Perhaps it's a reference that some file formats can include the signature attached while others detach the signature into its own file?
On Mon, 8 Mar 2021 at 09:23, Craig Russell <[email protected]> wrote: > > Hi Sebb, > > https://community.apache.org/apache-way/apache-project-maturity-model.html > > > > On Mar 8, 2021, at 3:41 AM, sebb <[email protected]> wrote: > > > > What does "and/or" in RE30 really mean? > > Is it intentional? > > > > --------- > > RE30 > > Releases are signed and/or distributed along with digests that can be > > reliably used to validate the downloaded archives. > > --------- > > > > Expanding the and/or, I read this two ways: > > > > 1) Releases are signed and distributed along with digests that can be > > reliably used to validate the downloaded archives. > > > > 2) Releases are signed or distributed along with digests that can be > > reliably used to validate the downloaded archives. > > > > Statement 1 seems clear to me. > > I agree. It could even be clearer that signatures and digests (SHA256 and/or > SHA512) are both required. Maybe the type of digest was the origin of the > and/or... > > > > Statement 2 appears to imply that releases don't have to be signed -- > > if it means anything. > > I cannot parse this one either. > > Craig > > > > Sebb. > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > Craig L Russell > [email protected] > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
