I disagree that -src and -bin should not be in the Maven repo; that is now common practice across many Apache projects, and it can also be helpful for downstream projects that need to embed the distribution somehow.

It is also a structured way to provide distributions, while our dist archives are just semi-structured by convention, not to mention the fact that older releases are only accessible from archive.apache.org -- this means there is not a single permalink for a given release (as we don't want to recommend users to primarily download from archive).

To me it also gives a very easy way to confirm the Maven repo matches the dist files - they should have the same checksums. Then we can reasonably assume that the corresponding JARs are also from the very same build, as they are presumably uploaded in one go with the Release plugin, and assume the Release Manager has acted faithfully and used the regular release process (typically Release plugin).

Of course Creadur could try to add a tool for more formal verification that the JARs and binaries match the source (or even have a forced rebuild from -src). I think Apache could benefit from such a tool, as most downstream users pull JARs blindly from Maven, while they are often not tested at all from a staging repository during Apache projects' Release Candidate testing, and could potentially contain, say, malware inserted by a virus or be faulty because of a particular compiler setup.

On 27 May 2016 6:52 p.m., "sebb" <[email protected]> wrote:

-1

The NOTICE file refers to 2014 rather than 2016.
Have there really been no substantive changes since 2014?

The tag contains two different RN files:

RELEASE-NOTES.txt
RELEASE_NOTES.txt

At least one of them is likely to be wrong.

As mentioned elsethread, the KEYS file must be referenced from
http[s]://www.apache.org/dist/creadur/KEYS

Also, I don't believe the following has any place in the Maven repo

https://repository.apache.org/content/repositories/orgapachecreadur-1002/org/apache/rat/apache-rat/0.12/

Or at least the -src and -bin archives seem out of place for Maven Central.

On 27 May 2016 at 15:18, Jochen Wiedmann <[email protected]> wrote:
> Forgot the SVN Tag:
>
> http://svn.apache.org/repos/asf/creadur/rat/tags/apache-rat-project-0.12-RC1/
>
>
> On Fri, May 27, 2016 at 4:09 PM, Jochen Wiedmann
> <[email protected]> wrote:
>> Proposed distribution:
>>
>> https://dist.apache.org/repos/dist/dev/creadur/apache-rat-0.12RC1/
>>
>> Proposed KEYS:
>>
>> https://dist.apache.org/repos/dist/dev/creadur/apache-rat-0.12RC1/KEYS
>>
>> Proposed site:
>>
>> http://home.apache.org/~jochen/site-rat-0.12RC1/
>>
>> Proposed Maven repository:
>>
>> https://repository.apache.org/content/repositories/orgapachecreadur-1002
>>
>> Vote is open for 72 hours, as usual.
>>
>>
>> Jochen
>>
>>
>> --
>> The next time you hear: "Don't reinvent the wheel!"
>>
>> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>
>
>
> --
> The next time you hear: "Don't reinvent the wheel!"
>
> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
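
The checksum comparison suggested in the reply at the top of this thread (the -src and -bin archives in the Maven repository should hash the same as the dist files), as an added example that is not part of the original messages or of any Apache tooling. It assumes both locations use the same archive file names; the sample file names, their contents and all function names are constructed for illustration, and it says nothing about the JARs themselves.

```python
import hashlib
import tempfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".tar.gz", ".tar.bz2", ".zip")

def sha512_of(path):
    """Stream a file through SHA-512 so large archives are not loaded whole."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()

def index_archives(root):
    """Map archive file name -> SHA-512 for every archive anywhere below root."""
    return {p.name: sha512_of(p) for p in Path(root).rglob("*")
            if p.is_file() and p.name.endswith(ARCHIVE_SUFFIXES)}

def compare_release(dist_dir, maven_dir):
    """Classify each archive name by whether both copies are byte-identical."""
    dist, maven = index_archives(dist_dir), index_archives(maven_dir)
    report = {"match": [], "mismatch": [], "dist_only": [], "maven_only": []}
    for name in sorted(dist.keys() | maven.keys()):
        if name not in maven:
            report["dist_only"].append(name)
        elif name not in dist:
            report["maven_only"].append(name)
        elif dist[name] == maven[name]:
            report["match"].append(name)
        else:
            report["mismatch"].append(name)
    return report

def build_sample(root):
    """Constructed stand-in for a dist directory and a staging repository."""
    dist = Path(root, "dist")
    maven = Path(root, "maven", "org", "apache", "rat", "apache-rat", "0.12")
    dist.mkdir(parents=True)
    maven.mkdir(parents=True)
    (dist / "apache-rat-0.12-src.tar.gz").write_bytes(b"constructed source archive")
    (maven / "apache-rat-0.12-src.tar.gz").write_bytes(b"constructed source archive")
    (dist / "apache-rat-0.12-bin.tar.gz").write_bytes(b"constructed binary archive")
    (maven / "apache-rat-0.12-bin.tar.gz").write_bytes(b"constructed binary, altered")
    (dist / "apache-rat-0.12-bin.zip").write_bytes(b"constructed zip, dist only")
    (maven / "apache-rat-0.12.jar").write_bytes(b"constructed jar, not compared")
    return dist, Path(root, "maven")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for status, names in compare_release(*build_sample(tmp)).items():
            print(f"{status}: {names}")
```

Anything reported under `mismatch`, `dist_only` or `maven_only` means the two publication channels cannot be assumed to come from the same build.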
