said the ASF will never allow projects to
distribute binaries - but people who want to do that need to get
together (*) and come up with a proposal that's compatible with the
ASF's goals and constraints, so that a clear policy can be set. A
related discussion is ongoing on infra-dev [1] about signing
artifacts, where we also have suggested that people get together and
express their requirements in a constructive way instead of
complaining.

-Bertrand

(*) Earlier in this thread, I have suggested using legal-discuss +
LEGAL jira issues to manage this cross-project discussion. The pmcs@
alias + this list can be used to invite all projects and podlings to
join such a discussion.

[1] http://s.apache.org/signing_reqs


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jürgen Schmidt <jo...@gmail.com>.
On 8/21/12 12:03 AM, drew wrote:
> On Mon, 2012-08-20 at 13:32 -0700, Marvin Humphrey wrote:
>> On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir <ro...@apache.org> wrote:
>>> Per the IPMC's "Guide to Successful Graduation" [1] this is the
>>> optional, but recommended, community vote for us to express our
>>> willingness/readiness to govern ourselves.  If this vote passes then
>>> we continue by drafting a charter, submitting it for IPMC endorsement,
>>> and then to the ASF Board for final approval.   Details can be found
>>> in the "Guide to Successful Graduation".
>>>
>>> Everyone in the community is encouraged to vote.  Votes from PPMC
>>> members and Mentors are binding.  This vote will run 72-hours.
>>>
>>>
>>> [ ] +1  Apache OpenOffice community is ready to graduate from the
>>> Apache Incubator.
>>> [ ] +0 Don't care.
>>> [ ] -1  Apache OpenOffice community is not ready to graduate from the
>>> Apache Incubator because...
>>
>> In my opinion, the issue of binary releases ought to be resolved before
>> graduation.
>>
>> If the podling believes that ASF-endorsed binaries are a hard requirement,
>> then it seems to me that the ASF is not yet ready for AOO and will not be
>> until suitable infrastructure and legal institutions to support binary
>> releases (sterile build machines, artifact signing, etc) have been created
>> and a policy has been endorsed by the Board.
>>
>> One possibility discussed in the past was to have downstream commercial
>> vendors release binaries a la Subversion's example, which would
>> obviate the need for all the effort and risk associated with providing support
>> for ASF-endorsed binaries.  For whatever reason, the AOO podling seems not to
>> have gone this direction, though.
>>
>> Marvin Humphrey
> 
> Hi Marvin,
> 
> Well, for myself, I don't have a problem with the AOO project not having
> official binary releases - in such a circumstance I would strongly
> prefer no binary release at all. 

As one of the active developers I would have a serious problem if we as
project couldn't provide binary releases for our users. And I thought
the ASF is a serious enough institution that can ensure to deliver
binaries of these very popular end user oriented software and can of
course protect the very valuable brand OpenOffice that the ASF now owns
as well.

The satisfaction of developers (at least my personal) is the fact that I
work on a piece of software used by millions of users worldwide and
these users require a binary version. And one of a trusted source and
that is allowed to name it OpenOffice.

I thought also that the ASF could leverage the brand in a way to
generate more donations for the ASF and benefit even more from the
overall success of the project. I know people who didn't know Apache
before but now because of OpenOffice. Maybe worth to think about it!

But I get once more the impression that I am probably wrong. If the day
should come that I will leave this project it will have nothing to do
with the project itself.

Juergen


> 
> On the other hand if there is a binary release from the AOO project then
> I believe it should be treated as a fully endorsed action.
> 
> One guy's opinion.
> 
> Thanks
> 
> Drew Jensen
> AOO PPMC member
> 
> 



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by drew <dr...@baseanswers.com>.
On Mon, 2012-08-20 at 13:32 -0700, Marvin Humphrey wrote:
> On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir <ro...@apache.org> wrote:
> > Per the IPMC's "Guide to Successful Graduation" [1] this is the
> > optional, but recommended, community vote for us to express our
> > willingness/readiness to govern ourselves.  If this vote passes then
> > we continue by drafting a charter, submitting it for IPMC endorsement,
> > and then to the ASF Board for final approval.   Details can be found
> > in the "Guide to Successful Graduation".
> >
> > Everyone in the community is encouraged to vote.  Votes from PPMC
> > members and Mentors are binding.  This vote will run 72-hours.
> >
> >
> > [ ] +1  Apache OpenOffice community is ready to graduate from the
> > Apache Incubator.
> > [ ] +0 Don't care.
> > [ ] -1  Apache OpenOffice community is not ready to graduate from the
> > Apache Incubator because...
> 
> In my opinion, the issue of binary releases ought to be resolved before
> graduation.
> 
> If the podling believes that ASF-endorsed binaries are a hard requirement,
> then it seems to me that the ASF is not yet ready for AOO and will not be
> until suitable infrastructure and legal institutions to support binary
> releases (sterile build machines, artifact signing, etc) have been created
> and a policy has been endorsed by the Board.
> 
> One possibility discussed in the past was to have downstream commercial
> vendors release binaries a la Subversion's example, which would
> obviate the need for all the effort and risk associated with providing support
> for ASF-endorsed binaries.  For whatever reason, the AOO podling seems not to
> have gone this direction, though.
> 
> Marvin Humphrey

Hi Marvin,

Well, for myself, I don't have a problem with the AOO project not having
official binary releases - in such a circumstance I would strongly
prefer no binary release at all. 

On the other hand if there is a binary release from the AOO project then
I believe it should be treated as a fully endorsed action.

One guy's opinion.

Thanks

Drew Jensen
AOO PPMC member



RE: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Prescott Nasser <ge...@hotmail.com>.
Actually one more question - so we can release binaries, but we can't call them official? Do we have wording for this?  "Official source code release with accompanying binaries for convenience" or some such?

> From: geobmx540@hotmail.com
> To: general@incubator.apache.org
> Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote
> Date: Mon, 20 Aug 2012 20:11:23 -0700
> 
> Simple enough - thanks.
> > Date: Mon, 20 Aug 2012 23:05:00 -0400
> > Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> > From: gstein@gmail.com
> > To: general@incubator.apache.org
> > 
> > On Mon, Aug 20, 2012 at 10:55 PM, Prescott Nasser <ge...@hotmail.com> wrote:
> > > I'm sorry, I'm playing catch-up and I'm a bit unclear on the argument - Marvin said:  "If the podling believes that ASF-endorsed binaries are a hard requirement,
> > > then it seems to me that the ASF is not yet ready for AOO and will not be
> > > until suitable infrastructure and legal institutions to support binary
> > > releases (sterile build machines, artifact signing, etc) have been created
> > > and a policy has been endorsed by the Board." Is AOO not able to determine that for them a binary is a hard requirement for their releases (along with source code)? I would think that ASF puts a minimum requirement on what an official release is, not a limit.  Why is there a requirement for special infrastructure? (perhaps that is due to the size of AOO?) Speaking just from the Lucene.Net perspective, I would consider our binaries (and nuget packages) as official - even if ASF does not specifically allow for "official releases or officially endorsed binaries" - what else would they be? They were built and put up by the same guys releasing the source code.
> > 
> > The simplest response is that source releases can be audited by (P)PMC
> > members. Binary releases cannot. If they cannot be audited, then how
> > can the ASF stand behind those releases? How can they state that the
> > releases are free of viruses/trojans/etc, and that the binary
> > precisely matches the compiled/built output of the audited source
> > release?
> > 
> > That is the first and hardest issue about having the ASF provide
> > authenticated binaries.
> > 
> > Cheers,
> > -g
> > 

RE: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Prescott Nasser <ge...@hotmail.com>.
Simple enough - thanks.

> Date: Mon, 20 Aug 2012 23:05:00 -0400
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> From: gstein@gmail.com
> To: general@incubator.apache.org
> 
> On Mon, Aug 20, 2012 at 10:55 PM, Prescott Nasser <ge...@hotmail.com> wrote:
> > I'm sorry, I'm playing catch-up and I'm a bit unclear on the argument - Marvin said:  "If the podling believes that ASF-endorsed binaries are a hard requirement,
> > then it seems to me that the ASF is not yet ready for AOO and will not be
> > until suitable infrastructure and legal institutions to support binary
> > releases (sterile build machines, artifact signing, etc) have been created
> > and a policy has been endorsed by the Board." Is AOO not able to determine that for them a binary is a hard requirement for their releases (along with source code)? I would think that ASF puts a minimum requirement on what an official release is, not a limit.  Why is there a requirement for special infrastructure? (perhaps that is due to the size of AOO?) Speaking just from the Lucene.Net perspective, I would consider our binaries (and nuget packages) as official - even if ASF does not specifically allow for "official releases or officially endorsed binaries" - what else would they be? They were built and put up by the same guys releasing the source code.
> 
> The simplest response is that source releases can be audited by (P)PMC
> members. Binary releases cannot. If they cannot be audited, then how
> can the ASF stand behind those releases? How can they state that the
> releases are free of viruses/trojans/etc, and that the binary
> precisely matches the compiled/built output of the audited source
> release?
> 
> That is the first and hardest issue about having the ASF provide
> authenticated binaries.
> 
> Cheers,
> -g
> 

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Aug 21, 2012 at 5:30 AM, Benson Margulies <bi...@gmail.com> wrote:
> Officially, no Apache project has ever, ever, released a binary.
>
> Apache projects have published convenience binaries to accompany their
> releases, which have been, by definition, source....

