Clarify what files are allowed in source releases

[Julian Hyde <jh...@apache.org>]

The discussion about whether source releases can contain .jar files is
having an impact in the wider ASF community. There have been some
useful clarifying comments on ASF-private threads (e.g. [1]) but these
are not visible to some PMC members who are voting on releases (see
e.g. [2])

I know there is an action to clarify policy documents. But that might
take a while. it would be really useful if VP legal could answer
simple questions like the following. (Several board members have
opined on these questions in [1] but since it is a private thread I
cannot reproduce them here.)

1. Are images (.png, .gif, .jpg) allowed in source releases?

2. Are non-binary "compiled" files like .min.js allowed in source releases?

3. Are binary documents (.pdf, .doc) allowed in source releases?

4. Are .jar files allowed in source releases?

Julian

[1] https://lists.apache.org/thread.html/rd8a32e8b47effd97e34b521e97a92953af7ea41d776b1c1766b362ae%40%3Cboard.apache.org%3E

[2] https://issues.apache.org/jira/browse/CALCITE-4575

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

Re: Clarify what files are allowed in source releases

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> I don't follow. Most of the things above a reasonable human being would probably agree is part of the source.

A number of source releases I’ve looked at contain binary files (not code) that a reasonable person would probably not consider to be the “source form”. I can find examples for you if it helps.

Thanks,
Justin
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

Re: Clarify what files are allowed in source releases

[Roman Shaposhnik <ro...@shaposhnik.org>]

On Fri, Apr 9, 2021 at 6:54 PM Justin Mclean <ju...@classsoftware.com>
wrote:

> Hi,
>
> > There's a part of me that is saying that this line of questioning is not
> > useful.
>
> That may be the case but sometimes projects (in particular incubating
> ones) need clear answers to their questions.


Sure. And some [geek] plaintiffs/defendants would like the law to be fully
verifiable formal code -- ain't gonna happen.


> If we say you can decide what is source and what is not we’ll have a risk
> of  incubating projects copying other projects and then not understanding
> why, and it may not be appropriate for their project or the resource in
> question.
>

That's why we have the spirit of the law to be agreed to. That's why we
have Legal committee
to appeal to when it is unclear when something is happening within the
spirit of the law.


> > Basically, the way I see it -- there's a letter of the law and the spirit
> > of the law. The spirit of the law is simple: whatever a reasonable
> > human being would recognize as a source should be allowed in
> > a source release.
>
> But this certainly does apply. I can think of a number of occasions where
> we had project bend policy to not be within its spirit.
>

Sure. People break the law willingly and unwillingly on regular occasions.
Not sure what does it prove.


> > But again -- the test is this: would a reasonable human being
> > work with this artifact in its source form -- if the answer is yes,
> > it should be allowed.
>
> That approach may not quite work for  a couple of things that are
> typically included in source releases e.g. font files, some generated
> files, test data and the like.
>

I don't follow. Most of the things above a reasonable human being would
probably agree is part of the source.

Thanks,
Roman.

Re: Clarify what files are allowed in source releases

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> There's a part of me that is saying that this line of questioning is not
> useful. 

That may be the case but sometimes projects (in particular incubating ones) need clear answers to their questions. If we say you can decide what is source and what is not we’ll have a risk of  incubating projects copying other projects and then not understanding why, and it may not be appropriate for their project or the resource in question.

> Basically, the way I see it -- there's a letter of the law and the spirit
> of the law. The spirit of the law is simple: whatever a reasonable
> human being would recognize as a source should be allowed in 
> a source release. 

But this certainly does apply. I can think of a number of occasions where we had project bend policy to not be within its spirit.

> But again -- the test is this: would a reasonable human being
> work with this artifact in its source form -- if the answer is yes,
> it should be allowed.

That approach may not quite work for  a couple of things that are typically included in source releases e.g. font files, some generated files, test data and the like.

Thanks,
Justin
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

Re: Clarify what files are allowed in source releases

[Roman Shaposhnik <ro...@shaposhnik.org>]

On Fri, Apr 9, 2021 at 3:57 PM Julian Hyde <jh...@apache.org> wrote:

> The discussion about whether source releases can contain .jar files is
> having an impact in the wider ASF community. There have been some
> useful clarifying comments on ASF-private threads (e.g. [1]) but these
> are not visible to some PMC members who are voting on releases (see
> e.g. [2])


Funny you should start this thread -- I'm actually working on splitting
the policy into legal vs. informative ;-)


> I know there is an action to clarify policy documents. But that might
> take a while. it would be really useful if VP legal could answer
> simple questions like the following. (Several board members have
> opined on these questions in [1] but since it is a private thread I
> cannot reproduce them here.)
>
> 1. Are images (.png, .gif, .jpg) allowed in source releases?
>
> 2. Are non-binary "compiled" files like .min.js allowed in source releases?
>
> 3. Are binary documents (.pdf, .doc) allowed in source releases?
>
> 4. Are .jar files allowed in source releases?
>

There's a part of me that is saying that this line of questioning is not
useful.

