On 20 February 2014 14:47, Andrew Grieve <[email protected]> wrote:
> SCM == ?

Source Code / Software Configuration Management

> Do you mean the git tags?
> All of the repositories are tagged with the version number of the release.
> So, "3.4.0" is the tag.

OK, so where are the repos then please?

Also, if the tag is not immutable, it would help to have the hash.

>
> On Thu, Feb 20, 2014 at 9:02 AM, sebb <[email protected]> wrote:
>
>> On 18 February 2014 23:26, Steven Gill <[email protected]> wrote:
>> > Please review and vote on the Cordova 3.4.0 release.
>> >
>> > You can find the sample release at http://people.apache.org/~steven/
>>
>> At the risk of being flamed, I am concerned that the VOTE mail does
>> not include a link to the SCM tag.
>>
>> Why is this important?
>>
>> The ASF releases source files which come with a LICENSE (and NOTICE).
>> It is vital that the release only contains files that are permitted to
>> be distributed, and we aren't accidentally including files that should
>> not be distributed.
>>
>> Equally, it is important that the source release is not missing any
>> required files.
>>
>> The only practical way to check all the files is to compare the source
>> archive against the tag(s) it is supposed to contain.
>>
>> In theory, an automated build process will ensure that the archive
>> only contains files from the tag, and does not omit any required files.
>> However, in practice, the archives are built from workspaces that
>> contain other files (e.g. compilation output).
>> I know of at least two projects which used standard automated
>> procedures (Maven), yet their source releases contained files that
>> should not have been released.
>>
>> Should there be a complaint, it's important that the PMC can show that
>> due diligence was done in checking the source archive contents.
>> This will be easier to prove if the VOTE thread contains details of
>> the SCM tags from which the archive was built.
>>
>> The SCM repo provides traceability of provenance.
>>
>> So please can someone provide the SCM tag(s) that were used to create
>> the source release?
>>
>> > Voting will go on for 24 hours.
>> >
>> > Cheers,
>> >
>> > -Steve
>>
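An added example, not part of the thread and not the project's own tooling: one way to run the archive-against-tag comparison discussed above, recording the commit hash the tag resolves to in case the tag is later moved. The repository `proj`, tag `1.0`, archive name and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a source archive against the git tag it claims to be built from.

# Resolve a tag to its commit hash (a tag can be moved; the hash cannot).
tag_commit() { git -C "$1" rev-parse --verify "$2^{commit}"; }

# Report files present on only one side; returns 0 only if both lists match.
# usage: archive_vs_tag <repo> <tag> <archive.tar.gz> <path-prefix-in-archive>
archive_vs_tag() {
  avt_tmp=$(mktemp -d) || return 2
  # Archive file list: drop directory entries, strip the top-level prefix.
  tar -tzf "$3" | grep -v '/$' | sed "s|^$4||" | LC_ALL=C sort > "$avt_tmp/archive"
  # Tracked files at the tag (unusual path names would be quoted by git).
  git -C "$1" ls-tree -r --name-only "$2" | LC_ALL=C sort > "$avt_tmp/tag"
  LC_ALL=C comm -23 "$avt_tmp/archive" "$avt_tmp/tag" | sed 's/^/archive-only: /'
  LC_ALL=C comm -13 "$avt_tmp/archive" "$avt_tmp/tag" | sed 's/^/tag-only: /'
  cmp -s "$avt_tmp/archive" "$avt_tmp/tag"; avt_rc=$?
  rm -rf "$avt_tmp"
  return $avt_rc
}

# Constructed sample: a repo tagged 1.0, then an archive built from the
# workspace after a build left an object file behind and NOTICE was dropped.
make_sample() {
  ms_dir=$1
  mkdir -p "$ms_dir/proj/src"
  printf 'license text\n' > "$ms_dir/proj/LICENSE"
  printf 'notice text\n' > "$ms_dir/proj/NOTICE"
  printf 'int x;\n' > "$ms_dir/proj/src/a.c"
  git -C "$ms_dir/proj" init -q
  git -C "$ms_dir/proj" add -A
  git -C "$ms_dir/proj" -c user.name=demo -c user.email=demo@example.invalid \
      commit -q -m release
  git -C "$ms_dir/proj" tag 1.0
  printf 'obj\n' > "$ms_dir/proj/src/a.o"   # untracked compilation output
  tar -czf "$ms_dir/proj-src.tar.gz" -C "$ms_dir" --exclude=.git --exclude=NOTICE proj
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir" &&
  echo "tag 1.0 -> commit $(tag_commit "$demo_dir/proj" 1.0)" &&
  archive_vs_tag "$demo_dir/proj" 1.0 "$demo_dir/proj-src.tar.gz" proj/ ||
  echo "archive does not match tag"
```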