Agreed - for the Flex podling the mentors have asked for a distinct
"binaries" folder, see
http://apache.org/dist/incubator/flex/4.8.0-incubating/

I think that's a good step, and it would be even better to add a
README in there which points to an URL that explains the source/binary
release thing.

The best way to clarify that is probably to create an issue at
https://issues.apache.org/jira/browse/LEGAL and discuss on the
legal-discuss list, where people from multiple projects that are
affected by this can join. It's an ASF-wide issue, not an Incubator
issue.

-Bertrand (not volunteering - busy enough)


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 20, 2012 at 11:30 PM, Benson Margulies
<bi...@gmail.com> wrote:
> Officially, no Apache project has ever, ever, released a binary.
>
> Apache projects have published convenience binaries to accompany their
> releases, which have been, by definition, source.
>

Maybe you can help clarify this for me then. What exactly about the
proposed AOO 3.4.1 ballot suggests that the AOO binaries are any
different than "published convenience binaries to accompany their
releases" that you believe are permitted?

Or equivalently, can you point to something, say, in the Lucene.Net
ballot that distinguishes their binaries as different from ours in
status?

I'm honestly trying to find out what, if anything, we need to change.
Or whether we're just arguing semantics rather than code and bits.

-Rob



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Benson Margulies <bi...@gmail.com>.
Officially, no Apache project has ever, ever, released a binary.

Apache projects have published convenience binaries to accompany their
releases, which have been, by definition, source.


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 20, 2012 at 11:05 PM, Greg Stein <gs...@gmail.com> wrote:
> On Mon, Aug 20, 2012 at 10:55 PM, Prescott Nasser <ge...@hotmail.com> wrote:
>> I'm sorry, I'm playing catch-up and I'm a bit unclear on the argument - Marvin said:  "If the podling believes that ASF-endorsed binaries are a hard requirement,
>> then it seems to me that the ASF is not yet ready for AOO and will not be
>> until suitable infrastructure and legal institutions to support binary
>> releases (sterile build machines, artifact signing, etc) have been created
>> and a policy has been endorsed by the Board." Is AOO not able to determine that for them a binary is a hard requirement for their releases (along with source code)? I would think that ASF puts a minimum requirement on what an official release is, not a limit.  Why is there a requirement for special infrastructure? (perhaps that is due to the size of AOO?) Speaking just from the Lucene.Net perspective, I would consider our binaries (and nuget packages) as official - even if ASF does not specifically allow for "official releases or officially endorsed binaries" - what else would they be? They were built and put up by the same guys releasing the source code.
>
> The simplest response is that source releases can be audited by (P)PMC
> members. Binary releases cannot. If they cannot be audited, then how
> can the ASF stand behind those releases? How can they state that the
> releases are free of viruses/trojans/etc, and that the binary
> precisely matches the compiled/built output of the audited source
> release?
>

You ask a serious question; it deserves a serious answer.  This issue
faces every software distributor, not just Apache.   We verify
binary releases in several ways:

1)  As part of the release approval process project members ensure
that they can build from the source artifact.

2) I install the RC on an isolated system and check for viruses and
other malware, and then wait for a few days, refresh the virus
signatures, and test again before releasing, to ensure that we're not
caught by a zero-day attack.

3) We would like to do code signing, as do several other projects.
The discussions with Infra on how this could be accomplished are
ongoing.

Of course, the same questions could be asked of each of the large
number of ASF projects that release binaries today.  I wonder how many
of them even take the precautions of #2?

Maybe my turn for a question?  How many Apache projects have released
a binary in the past 10 years?  And how many have released a binary
containing a virus or a trojan?  And how many users have downloaded
Apache source and built it?  And how many of those users then found
that their servers were compromised due to a security flaw in the
Apache  source?  In theory source code can be inspected.  In practice,
stuff happens.  Ditto for binaries.

-Rob

> That is the first and hardest issue about having the ASF provide
> authenticated binaries.
>
> Cheers,
> -g
>


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Greg Stein <gs...@gmail.com>.
On Mon, Aug 20, 2012 at 10:55 PM, Prescott Nasser <ge...@hotmail.com> wrote:
> I'm sorry, I'm playing catch-up and I'm a bit unclear on the argument - Marvin said:  "If the podling believes that ASF-endorsed binaries are a hard requirement,
> then it seems to me that the ASF is not yet ready for AOO and will not be
> until suitable infrastructure and legal institutions to support binary
> releases (sterile build machines, artifact signing, etc) have been created
> and a policy has been endorsed by the Board." Is AOO not able to determine that for them a binary is a hard requirement for their releases (along with source code)? I would think that ASF puts a minimum requirement on what an official release is, not a limit.  Why is there a requirement for special infrastructure? (perhaps that is due to the size of AOO?) Speaking just from the Lucene.Net perspective, I would consider our binaries (and nuget packages) as official - even if ASF does not specifically allow for "official releases or officially endorsed binaries" - what else would they be? They were built and put up by the same guys releasing the source code.

The simplest response is that source releases can be audited by (P)PMC
members. Binary releases cannot. If they cannot be audited, then how
can the ASF stand behind those releases? How can they state that the
releases are free of viruses/trojans/etc, and that the binary
precisely matches the compiled/built output of the audited source
release?

That is the first and hardest issue about having the ASF provide
authenticated binaries.

Cheers,
-g


RE: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Prescott Nasser <ge...@hotmail.com>.
I'm sorry, I'm playing catch-up and I'm a bit unclear on the argument - Marvin said:

"If the podling believes that ASF-endorsed binaries are a hard requirement,
then it seems to me that the ASF is not yet ready for AOO and will not be
until suitable infrastructure and legal institutions to support binary
releases (sterile build machines, artifact signing, etc) have been created
and a policy has been endorsed by the Board."

Is AOO not able to determine that for them a binary is a hard requirement for their releases (along with source code)? I would think that ASF puts a minimum requirement on what an official release is, not a limit.  Why is there a requirement for special infrastructure? (perhaps that is due to the size of AOO?)

Speaking just from the Lucene.Net perspective, I would consider our binaries (and nuget packages) as official - even if ASF does not specifically allow for "official releases or officially endorsed binaries" - what else would they be? They were built and put up by the same guys releasing the source code.

I apologize if I misunderstood or mischaracterized anything

~P

> Date: Mon, 20 Aug 2012 22:33:43 -0400
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> From: gstein@gmail.com
> To: general@incubator.apache.org
> 
> On Aug 20, 2012 8:33 PM, "Rob Weir" <ro...@apache.org> wrote:
> >
> > On Mon, Aug 20, 2012 at 8:11 PM, Greg Stein <gs...@gmail.com> wrote:
> >...
> > > I would also state that continuing to argue is symptomatic of a
> > > failure to understand and integrate with the Foundation's thoughts on
> > > the matter. Or to at least politely discuss the situation on
> > > legal-discuss.
> >
> > I would say the lack of understanding could be in both directions, and
> > some greater tolerance  would be mutually beneficial.
> 
> I *am* being tolerant (you should see my intolerant emails). And what makes
> you believe that I don't understand? I get to offer my thoughts, and you do
> not get to say that I have a "lack of understanding" simply because you
> disagree.
> 
> > Remember, OpenOffice is unlike anything else previously at Apache.
> 
> Duh. Don't be so patronizing.
> 
> Again: I suggest the discussion about making authorized/authenticated
> binaries be moved to legal-discuss. Not here. Infrastructure may need to
> provide some input, too.
> 
> I might also point you to Sam's recommendation to avoid over-posting to a
> thread as a way to dominate / get your way. How many emails are you up to
> so far?
> 
> -g

