On 27 November 2012 17:16, Ralph Goers <ralph.go...@dslextreme.com> wrote: > > On Nov 27, 2012, at 5:12 AM, Gilles Sadowski wrote: > >> On Tue, Nov 27, 2012 at 10:55:14AM +0000, sebb wrote: >>> On 26 November 2012 17:41, Ralph Goers <ralph.go...@dslextreme.com> wrote: >>>> Traceability by who? >>>> >>>> PMC members can easily verify that what is committed to dist matches what >>>> they verified using what they downloaded and the MD5s that came with them. >>>> They are the ones responsible for the vote and the artifacts so I don't >>>> see a problem with that. Why you would need some sort of formal linking >>>> once the artifacts are published escapes me. >>> >>> The point is that using the SVN URL+revsion in the vote thread >>> automatically identifies a unique set of artifacts, and is a single >>> item to check. >> >> That seems a welcome simplification. >> > > If you use the release plugin it isn't simpler. Maven is going to deploy all > the artifacts to the staging repository, including the distribution artifacts.
Actually that is true regardless of whether the release plugin is used or not; deploy will generally include the dist artifacts. > Reviewers then do "wget -e robots=off --cut-dirs=3 -r -p -np > --no-check-certificate link", where link is the url to the staging > repository. After that the reviewer will have all the artifacts for > inspection. With what Sebb is proposing you will have to still do this to > verify the Maven artifacts but you will also have to checkout the > distribution artifacts from SVN, which seems like a needless step to me. Well, it's just one more command. > Ralph --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org