I ran the script twice; the first to verify that it worked and on the second run, read every word that it produced. Some of it I didn't know the rightness or wrongness of the statements, so that, to me, makes my vote not quite as valid. But then I would imagine that most people who vote are not 100% certain if everything is correct. I can tell if it is clear and logical, which I believe it to be true.
I think tools which make it easier to validate will encourage people to participate more. If the task is arduous, then more people will just leave the decision in the hands of a few. If my vote is invalid than validating manually will not change that. --peter On 6/17/14 1:29 PM, "Justin Mclean" <jus...@classsoftware.com> wrote: >Hi, > >> I followed these threads as they happened. I have not gone back and >> reviewed them, but my takeaway was this: A PMC cannot not use the >>output >> of a tool to determine the correctness of a release package because the >> determination of the correctness of LICENSE and NOTICE and the headers >> cannot be infallibly done by software. > >That's my meaning as well. Of course you don't have to manually type >everything, but the files headers, LICENSE and NOTICE need to be checked >manually not via a script. Also each PMC member should be free to check >the release how they want , IMO multiple methods == more chance an error >is caught. > >So you would agree that in this case Peter's vote is invalid as he only >run the script and pasted the output of that into the vote? Sorry Peter, >I don't mean to single you out, but it does illustrate the danger of >using a script to validate releases. > >Tools like you script and rat help with validating releases but are not a >replacement for manual checks. I think your script is useful and helpful >but it can't be the sole reason for voting +1. > >> This script only downloads the artifacts, runs gpg to dump the sig and >> makes sure it matches, then dumps the rat report and each notice file to >> the console and asks you to decide on its correctness > >IMO That's a little misleading are you need to look at the source (and >perhaps the source of dependancies) in conjunction with NOTICE/LICENSE to >see if they are correct. > >IMO the script should ask you to manually check the headers, LICENSE and >NOTICE and not prompt you for a y/n. There's to much temptation to say it >all looks good and just to hit "Y'. > >> I will post a [MENTOR] thread on private@ to try to get Dave Fisher's >>attention. >Feel free but I don't think that requires mentor attention, we as a PMC >should be able to sort this out. > >At the very least this should of been discussed (and perhaps VOTEed on) >before being implemented in 2 releases. > >Thanks, >Justin >