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 20, 2012 at 10:58 PM, Rob Weir <ro...@apache.org> wrote:
> On Mon, Aug 20, 2012 at 10:33 PM, Greg Stein <gs...@gmail.com> wrote:
>> On Aug 20, 2012 8:33 PM, "Rob Weir" <ro...@apache.org> wrote:
>>>
>>> On Mon, Aug 20, 2012 at 8:11 PM, Greg Stein <gs...@gmail.com> wrote:
>>>...
>>> > I would also state that continuing to argue is symptomatic of a
>>> > failure to understand and integrate with the Foundation's thoughts on
>>> > the matter. Or to at least politely discuss the situation on
>>> > legal-discuss.
>>>
>>> I would say the lack of understanding could be in both directions, and
>>> some greater tolerance  would be mutually beneficial.
>>
>> I *am* being tolerant (you should see my intolerant emails). And what makes
>> you believe that I don't understand? I get to offer my thoughts, and you do
>> not get to say that I have a "lack of understanding" simply because you
>> disagree.
>>
>>> Remember, OpenOffice is unlike anything else previously at Apache.
>>
>> Duh. Don't be so patronizing.
>>
>
> Greg,  I am certain that you are well-informed of the details about
> OpenOffice and its history.  But for the benefit of IPMC members and
> observers who may have followed this less closely I thought that a
> brief summary would be welcome.  I apologize if you thought it was
> unnecessary.
>
>> Again: I suggest the discussion about making authorized/authenticated
>> binaries be moved to legal-discuss. Not here. Infrastructure may need to
>> provide some input, too.
>>
>
> Do you have a specific question we should be asking legal affairs
> and/or infrastructure?
>
> We have already had extensive discussions on legal-discuss, including
> discussions about specific dependencies that are only included in
> binary form in our binary artifacts, per ASF policy.  These
> discussions were in the context of releases that included source and
> binaries.  I don't recall hearing any concerns raised in principle
> about releasing binaries along with source.   The guidance from Legal
> Affairs was focused more on the permissible dependencies and required
> form for LICENSE and NOTICE and copyright statement in the binaries.
>
> But if you have a specific license-related question we should resolve
> with them, please let me know what it is.  I'd be more than happy to
> check with them.
>
> As for Infrastructure, we've also had extensive discussions with them
> on the specific topic of distributing the binaries. There was an
> initial sizing, a poll of the mirror operators and a determination
> that the storage and bandwidth would be too great for many of the
> mirror operators.  So a separate list of mirror operators was created
> who could handle our dist, and this subset rsync's with the OpenOffice
> dist.
>
> Also, SourceForge volunteered to provide us access to their
> distribution network.  This was approved by VP, Infrastructure.  As of

A slight correction.  We collaborated with SourceForge on two
projects:  hosting the extensions and templates websites as well as
mirroring the distributions.

The records show that Sam OK'ed handing over the templates and
extensions to SourceForge [1], but for the mirroring the go-ahead we
received was from Joe.

[1] http://markmail.org/message/oveyethdmsxnykfj

[2] http://markmail.org/message/ioxowodlwsqoba5i


> our AOO 3.4.0 release the majority of the downloads for the binaries
> does not involve Apache Infra at all, but goes through SourceForge.
> But the source downloads, as well as the downloads of the hashes and
> detached signatures do go through the normal ASF mirror network.
>
> Again, I'm not aware of an open question we have for Infra related to
> the proposed AOO 3.4.1 podling release.  If they had an issue I know
> they would not be shy about raising it with us.  But if you have
> something specific that you think we should ask them, please let me
> know.  I would be delighted to check with them.
>
>> I might also point you to Sam's recommendation to avoid over-posting to a
>> thread as a way to dominate / get your way. How many emails are you up to
>> so far?
>
> I'm trying to determine what your substantive issues are and to
> resolve them to your satisfaction. If you want to hear less of me,
> then please get to the point and say what your concerns are and what
> exactly would resolve it.
>
> Regards,
>
> -Rob
>>
>> -g


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 20, 2012 at 10:33 PM, Greg Stein <gs...@gmail.com> wrote:
> On Aug 20, 2012 8:33 PM, "Rob Weir" <ro...@apache.org> wrote:
>>
>> On Mon, Aug 20, 2012 at 8:11 PM, Greg Stein <gs...@gmail.com> wrote:
>>...
>> > I would also state that continuing to argue is symptomatic of a
>> > failure to understand and integrate with the Foundation's thoughts on
>> > the matter. Or to at least politely discuss the situation on
>> > legal-discuss.
>>
>> I would say the lack of understanding could be in both directions, and
>> some greater tolerance  would be mutually beneficial.
>
> I *am* being tolerant (you should see my intolerant emails). And what makes
> you believe that I don't understand? I get to offer my thoughts, and you do
> not get to say that I have a "lack of understanding" simply because you
> disagree.
>
>> Remember, OpenOffice is unlike anything else previously at Apache.
>
> Duh. Don't be so patronizing.
>

Greg,  I am certain that you are well-informed of the details about
OpenOffice and its history.  But for the benefit of IPMC members and
observers who may have followed this less closely I thought that a
brief summary would be welcome.  I apologize if you thought it was
unnecessary.

> Again: I suggest the discussion about making authorized/authenticated
> binaries be moved to legal-discuss. Not here. Infrastructure may need to
> provide some input, too.
>

Do you have a specific question we should be asking legal affairs
and/or infrastructure?

We have already had extensive discussions on legal-discuss, including
discussions about specific dependencies that are only included in
binary form in our binary artifacts, per ASF policy.  These
discussions were in the context of releases that included source and
binaries.  I don't recall hearing any concerns raised in principle
about releasing binaries along with source.   The guidance from Legal
Affairs was focused more on the permissible dependencies and required
form for LICENSE and NOTICE and copyright statement in the binaries.

But if you have a specific license-related question we should resolve
with them, please let me know what it is.  I'd be more than happy to
check with them.

As for Infrastructure, we've also had extensive discussions with them
on the specific topic of distributing the binaries. There was an
initial sizing, a poll of the mirror operators and a determination
that the storage and bandwidth would be too great for many of the
mirror operators.  So a separate list of mirror operators was created
who could handle our dist, and this subset rsync's with the OpenOffice
dist.

Also, SourceForge volunteered to provide us access to their
distribution network.  This was approved by VP, Infrastructure.  As of
our AOO 3.4.0 release the majority of the downloads for the binaries
does not involve Apache Infra at all, but goes through SourceForge.
But the source downloads, as well as the downloads of the hashes and
detached signatures do go through the normal ASF mirror network.

Again, I'm not aware of an open question we have for Infra related to
the proposed AOO 3.4.1 podling release.  If they had an issue I know
they would not be shy about raising it with us.  But if you have
something specific that you think we should ask them, please let me
know.  I would be delighted to check with them.

> I might also point you to Sam's recommendation to avoid over-posting to a
> thread as a way to dominate / get your way. How many emails are you up to
> so far?

I'm trying to determine what your substantive issues are and to
resolve them to your satisfaction. If you want to hear less of me,
then please get to the point and say what your concerns are and what
exactly would resolve them.

Regards,

-Rob
>
> -g

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Greg Stein <gs...@gmail.com>.
On Aug 20, 2012 8:33 PM, "Rob Weir" <ro...@apache.org> wrote:
>
> On Mon, Aug 20, 2012 at 8:11 PM, Greg Stein <gs...@gmail.com> wrote:
>...
> > I would also state that continuing to argue is symptomatic of a
> > failure to understand and integrate with the Foundation's thoughts on
> > the matter. Or to at least politely discuss the situation on
> > legal-discuss.
>
> I would say the lack of understanding could be in both directions, and
> some greater tolerance  would be mutually beneficial.

I *am* being tolerant (you should see my intolerant emails). And what makes
you believe that I don't understand? I get to offer my thoughts, and you do
not get to say that I have a "lack of understanding" simply because you
disagree.

> Remember, OpenOffice is unlike anything else previously at Apache.

Duh. Don't be so patronizing.

Again: I suggest the discussion about making authorized/authenticated
binaries be moved to legal-discuss. Not here. Infrastructure may need to
provide some input, too.

I might also point you to Sam's recommendation to avoid over-posting to a
thread as a way to dominate / get your way. How many emails are you up to
so far?

-g

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 20, 2012 at 8:11 PM, Greg Stein <gs...@gmail.com> wrote:
> Just because some other podlings have released binary artifacts does
> not mean AOO can base their entire release strategy on binaries.
>

True.  But we have not based our entire release strategy on binaries.
If you recall we spent a great deal of time preparing the AOO 3.4.0
release, with the vast majority of the work dedicated entirely to the
source code aspects of the release.  There were very few feature
enhancements in that initial release.  Our work was highly centered on
meeting ASF requirements with respect to pedigree review, license
headers, treatment of 3rd party components, LICENSE and NOTICE
requirements, etc.

