On 10 May 2018 at 11:37, Greg Stein <gst...@gmail.com> wrote: > On Thu, May 10, 2018 at 3:31 AM, Huxing Zhang <hux...@apache.org> wrote: > >> Hi, >> >> On Thu, May 10, 2018 at 3:59 PM, Willem Jiang <willem.ji...@gmail.com> >> wrote: >> > Is there any plan for going through the vote process of Binary file? >> >> Yes, binaries will also go through the vote process. > > > No. It makes no sense. > > There is NO WAY to verify a binary. Even compiling from source to binary on > your machine, and trying to compare against a target binary will generally > fail since timestamps are embedded. Or maybe there are different compilers > being used. > > The Foundation *never* votes on binaries, because the Foundation DOES NOT > RELEASE BINARIES. The Foundation only votes/authorizes/releases source > code. REPEAT: only source code. > > Only source. Which is verifiable. Which has provenance.
The LICENCE and NOTICE files that accompany the binary artifact are text, and IMO should be checked against the contents of the binary artifact. For example, if the binary bundles jars from other projects, the L&N need to agree with the bundled contents. > Regards, > -g > (Member, skipping my Infra hat)
