Update legal/src-headers to allow https

[ctubbsii]

• Keep http by default in the recommended source header
• Add wording to make it clear that https is also acceptable

[ctubbsii]

This only changes the recommended source header that ASF projects themselves "should" use. It doesn't change the "how to apply" section at the bottom of the Apache 2.0 LICENSE page. The change here makes it clear that either http or https are permitted, but changes the default copy/paste recommendation to use https for the URL.

[ctubbsii]

https://issues.apache.org/jira/browse/LEGAL-265 resolved the question of whether the deviation to use https is acceptable or not (the conclusion was that it was acceptable).

And, from a certain technical perspective, it could be argued that the https version is already effectively the canonical location, since the http version of the link is merely a 301 permanent redirect to the https version.

[ctubbsii]

I backed out the changes to make https the default in the source header. Interestingly, I noticed that the front matter at the top of this markdown file already uses https in it's own link to the license. It doesn't have much bearing on this PR or the recommended source header, but I thought it was interesting.

[ctubbsii]

I rebased this on the main branch, and added suggested wording to the license FAQs because the question keeps arising for that as well as for the source headers.

[garydgregory]

So why not say https in the license URL as the normative scheme?

[ctubbsii]

So why not say https in the license URL as the normative scheme?

Can you please rephrase your question? I'm not sure what you mean by "as the normative scheme".

[garydgregory]

Hi,

Should we replace the header example with "https" and then talk about http and https as both valid? Should we express a preference for for https?

Gary

On Sat, Jun 1, 2024, 12:22 AM Christopher Tubbs @.***> wrote:

So why not say https in the license URL as the normative scheme?

Can you please rephrase your question? I'm not sure what you mean by "as the normative scheme".

— Reply to this email directly, view it on GitHub https://github.com/apache/www-site/pull/331#issuecomment-2143282768, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAJB6NYA227UIHX6436KACLZFFEBTAVCNFSM6AAAAABA4KJDTOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNBTGI4DENZWHA . You are receiving this because you commented.Message ID: @.***>

[ctubbsii]

Hi, Should we replace the header example with "https" and then talk about http and https as both valid? Should we express a preference for for https? Gary

I see. That has been discussed at length on the mailing list, and there seems to be reluctance to do that, for a variety of reasons. My intent here is to do something that's much easier and less controversial. That is, I merely wish to document the answer to the frequently asked question about whether or not it's okay to use https instead of http. The consensus seems to be "yes" to that question.

However, when presented with a PR to update the site with that answer, the issue is stalled again. I believe this issue is simply waiting on the VP legal to say "yes, it's okay to merge this" (or to click the merge button themselves). However, it is a struggle getting a response that is unambiguously clear.

[garydgregory]

@ctubbsii Thank you for the update.