> As Marvin has said: source releases are the primary release mechanism.
>
> Binaries are and should be a distant second.
>

And that is why we put so much effort ensuring that the source code
for OpenOffice met ASF requirements.  But we are also releasing
binaries, as we did for Apache OpenOffice 3.4.0, and as this project
has done for the past 10 years.

If you look at our release artifacts, you see that the source tar
balls are listed first, followed by binaries:

https://cwiki.apache.org/confluence/display/OOOUSERS/Development+Snapshot+Builds

Is there some specific method by which the IPMC wishes podlings to
make this distinction between the canonical source release and
binaries more clear?  I've looked at recent podling releases approved
by the IPMC and I can discern no such distinction.

> I would also state that continuing to argue is symptomatic of a
> failure to understand and integrate with the Foundation's thoughts on
> the matter. Or to at least politely discuss the situation on
> legal-discuss.
>

I would say the lack of understanding could be in both directions, and
some greater tolerance  would be mutually beneficial.

Remember, OpenOffice is unlike anything else previously at Apache.  It
is an end user product, and a very famous and well adopted one.  This
does not diminish the importance of the source code artifacts.  But it
does increase the importance of the binary ones.  This is something
the PPMC is generally happy with and matches our decade plus
experience with the project and the ecosystem.

Note also that although we take pride in the 12 million downloads of
the binaries, we take even more pride in seeing successful reuses of
the code, as we are seeing with non-Apache ports for BSD, OS/2 and
Solaris, and work on other non-ASF products based on Apache
OpenOffice, including portableApps and WinPenpack.  We have PPMC
members employed in producing products based on our source code, by
three different companies.  So we understand the value of the source
to the overall ecosystem.  But it still remains true that this is an
end user application, used by millions of users, and as a project we
will need (and desire) to give it the attention it deserves as
well.  These two work together, of course, as additional interest in
the source drives more investment into the ecosystem,

Regards,

-Rob


> Cheers,
> -g
>
> On Mon, Aug 20, 2012 at 7:33 PM, Rob Weir <ro...@apache.org> wrote:
>> On Mon, Aug 20, 2012 at 5:04 PM, Rob Weir <ro...@apache.org> wrote:
>>> On Mon, Aug 20, 2012 at 4:32 PM, Marvin Humphrey <ma...@rectangular.com> wrote:
>>>> On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir <ro...@apache.org> wrote:
>>>>> Per the IPMC's "Guide to Successful Graduation" [1] this is the
>>>>> optional, but recommended, community vote for us to express our
>>>>> willingness/readiness to govern ourselves.  If this vote passes then
>>>>> we continue by drafting a charter, submitting it for IPMC endorsement,
>>>>> and then to the ASF Board for final approval.   Details can be found
>>>>> in the "Guide to Successful Graduation".
>>>>>
>>>>> Everyone in the community is encouraged to vote.  Votes from PPMC
>>>>> members and Mentors are binding.  This vote will run 72-hours.
>>>>>
>>>>>
>>>>> [ ] +1  Apache OpenOffice community is ready to graduate from the
>>>>> Apache Incubator.
>>>>> [ ] +0 Don't care.
>>>>> [ ] -1  Apache OpenOffice community is not ready to graduate from the
>>>>> Apache Incubator because...
>>>>
>>>> In my opinion, the issue of binary releases ought to be resolved before
>>>> graduation.
>>>>
>>>> If the podling believes that ASF-endorsed binaries are a hard requirement,
>>>> then it seems to me that the ASF is not yet ready for AOO and will not be
>>>> until suitable infrastructure and legal institutions to support binary
>>>> releases (sterile build machines, artifact signing, etc) have been created
>>>> and a policy has been endorsed by the Board.
>>>>
>>>> One possibility discussed in the past was to have downstream commercial
>>>> vendors release binaries a la Subversion's example, which would
>>>> obviate the need for all the effort and risk associated with providing support
>>>> for ASF-endorsed binaries.  For whatever reason, the AOO podling seems not to
>>>> have gone this direction, though.
>>>>
>>>
>>> Let's look at the TLP's that the IPMC has recommended, and the ASF
>>> Board has approved in recent months.  Notice that a fair number of
>>> them release source and binaries, as does the OpenOffice podling:
>>>
>>
>> Some further documentation of IPMC practice in this regard:
>>
>>> Apache Lucene.Net -- releases source and binaries
>>>
>>
>> IPMC voted to approve release, and vote post pointed to both source
>> and binary artifacts:
>>
>> http://markmail.org/message/mt3xthcqqng7ftnw
>>
>>> Apache DirectMemory -- releases source only
>>>
>>> Apache VCL -- releases  source only
>>>
>>> Apache Hama --  releases source and binaries
>>>
>>
>> The people.a.o directory that was voted on by the IPMC is gone now.  I
>> suspect it included binaries as well. Certainly now that the podling
>> has graduated their release candidates include binaries:
>>
>> http://people.apache.org/~edwardyoon/dist/0.5-RC4/
>>
>>> Apache MRUnit --  releases source only
>>>
>>> Apache Giraph -- releases source only
>>>
>>> Apache ManifoldCF -- releases source and binaries
>>>
>>
>> Their most recent vote was withdrawn because they graduated before the
>> vote completed, but that IPMC vote post also pointed to both source
>> and binary artifacts:
>>
>> http://markmail.org/message/op7ofi2gudwfov3z
>>
>> So the recent practice of the IPMC has been to approve releases with
>> source and binaries, but also to graduate podlings that do so.
>>
>> Regards,
>>
>> -Rob
>>
>>
>>> So I'm not quite sure in what way the ASF "is not ready" for a TLP
>>> that releases binaries, or what additional legal or procedural work
>>> needs to be done to enable this.  As far as I can tell ASF projects
>>> release binaries today.
>>>
>>> I agree, sterile buildbots and code signing are good things to have,
>>> and we are working with Infra on this today, and would continue to
>>> pursue these avenues as a TLP.
>>>
>>> In any case, shouldn't the question be whether the podling is ready
>>> for the ASF rather than whether the ASF is ready for the podling? ;-)
>>>
>>> -Rob
>>>
>>>
>>>> Marvin Humphrey
>>>>



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Greg Stein <gs...@gmail.com>.
Just because some other podlings have released binary artifacts does
not mean AOO can base their entire release strategy on binaries.

As Marvin has said: source releases are the primary release mechanism.

Binaries are and should be a distant second.

I would also state that continuing to argue is symptomatic of a
failure to understand and integrate with the Foundation's thoughts on
the matter. Or to at least politely discuss the situation on
legal-discuss.

Cheers,
-g

On Mon, Aug 20, 2012 at 7:33 PM, Rob Weir <ro...@apache.org> wrote:
> On Mon, Aug 20, 2012 at 5:04 PM, Rob Weir <ro...@apache.org> wrote:
>> On Mon, Aug 20, 2012 at 4:32 PM, Marvin Humphrey <ma...@rectangular.com> wrote:
>>> On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir <ro...@apache.org> wrote:
>>>> Per the IPMC's "Guide to Successful Graduation" [1] this is the
>>>> optional, but recommended, community vote for us to express our
>>>> willingness/readiness to govern ourselves.  If this vote passes then
>>>> we continue by drafting a charter, submitting it for IPMC endorsement,
>>>> and then to the ASF Board for final approval.   Details can be found
>>>> in the "Guide to Successful Graduation".
>>>>
>>>> Everyone in the community is encouraged to vote.  Votes from PPMC
>>>> members and Mentors are binding.  This vote will run 72-hours.
>>>>
>>>>
>>>> [ ] +1  Apache OpenOffice community is ready to graduate from the
>>>> Apache Incubator.
>>>> [ ] +0 Don't care.
>>>> [ ] -1  Apache OpenOffice community is not ready to graduate from the
>>>> Apache Incubator because...
>>>
>>> In my opinion, the issue of binary releases ought to be resolved before
>>> graduation.
>>>
>>> If the podling believes that ASF-endorsed binaries are a hard requirement,
>>> then it seems to me that the ASF is not yet ready for AOO and will not be
>>> until suitable infrastructure and legal institutions to support binary
>>> releases (sterile build machines, artifact signing, etc) have been created
>>> and a policy has been endorsed by the Board.
>>>
>>> One possibility discussed in the past was to have downstream commercial
>>> vendors release binaries a la Subversion's example, which would
>>> obviate the need for all the effort and risk associated with providing support
>>> for ASF-endorsed binaries.  For whatever reason, the AOO podling seems not to
>>> have gone this direction, though.
>>>
>>
>> Let's look at the TLP's that the IPMC has recommended, and the ASF
>> Board has approved in recent months.  Notice that a fair number of
>> them release source and binaries, as does the OpenOffice podling:
>>
>
> Some further documentation of IPMC practice in this regard:
>
>> Apache Lucene.Net -- releases source and binaries
>>
>
> IPMC voted to approve release, and vote post pointed to both source
> and binary artifacts:
>
> http://markmail.org/message/mt3xthcqqng7ftnw
>
>> Apache DirectMemory -- releases source only
>>
>> Apache VCL -- releases  source only
>>
>> Apache Hama --  releases source and binaries
>>
>
> The people.a.o directory that was voted on by the IPMC is gone now.  I
> suspect it included binaries as well. Certainly now that the podling
> has graduated their release candidates include binaries:
>
> http://people.apache.org/~edwardyoon/dist/0.5-RC4/
>
>> Apache MRUnit --  releases source only
>>
>> Apache Giraph -- releases source only
>>
>> Apache ManifoldCF -- releases source and binaries
>>
>
> Their most recent vote was withdrawn because they graduated before the
> vote completed, but that IPMC vote post also pointed to both source
> and binary artifacts:
>
> http://markmail.org/message/op7ofi2gudwfov3z
>
> So the recent practice of the IPMC has been to approve releases with
> source and binaries, but also to graduate podlings that do so.
>
> Regards,
>
> -Rob
>
>
>> So I'm not quite sure in what way the ASF "is not ready" for a TLP
>> that releases binaries, or what additional legal or procedural work
>> needs to be done to enable this.  As far as I can tell ASF projects
>> release binaries today.
>>
>> I agree, sterile buildbots and code signing are good things to have,
>> and we are working with Infra on this today, and would continue to
>> pursue these avenues as a TLP.
>>
>> In any case, shouldn't the question be whether the podling is ready
>> for the ASF rather than whether the ASF is ready for the podling? ;-)
>>
>> -Rob
>>
>>
>>> Marvin Humphrey
>>>