Basically, the way I see it -- there's a letter of the law and the spirit
of the law. The spirit of the law is simple: whatever a reasonable
human being would recognize as a source should be allowed in
a source release.

IOW, a Microsoft Word document would qualify as a source,
a jar file definitely wouldn't -- everything else is in between.

But again -- the test is this: would a reasonable human being
work with this artifact in its source form -- if the answer is yes,
it should be allowed.

Thanks,
Roman.

Re: Clarify what files are allowed in source releases

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> What about test files that are archives?

The advice has generally been to build that resource from code as part of your build process.

Thanks,
Justin

Re: Clarify what files are allowed in source releases

[Dave Fisher <wa...@comcast.net>]

Sent from my iPhone

> On Apr 9, 2021, at 4:55 PM, Justin Mclean <ju...@classsoftware.com> wrote:
> 
> Hi,
> 
> I’m not VP legal but have reviewed 100s and 100s of releases and I’m on the legal committee.
> 
>> 1. Are images (.png, .gif, .jpg) allowed in source releases?
> 
> Yes if you have permission to use and distribute the images and they are licensed appropriately. The same applies to binary font files. 
> 
> I’ve voted -1 on releases because they have contained cat photos before.
> 
>> 2. Are non-binary "compiled" files like .min.js allowed in source releases?
> 
> Yes, if you include the original source as well. There might be some differing opinions here.
> 
>> 3. Are binary documents (.pdf, .doc) allowed in source releases?
> 
> Yes if you have permission to use and distribute the document and they are licensed appropriately. 
> 
>> 4. Are .jar files allowed in source releases?
> 
> No.

What about test files that are archives?

Regards,
Dave

> 
> However with any policy / guideline a project could ask for permission to do something different or an exception.
> 
> Thanks,
> Justin
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

Re: Clarify what files are allowed in source releases

[Julian Hyde <jh...@apache.org>]

Thanks, everyone, for the replies. I do find it useful to have both
the letter of the law and examples that illustrate the spirit of the
law. I hope you can find a way to accommodate both, Roman, when you
publish the revised policy.

Useful case in point: .jar and .zip files have essentially the same
format, but .jar files typically contain .class files, which are the
binary output of a compiler, whereas .zip files might contain benign
text/data files such as .csv. So it all comes down to the reviewer's
discretion.

Julian

On Sat, Apr 10, 2021 at 6:05 AM Neil C Smith <ne...@apache.org> wrote:
>
>
> On Sat, 10 Apr 2021, 09:38 Justin Mclean, <ju...@classsoftware.com> wrote:
>>
>> > Are .zip files?!
>>
>> It's going to depend on what is in them obviously. Currently I know of releases that contain zip files, they do make it hard to review releases as you need to look inside the zip files.
>
>
> Exactly. My point was that jar files are zip files, so should likewise depend on what's in them? Agree on the try not to, harder to review, etc. But it's not a hypothetical concern to a straight no .jar files as a file type right now.
>
> Best wishes,
>
> Neil

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

Re: Clarify what files are allowed in source releases

[Neil C Smith <ne...@apache.org>]

On Sat, 10 Apr 2021, 09:38 Justin Mclean, <ju...@classsoftware.com> wrote:

> > Are .zip files?!
>
> It's going to depend on what is in them obviously. Currently I know of
> releases that contain zip files, they do make it hard to review releases as
> you need to look inside the zip files.
>

Exactly. My point was that jar files are zip files, so should likewise
depend on what's in them? Agree on the try not to, harder to review, etc.
But it's not a hypothetical concern to a straight no .jar files as a file
type right now.

Best wishes,

Neil

Re: Clarify what files are allowed in source releases

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> Are .zip files?!

It's going to depend on what is in them obviously. Currently I know of releases that contain zip files, they do make it hard to review releases as you need to look inside the zip files.

Thanks,
Justin
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

Re: Clarify what files are allowed in source releases

[Neil C Smith <ne...@apache.org>]

On Sat, 10 Apr 2021, 00:55 Justin Mclean, <ju...@classsoftware.com> wrote:

> > 4. Are .jar files allowed in source releases?
>
> No.
>

Are .zip files?!

There are also some uses for .jar files that don't contain compiled code.
It would be good if they didn't get banned accidentally in the course of
this thread. ;-)

Best wishes,

Neil

>

Re: Clarify what files are allowed in source releases

[Justin Mclean <ju...@classsoftware.com>]

Hi,

I’m not VP legal but have reviewed 100s and 100s of releases and I’m on the legal committee.

> 1. Are images (.png, .gif, .jpg) allowed in source releases?

Yes if you have permission to use and distribute the images and they are licensed appropriately. The same applies to binary font files. 

I’ve voted -1 on releases because they have contained cat photos before.

> 2. Are non-binary "compiled" files like .min.js allowed in source releases?

Yes, if you include the original source as well. There might be some differing opinions here.

> 3. Are binary documents (.pdf, .doc) allowed in source releases?

Yes if you have permission to use and distribute the document and they are licensed appropriately. 

> 4. Are .jar files allowed in source releases?

No.

However with any policy / guideline a project could ask for permission to do something different or an exception.

Thanks,
Justin


---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org