| Subject: | RE: Binary channels | |
|---|---|---|
| From: | Wheeler, David A (dwhe...@ida.org) | |
| Date: | Jan 21, 2019 11:32:15 am | |
| List: | org.apache.legal-discuss | |
Davor Bonaci <dav...@apache.org> on Monday, January 21, 2019 1:22 PM said:
> I, too, want to join Roman, David, et al. and put down a strong opinion that our
> current position is disillusional. If ever tested, our total disavowment of
> binaries will simply not stand...
This is a fair point. In *practice* people depend on those binaries, and it is
practice that matters.
We can and should do better, and evolve in this area. We already trust random
people to brand random binaries with our names if they pledge that they will
forever follow Mark's rules -- which we don't/cannot verify. I would trust our
release managers to produce proper binaries, verified to the degree possible by
other members of the community, and invest in tooling to support both sides, as
deemed necessary and appropriate.
I suggest that, in the longer term, ASF work towards developing *reproducible*
builds and establishing mechanisms to verify the builds of all Apache projects.
It is quite possible to record what tools were used to build something,
reproduce the build in multiple places, and then verify that the different
builds match. Of course, this doesn't eliminate all problems (e.g., by itself
it doesn't counter malicious tools used during a build). However, it counters
many problems (it strongly counters subverted builds, and it even provides a
starting point for countering malicious tools).
Switching to reproducible builds would transform "trusting random people" into
an ASF process that verifies builds. Historically the computing costs would
have been too expensive to do this, but computing is so cheap now that its costs
are not a real barrier.
Technical work is necessary to make this happen, and that obviously takes time &
money, but the most important part is a policy to create & verify reproducible
builds in the first place. Such work has been going on for some time in various
communities; more info is here:
https://reproducible-builds.org/
--- David A. Wheeler
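The verification loop sketched above (record the tools, rebuild independently, compare the results) as an added example; this is not code from the thread or from the ASF. It assumes GNU tar (with --sort), gzip, sha256sum and mktemp, and packages a small constructed source tree in place of a real project checkout.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal reproducible-build check.
# Two independent builds of the same source must produce byte-identical
# artifacts; a recorded "buildinfo" captures the tools used so that a
# third party can repeat the build and compare digests.
set -eu

# Constructed sample source tree, standing in for a project checkout.
make_source() {
  mkdir -p "$1/src"
  printf 'int main(void){return 0;}\n' > "$1/src/main.c"
  printf 'hello\n' > "$1/src/README"
}

# Deterministic packaging: pinned mtime, sorted entries, fixed owner/group,
# and gzip without an embedded timestamp (-n). Each of these is a common
# source of spurious differences between otherwise identical builds.
build() {                      # build <srcdir> <outfile>
  tar --sort=name --mtime="@${SOURCE_DATE_EPOCH:-0}" \
      --owner=0 --group=0 --numeric-owner \
      -C "$1" -cf - src | gzip -n > "$2"
}

# Record which tools produced the artifact, alongside its digest.
record_buildinfo() {           # record_buildinfo <artifact> <infofile>
  { printf 'tar: %s\n' "$(tar --version | head -1)"
    printf 'gzip: %s\n' "$(gzip --version | head -1)"
    printf 'sha256: %s\n' "$(sha256sum "$1" | cut -d' ' -f1)"; } > "$2"
}

# Build twice in separate work directories (standing in for two builders)
# and compare the digests. Returns 0 only when they match.
verify_reproducible() {
  w=$(mktemp -d)
  make_source "$w/a"; make_source "$w/b"
  build "$w/a" "$w/a.tgz"; build "$w/b" "$w/b.tgz"
  record_buildinfo "$w/a.tgz" "$w/a.buildinfo"
  ha=$(sha256sum "$w/a.tgz" | cut -d' ' -f1)
  hb=$(sha256sum "$w/b.tgz" | cut -d' ' -f1)
  rm -rf "$w"
  if [ "$ha" = "$hb" ]; then echo "REPRODUCIBLE $ha"; return 0; fi
  echo "MISMATCH $ha $hb"; return 1
}
```

Dropping any of the tar/gzip pinning flags is the quickest way to see why the buildinfo matters: the archive contents stay the same while the digest stops matching.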