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 20, 2012 at 5:04 PM, Rob Weir <ro...@apache.org> wrote:
> On Mon, Aug 20, 2012 at 4:32 PM, Marvin Humphrey <ma...@rectangular.com> wrote:
>> On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir <ro...@apache.org> wrote:
>>> Per the IPMC's "Guide to Successful Graduation" [1] this is the
>>> optional, but recommended, community vote for us to express our
>>> willingness/readiness to govern ourselves.  If this vote passes then
>>> we continue by drafting a charter, submitting it for IPMC endorsement,
>>> and then to the ASF Board for final approval.   Details can be found
>>> in the "Guide to Successful Graduation".
>>>
>>> Everyone in the community is encouraged to vote.  Votes from PPMC
>>> members and Mentors are binding.  This vote will run 72-hours.
>>>
>>>
>>> [ ] +1  Apache OpenOffice community is ready to graduate from the
>>> Apache Incubator.
>>> [ ] +0 Don't care.
>>> [ ] -1  Apache OpenOffice community is not ready to graduate from the
>>> Apache Incubator because...
>>
>> In my opinion, the issue of binary releases ought to be resolved before
>> graduation.
>>
>> If the podling believes that ASF-endorsed binaries are a hard requirement,
>> then it seems to me that the ASF is not yet ready for AOO and will not be
>> until suitable infrastructure and legal institutions to support binary
>> releases (sterile build machines, artifact signing, etc) have been created
>> and a policy has been endorsed by the Board.
>>
>> One possibility discussed in the past was to have downstream commercial
>> vendors release binaries a la Subversion's example, which would
>> obviate the need for all the effort and risk associated with providing support
>> for ASF-endorsed binaries.  For whatever reason, the AOO podling seems not to
>> have gone this direction, though.
>>
>
> Let's look at the TLP's that the IPMC has recommended, and the ASF
> Board has approved in recent months.  Notice that a fair number of
> them release source and binaries, as does the OpenOffice podling:
>

Some further documentation of IPMC practice in this regard:

> Apache Lucene.Net -- releases source and binaries
>

IPMC voted to approve release, and vote post pointed to both source
and binary artifacts:

http://markmail.org/message/mt3xthcqqng7ftnw

> Apache DirectMemory -- releases source only
>
> Apache VCL -- releases  source only
>
> Apache Hama --  releases source and binaries
>

The people.a.o directory that was voted on by the IPMC is gone now.  I
suspect it included binaries as well. Certainly now that the podling
has graduated their release candidates include binaries:

http://people.apache.org/~edwardyoon/dist/0.5-RC4/

> Apache MRUnit --  releases source only
>
> Apache Giraph -- releases source only
>
> Apache ManifoldCF -- releases source and binaries
>

Their most recent vote was withdrawn because they graduated before the
vote completed, but that IPMC vote post also pointed to both source
and binary artifacts:

http://markmail.org/message/op7ofi2gudwfov3z

So the recent practice of the IPMC has been to approve releases with
source and binaries, but also to graduate podlings that do so.

Regards,

-Rob


> So I'm not quite sure in what way the ASF "is not ready" for a TLP
> that releases binaries, or what additional legal or procedural work
> needs to be done to enable this.  As far as I can tell ASF projects
> release binaries today.
>
> I agree, sterile buildbots and code signing are good things to have,
> and we are working with Infra on this today, and would continue to
> pursue these avenues as a TLP.
>
> In any case, shouldn't the question be whether the podling is ready
> for the ASF rather than whether the ASF is ready for the podling? ;-)
>
> -Rob
>
>
>> Marvin Humphrey
>>



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Mon, Aug 20, 2012 at 4:32 PM, Marvin Humphrey <ma...@rectangular.com> wrote:
> On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir <ro...@apache.org> wrote:
>> Per the IPMC's "Guide to Successful Graduation" [1] this is the
>> optional, but recommended, community vote for us to express our
>> willingness/readiness to govern ourselves.  If this vote passes then
>> we continue by drafting a charter, submitting it for IPMC endorsement,
>> and then to the ASF Board for final approval.   Details can be found
>> in the "Guide to Successful Graduation".
>>
>> Everyone in the community is encouraged to vote.  Votes from PPMC
>> members and Mentors are binding.  This vote will run 72-hours.
>>
>>
>> [ ] +1  Apache OpenOffice community is ready to graduate from the
>> Apache Incubator.
>> [ ] +0 Don't care.
>> [ ] -1  Apache OpenOffice community is not ready to graduate from the
>> Apache Incubator because...
>
> In my opinion, the issue of binary releases ought to be resolved before
> graduation.
>
> If the podling believes that ASF-endorsed binaries are a hard requirement,
> then it seems to me that the ASF is not yet ready for AOO and will not be
> until suitable infrastructure and legal institutions to support binary
> releases (sterile build machines, artifact signing, etc) have been created
> and a policy has been endorsed by the Board.
>
> One possibility discussed in the past was to have downstream commercial
> vendors release binaries a la Subversion's example, which would
> obviate the need for all the effort and risk associated with providing support
> for ASF-endorsed binaries.  For whatever reason, the AOO podling seems not to
> have gone this direction, though.
>

Let's look at the TLP's that the IPMC has recommended, and the ASF
Board has approved in recent months.  Notice that a fair number of
them release source and binaries, as does the OpenOffice podling:

Apache Lucene.Net -- releases source and binaries

Apache DirectMemory -- releases source only

Apache VCL -- releases  source only

Apache Hama --  releases source and binaries

Apache MRUnit --  releases source only

Apache Giraph -- releases source only

Apache ManifoldCF -- releases source and binaries

So I'm not quite sure in what way the ASF "is not ready" for a TLP
that releases binaries, or what additional legal or procedural work
needs to be done to enable this.  As far as I can tell ASF projects
release binaries today.

I agree, sterile buildbots and code signing are good things to have,
and we are working with Infra on this today, and would continue to
pursue these avenues as a TLP.

In any case, shouldn't the question be whether the podling is ready
for the ASF rather than whether the ASF is ready for the podling? ;-)

-Rob


> Marvin Humphrey
>



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Marvin Humphrey <ma...@rectangular.com>.
On Sun, Aug 19, 2012 at 8:53 AM, Rob Weir <ro...@apache.org> wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...

In my opinion, the issue of binary releases ought to be resolved before
graduation.

If the podling believes that ASF-endorsed binaries are a hard requirement,
then it seems to me that the ASF is not yet ready for AOO and will not be
until suitable infrastructure and legal institutions to support binary
releases (sterile build machines, artifact signing, etc) have been created
and a policy has been endorsed by the Board.

One possibility discussed in the past was to have downstream commercial
vendors release binaries a la Subversion's example, which would
obviate the need for all the effort and risk associated with providing support
for ASF-endorsed binaries.  For whatever reason, the AOO podling seems not to
have gone this direction, though.

Marvin Humphrey



Fwd: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
---------- Forwarded message ----------
From: Rob Weir <ro...@apache.org>
Date: Sun, Aug 19, 2012 at 11:52 AM
Subject: [VOTE] Apache OpenOffice Community Graduation Vote
To: ooo-dev@incubator.apache.org


Per the IPMC's "Guide to Successful Graduation" [1] this is the
optional, but recommended, community vote for us to express our
willingness/readiness to govern ourselves.  If this vote passes then
we continue by drafting a charter, submitting it for IPMC endorsement,
and then to the ASF Board for final approval.   Details can be found
in the "Guide to Successful Graduation".

Everyone in the community is encouraged to vote.  Votes from PPMC
members and Mentors are binding.  This vote will run 72-hours.


[ ] +1  Apache OpenOffice community is ready to graduate from the
Apache Incubator.
[ ] +0 Don't care.
[ ] -1  Apache OpenOffice community is not ready to graduate from the
Apache Incubator because...


Regards,

-Rob

[1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Ying Zhang <tl...@gmail.com>.
+1 to graduate.

2012/8/20 Lei Wang <le...@gmail.com>

> +1
>
> On Sun, Aug 19, 2012 at 11:52 PM, Rob Weir <ro...@apache.org> wrote:
>
> > Per the IPMC's "Guide to Successful Graduation" [1] this is the
> > optional, but recommended, community vote for us to express our
> > willingness/readiness to govern ourselves.  If this vote passes then
> > we continue by drafting a charter, submitting it for IPMC endorsement,
> > and then to the ASF Board for final approval.   Details can be found
> > in the "Guide to Successful Graduation".
> >
> > Everyone in the community is encouraged to vote.  Votes from PPMC
> > members and Mentors are binding.  This vote will run 72-hours.
> >
> >
> > [ ] +1  Apache OpenOffice community is ready to graduate from the
> > Apache Incubator.
> > [ ] +0 Don't care.
> > [ ] -1  Apache OpenOffice community is not ready to graduate from the
> > Apache Incubator because...
> >
> >
> > Regards,
> >
> > -Rob
> >
> > [1]
> http://incubator.apache.org/guides/graduation.html#tlp-community-vote
> >
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Lei Wang <le...@gmail.com>.
+1

On Sun, Aug 19, 2012 at 11:52 PM, Rob Weir <ro...@apache.org> wrote:

> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Roberto Galoppini <rg...@geek.net>.
On Sun, Aug 19, 2012 at 5:52 PM, Rob Weir <ro...@apache.org> wrote:

> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>


+1  Apache OpenOffice community is ready to graduate from the Apache
Incubator.

Roberto

>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Kazunari Hirano <kh...@gmail.com>.
Hi all,

+1  Let us go!
:)
Thanks,
khirano


On Mon, Aug 20, 2012 at 12:52 AM, Rob Weir <ro...@apache.org> wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote



-- 
khirano@apache.org
Apache OpenOffice (incubating)
http://incubator.apache.org/openofficeorg/

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Wang Zhe <ki...@gmail.com>.
+1

2012/8/21 O.Felka <ol...@gmx.de>

>
> [X] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
>
>
> Greetings,
> Olaf
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by "O.Felka" <ol...@gmx.de>.
[X] +1  Apache OpenOffice community is ready to graduate from the
Apache Incubator.


Greetings,
Olaf

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Andrew Rist <an...@oracle.com>.
+1
On 8/19/2012 8:52 AM, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote

-- 

Andrew Rist | Interoperability Architect
Oracle Corporate Architecture Group
Redwood Shores, CA | 650.506.9847


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Herbert Duerr <hd...@alice.de>.
+1: we're ready!

Herbert
(saying hello from my vacation in Gran Canaria 8-) )
(via phone, please excuse my brevity)

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jürgen Lange <jl...@juergen-lange.de>.
[x] +1  Apache OpenOffice community is ready to graduate from the
Apache Incubator.

Jürgen

On 19.08.2012 17:52, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Reizinger Zoltán <zr...@hdsnet.hu>.
On 2012.08.19. 17:52, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>
+1  Apache OpenOffice community is ready to graduate from the Apache Incubator.

Zoltan


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Armin Le Grand <Ar...@me.com>.
+1, let's go!

Sincerely,
	Armin

On 19.08.2012 17:52, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by tj <tj...@apache.org>.
On 8/19/2012 11:52, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
  [x] +1  Apache OpenOffice community is ready to graduate from the
 > Apache Incubator.

The real test will be the process (not the result, the process) of 
picking the PMC and the Chair. Should be interesting.

/tj/


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Ian Lynch <ia...@gmail.com>.
+1

On 20 August 2012 12:24, ZuoJun Chen <zj...@gmail.com> wrote:
> Hi,
>
>     + 1 to graduate.
>
> Regards
>
> 2012/8/19 Rob Weir <ro...@apache.org>
>
>> Per the IPMC's "Guide to Successful Graduation" [1] this is the
>> optional, but recommended, community vote for us to express our
>> willingness/readiness to govern ourselves.  If this vote passes then
>> we continue by drafting a charter, submitting it for IPMC endorsement,
>> and then to the ASF Board for final approval.   Details can be found
>> in the "Guide to Successful Graduation".
>>
>> Everyone in the community is encouraged to vote.  Votes from PPMC
>> members and Mentors are binding.  This vote will run 72-hours.
>>
>>
>> [ ] +1  Apache OpenOffice community is ready to graduate from the
>> Apache Incubator.
>> [ ] +0 Don't care.
>> [ ] -1  Apache OpenOffice community is not ready to graduate from the
>> Apache Incubator because...
>> Regards,
>>
>> -Rob

-- 
Ian

Ofqual Accredited IT Qualifications (The Schools ITQ)

www.theINGOTs.org +44 (0)1827 305940

The Learning Machine Limited, Reg Office, 36 Ashby Road, Tamworth,
Staffordshire, B79 8AQ. Reg No: 05560797, Registered in England and
Wales.

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by ZuoJun Chen <zj...@gmail.com>.
Hi,

    + 1 to graduate.

Regards

2012/8/19 Rob Weir <ro...@apache.org>

> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by "Keith N. McKenna" <ke...@comcast.net>.
Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>

+1 Apache OpenOffice community is ready to graduate from the Apache 
Incubator.

Keith N. McKenna



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by RGB ES <rg...@gmail.com>.
2012/8/19 Rob Weir <ro...@apache.org>:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote

+1  Apache OpenOffice community is ready to graduate from the Apache Incubator.

Regards
Ricardo

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Anton Meixome <me...@certima.net>.
+1


-- 
Antón Méixome - Galician Native Lang Coordination
Galician community LibO & AOO

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Wang Zhe <ki...@gmail.com>.
+1

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Peter Junge <pe...@gmx.org>.
On 8/19/2012 11:52 PM, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...

Although I have been mostly limiting my participation to reading and 
moderating, I'm convinced that AOO is ready to move ahead.

+1  from my side.

Peter


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rob Weir <ro...@apache.org>.
On Sun, Aug 19, 2012 at 11:52 AM, Rob Weir <ro...@apache.org> wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>

+1 from me.

-Rob


>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by shzh zhao <ao...@gmail.com>.
 +1  Apache OpenOffice community is ready to graduate from the
Apache Incubator.

2012/8/19 Rob Weir <ro...@apache.org>

> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>



-- 
mailto: aoo.zhaoshzh@gmail.com

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by imacat <im...@mail.imacat.idv.tw>.
On 2012/08/19 23:52, Rob Weir said:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
> 
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
> 
> 
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...

+1 from me.

> 
> 
> Regards,
> 
> -Rob
> 
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote


-- 
Best regards,
imacat ^_*' <im...@mail.imacat.idv.tw>
PGP Key http://www.imacat.idv.tw/me/pgpkey.asc

<<Woman's Voice>> News: http://www.wov.idv.tw/
Tavern IMACAT's http://www.imacat.idv.tw/
Woman in FOSS in Taiwan http://wofoss.blogspot.com/
Apache OpenOffice http://www.openoffice.org/
EducOO/OOo4Kids Taiwan http://www.educoo.tw/


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Phillip Rhodes <mo...@gmail.com>.
On Sun, Aug 19, 2012 at 10:52 AM, Rob Weir <ro...@apache.org> wrote:
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...

+1


Phil

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Michal Hriň <mi...@aol.com>.
+0 Don't care

Michal Hriň


On Sun, 19 Aug 2012 17:52:33 +0200 Rob Weir <ro...@apache.org> wrote:

> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Oliver-Rainer Wittmann <or...@googlemail.com>.
+1 from my side.

Best regards, Oliver.

On 19.08.2012 17:52, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Albino B Neto <bi...@gmail.com>.
Hi

2012/8/19 Rob Weir <ro...@apache.org>:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.

+1

Albino

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Liu Da Li <wa...@gmail.com>.
 +1  Apache OpenOffice community is ready to graduate from the
Apache Incubator.

2012/8/20 Linyi Li <li...@gmail.com>

> +1
> Ready to move on~
>
> On Mon, Aug 20, 2012 at 4:24 PM, Kevin Grignon <kevingrignon.oo@gmail.com> wrote:
>
> > +1 - onward...
> >
> > On Aug 20, 2012, at 4:07 PM, Shenfeng Liu <li...@gmail.com> wrote:
> >
> > > 2012/8/19 Rob Weir <ro...@apache.org>
> > >
> > >> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> > >> optional, but recommended, community vote for us to express our
> > >> willingness/readiness to govern ourselves.  If this vote passes then
> > >> we continue by drafting a charter, submitting it for IPMC endorsement,
> > >> and then to the ASF Board for final approval.   Details can be found
> > >> in the "Guide to Successful Graduation".
> > >>
> > >> Everyone in the community is encouraged to vote.  Votes from PPMC
> > >> members and Mentors are binding.  This vote will run 72-hours.
> > >>
> > >>
> > >> [ ] +1  Apache OpenOffice community is ready to graduate from the
> > >> Apache Incubator.
> > >> [ ] +0 Don't care.
> > >> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> > >> Apache Incubator because...
> > >>
> > >>
> > >> Regards,
> > >>
> > >> -Rob
> > >>
> > >> [1]
> > http://incubator.apache.org/guides/graduation.html#tlp-community-vote
> > >>
> > >
> > > +1  Apache OpenOffice community is ready to graduate from the Apache
> > > Incubator.
> > >
> > > - Simon
> >
>
>
>
> --
> Best wishes.
> Linyi Li
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Linyi Li <li...@gmail.com>.
+1
Ready to move on~

On Mon, Aug 20, 2012 at 4:24 PM, Kevin Grignon <ke...@gmail.com> wrote:

> +1 - onward...
>
> On Aug 20, 2012, at 4:07 PM, Shenfeng Liu <li...@gmail.com> wrote:
>
> > 2012/8/19 Rob Weir <ro...@apache.org>
> >
> >> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> >> optional, but recommended, community vote for us to express our
> >> willingness/readiness to govern ourselves.  If this vote passes then
> >> we continue by drafting a charter, submitting it for IPMC endorsement,
> >> and then to the ASF Board for final approval.   Details can be found
> >> in the "Guide to Successful Graduation".
> >>
> >> Everyone in the community is encouraged to vote.  Votes from PPMC
> >> members and Mentors are binding.  This vote will run 72-hours.
> >>
> >>
> >> [ ] +1  Apache OpenOffice community is ready to graduate from the
> >> Apache Incubator.
> >> [ ] +0 Don't care.
> >> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> >> Apache Incubator because...
> >>
> >>
> >> Regards,
> >>
> >> -Rob
> >>
> >> [1]
> http://incubator.apache.org/guides/graduation.html#tlp-community-vote
> >>
> >
> > +1  Apache OpenOffice community is ready to graduate from the Apache
> > Incubator.
> >
> > - Simon
>



-- 
Best wishes.
Linyi Li

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Kevin Grignon <ke...@gmail.com>.
+1 - onward...

On Aug 20, 2012, at 4:07 PM, Shenfeng Liu <li...@gmail.com> wrote:

> 2012/8/19 Rob Weir <ro...@apache.org>
> 
>> Per the IPMC's "Guide to Successful Graduation" [1] this is the
>> optional, but recommended, community vote for us to express our
>> willingness/readiness to govern ourselves.  If this vote passes then
>> we continue by drafting a charter, submitting it for IPMC endorsement,
>> and then to the ASF Board for final approval.   Details can be found
>> in the "Guide to Successful Graduation".
>> 
>> Everyone in the community is encouraged to vote.  Votes from PPMC
>> members and Mentors are binding.  This vote will run 72-hours.
>> 
>> 
>> [ ] +1  Apache OpenOffice community is ready to graduate from the
>> Apache Incubator.
>> [ ] +0 Don't care.
>> [ ] -1  Apache OpenOffice community is not ready to graduate from the
>> Apache Incubator because...
>> 
>> 
>> Regards,
>> 
>> -Rob
>> 
>> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>> 
> 
> +1  Apache OpenOffice community is ready to graduate from the Apache
> Incubator.
> 
> - Simon

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Shenfeng Liu <li...@gmail.com>.
2012/8/19 Rob Weir <ro...@apache.org>

> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>

+1  Apache OpenOffice community is ready to graduate from the Apache
Incubator.

- Simon

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Regina Henschel <rb...@t-online.de>.
Hi,

Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>

  +1  Apache OpenOffice community is ready to graduate from the Apache 
Incubator.

Kind regards
Regina

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Andre Fischer <aw...@gmail.com>.
On 19.08.2012 17:52, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...

+1  We are ready.

Andre

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Yong Lin Ma <ma...@apache.org>.
+ 1 Time to move forward further

On Sun, Aug 19, 2012 at 11:52 PM, Rob Weir <ro...@apache.org> wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote



-- 
Regards

Yong Lin Ma

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Andrea Pescetti <pe...@apache.org>.
Rob Weir wrote:
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...

+1  Apache OpenOffice community is ready to graduate from the Apache 
Incubator.

Andrea

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Yan Ji <ya...@gmail.com>.
[X] +1  Apache OpenOffice community is ready to graduate from the
Apache Incubator.

Thanks & Best Regards, Yan Ji

On Aug 20, 2012, at 2:57 PM, Larry Gusaas <la...@gmail.com> wrote:

> +1
> 
> On 2012-08-19 9:52 AM Rob Weir wrote:
>> Per the IPMC's "Guide to Successful Graduation" [1] this is the
>> optional, but recommended, community vote for us to express our
>> willingness/readiness to govern ourselves.  If this vote passes then
>> we continue by drafting a charter, submitting it for IPMC endorsement,
>> and then to the ASF Board for final approval.   Details can be found
>> in the "Guide to Successful Graduation".
>> 
>> Everyone in the community is encouraged to vote.  Votes from PPMC
>> members and Mentors are binding.  This vote will run 72-hours.
>> 
>> 
>> [ ] +1  Apache OpenOffice community is ready to graduate from the
>> Apache Incubator.
>> [ ] +0 Don't care.
>> [ ] -1  Apache OpenOffice community is not ready to graduate from the
>> Apache Incubator because...
>> 
>> 
>> Regards,
>> 
>> -Rob
>> 
>> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>> 
> 
> 
> -- 
> _________________________________
> 
> Larry I. Gusaas
> Moose Jaw, Saskatchewan Canada
> Website: http://larry-gusaas.com
> "An artist is never ahead of his time but most people are far behind theirs." - Edgard Varese
> 
> 


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Larry Gusaas <la...@gmail.com>.
+1

On 2012-08-19 9:52 AM Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>


-- 
_________________________________

Larry I. Gusaas
Moose Jaw, Saskatchewan Canada
Website: http://larry-gusaas.com
"An artist is never ahead of his time but most people are far behind theirs." - Edgard Varese



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Carl Marcum <cm...@apache.org>.
+1  Apache OpenOffice community is ready to graduate from the Apache 
Incubator.

Best regards,
Carl

On 08/19/2012 11:52 AM, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by chengjh <ch...@apache.org>.
+1

On Wed, Aug 22, 2012 at 9:21 AM, Ian C <ia...@amham.net> wrote:

> +1
>
> On Wed, Aug 22, 2012 at 1:21 AM, Claudio Filho <fi...@gmail.com> wrote:
> > Hi
> >
> > Extremely out, in function of personal problems, but giving my vote:
> >
> > +1 Apache OpenOffice community is ready to graduate from the Apache
> Incubator.
> >
> > Claudio
> >
> > 2012/8/19 Rob Weir <ro...@apache.org>:
> >> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> >> optional, but recommended, community vote for us to express our
> >> willingness/readiness to govern ourselves.  If this vote passes then
> >> we continue by drafting a charter, submitting it for IPMC endorsement,
> >> and then to the ASF Board for final approval.   Details can be found
> >> in the "Guide to Successful Graduation".
> >>
> >> Everyone in the community is encouraged to vote.  Votes from PPMC
> >> members and Mentors are binding.  This vote will run 72-hours.
> >>
> >>
> >> [ ] +1  Apache OpenOffice community is ready to graduate from the
> >> Apache Incubator.
> >> [ ] +0 Don't care.
> >> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> >> Apache Incubator because...
> >>
> >>
> >> Regards,
> >>
> >> -Rob
> >>
> >> [1]
> http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>
>
>
> --
> Cheers,
>
> Ian C
>



-- 

Best Regards, Jianhong Cheng

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Louis Suárez-Potts <lu...@gmail.com>.
I've gone over the issues, strengths, and weaknesses, too, and:

+1

Louis


On 12-08-21, at 21:21 , Ian C <ia...@amham.net> wrote:

> +1
> 
> On Wed, Aug 22, 2012 at 1:21 AM, Claudio Filho <fi...@gmail.com> wrote:
>> Hi
>> 
>> Extremely out, in function of personal problems, but giving my vote:
>> 
>> +1 Apache OpenOffice community is ready to graduate from the Apache Incubator.
>> 
>> Claudio
>> 
>> 2012/8/19 Rob Weir <ro...@apache.org>:
>>> Per the IPMC's "Guide to Successful Graduation" [1] this is the
>>> optional, but recommended, community vote for us to express our
>>> willingness/readiness to govern ourselves.  If this vote passes then
>>> we continue by drafting a charter, submitting it for IPMC endorsement,
>>> and then to the ASF Board for final approval.   Details can be found
>>> in the "Guide to Successful Graduation".
>>> 
>>> Everyone in the community is encouraged to vote.  Votes from PPMC
>>> members and Mentors are binding.  This vote will run 72-hours.
>>> 
>>> 
>>> [ ] +1  Apache OpenOffice community is ready to graduate from the
>>> Apache Incubator.
>>> [ ] +0 Don't care.
>>> [ ] -1  Apache OpenOffice community is not ready to graduate from the
>>> Apache Incubator because...
>>> 
>>> 
>>> Regards,
>>> 
>>> -Rob
>>> 
>>> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
> 
> 
> 
> -- 
> Cheers,
> 
> Ian C


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Ian C <ia...@amham.net>.
+1

On Wed, Aug 22, 2012 at 1:21 AM, Claudio Filho <fi...@gmail.com> wrote:
> Hi
>
> Extremely out, in function of personal problems, but giving my vote:
>
> +1 Apache OpenOffice community is ready to graduate from the Apache Incubator.
>
> Claudio
>
> 2012/8/19 Rob Weir <ro...@apache.org>:
>> Per the IPMC's "Guide to Successful Graduation" [1] this is the
>> optional, but recommended, community vote for us to express our
>> willingness/readiness to govern ourselves.  If this vote passes then
>> we continue by drafting a charter, submitting it for IPMC endorsement,
>> and then to the ASF Board for final approval.   Details can be found
>> in the "Guide to Successful Graduation".
>>
>> Everyone in the community is encouraged to vote.  Votes from PPMC
>> members and Mentors are binding.  This vote will run 72-hours.
>>
>>
>> [ ] +1  Apache OpenOffice community is ready to graduate from the
>> Apache Incubator.
>> [ ] +0 Don't care.
>> [ ] -1  Apache OpenOffice community is not ready to graduate from the
>> Apache Incubator because...
>>
>>
>> Regards,
>>
>> -Rob
>>
>> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote



-- 
Cheers,

Ian C

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Claudio Filho <fi...@gmail.com>.
Hi

Extremely out, in function of personal problems, but giving my vote:

+1 Apache OpenOffice community is ready to graduate from the Apache Incubator.

Claudio

2012/8/19 Rob Weir <ro...@apache.org>:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Tan Li <li...@gmail.com>.
+1  Apache OpenOffice community is ready to graduate from the Apache
Incubator.

Regards,

Tan Li

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Christian Grobmeier <gr...@gmail.com>.
On Mon, Aug 20, 2012 at 12:14 PM, Jörg Schmidt <jo...@j-m-schmidt.de> wrote:
> hello,
>
> Rob Weir wrote:
>
>> [...]
>
>
> Am I authorized to vote? If so then:

Everybody is invited to voice his opinion. Non-PMC members usually add
"non-binding" to their vote to make the vote counter's life easier.

Cheers!

> [x] +1  Apache OpenOffice community is ready to graduate from the Apache Incubator.
>
>
> greetings
> Jörg
>



-- 
http://www.grobmeier.de
https://www.timeandbill.de

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Jörg Schmidt <jo...@j-m-schmidt.de>.
hello,

Rob Weir wrote:

> [...]


Am I authorized to vote? If so then:

[x] +1  Apache OpenOffice community is ready to graduate from the Apache Incubator.


greetings
Jörg 


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Raphael Bircher <rb...@apache.org>.
+1

On 19.08.12 17:52, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote


Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Rory O'Farrell <of...@iol.ie>.
On Sun, 19 Aug 2012 11:52:33 -0400
Rob Weir <ro...@apache.org> wrote:

> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
> 
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
> 
> 
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...

+1  Apache OpenOffice community is ready to graduate from the Apache Incubator.


-- 
Rory O'Farrell <of...@iol.ie>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by David McKay <dm...@btconnect.com>.
+1.

On 19/08/2012 16:52, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>
>



Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Graham Lauder <yo...@apache.org>.
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
> 
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
> 
> 
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
> 
> 
> Regards,
> 
> -Rob



+1 Let's get this party started

Cheers
GL

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by Bingbing Ma <ji...@gmail.com>.
+1

2012/8/21 dongjun zong <zo...@gmail.com>

> +1
>
>
>
> 2012/8/21 Juan C. Sanz <ju...@hotmail.com>
>
> > On 19/08/2012 17:52, Rob Weir wrote:
> >
> >  Per the IPMC's "Guide to Successful Graduation" [1] this is the
> >> optional, but recommended, community vote for us to express our
> >> willingness/readiness to govern ourselves.  If this vote passes then
> >> we continue by drafting a charter, submitting it for IPMC endorsement,
> >> and then to the ASF Board for final approval.   Details can be found
> >> in the "Guide to Successful Graduation".
> >>
> >> Everyone in the community is encouraged to vote.  Votes from PPMC
> >> members and Mentors are binding.  This vote will run 72-hours.
> >>
> >>
> >> [ ] +1  Apache OpenOffice community is ready to graduate from the
> >> Apache Incubator.
> >> [ ] +0 Don't care.
> >> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> >> Apache Incubator because...
> >>
> >>
> >> Regards,
> >>
> >> -Rob
> >>
> > >> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
> >>
> >>
> >>  +1
> > Regards
> >
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by dongjun zong <zo...@gmail.com>.
+1



2012/8/21 Juan C. Sanz <ju...@hotmail.com>

> On 19/08/2012 17:52, Rob Weir wrote:
>
>  Per the IPMC's "Guide to Successful Graduation" [1] this is the
>> optional, but recommended, community vote for us to express our
>> willingness/readiness to govern ourselves.  If this vote passes then
>> we continue by drafting a charter, submitting it for IPMC endorsement,
>> and then to the ASF Board for final approval.   Details can be found
>> in the "Guide to Successful Graduation".
>>
>> Everyone in the community is encouraged to vote.  Votes from PPMC
>> members and Mentors are binding.  This vote will run 72-hours.
>>
>>
>> [ ] +1  Apache OpenOffice community is ready to graduate from the
>> Apache Incubator.
>> [ ] +0 Don't care.
>> [ ] -1  Apache OpenOffice community is not ready to graduate from the
>> Apache Incubator because...
>>
>>
>> Regards,
>>
>> -Rob
>>
>> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>>
>>
>>  +1
> Regards
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by "Juan C. Sanz" <ju...@hotmail.com>.
On 19/08/2012 17:52, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote
>
>
+1
Regards

Re: [VOTE] Apache OpenOffice Community Graduation Vote

Posted by "Marcus (OOo)" <ma...@wtnet.de>.
+1

Marcus



On 08/19/2012 05:52 PM, Rob Weir wrote:
> Per the IPMC's "Guide to Successful Graduation" [1] this is the
> optional, but recommended, community vote for us to express our
> willingness/readiness to govern ourselves.  If this vote passes then
> we continue by drafting a charter, submitting it for IPMC endorsement,
> and then to the ASF Board for final approval.   Details can be found
> in the "Guide to Successful Graduation".
>
> Everyone in the community is encouraged to vote.  Votes from PPMC
> members and Mentors are binding.  This vote will run 72-hours.
>
>
> [ ] +1  Apache OpenOffice community is ready to graduate from the
> Apache Incubator.
> [ ] +0 Don't care.
> [ ] -1  Apache OpenOffice community is not ready to graduate from the
> Apache Incubator because...
>
>
> Regards,
>
> -Rob
>
> [1] http://incubator.apache.org/guides/graduation.html#tlp-community-vote