On Sun, 2014-06-29 at 15:27 +0100, sebb wrote: > On 29 June 2014 15:15, Oleg Kalnichevski <[email protected]> wrote:
... > >> >> >> > >> >> >> There's also no way to be sure that the binaries agree with the > >> >> >> source. > >> >> > > >> >> > And here we go. Voting on binary artifacts is equally stupid. The only > >> >> > >> >> Sorry, that was a bad analogy. > >> >> > >> >> But there are some aspects of binary artifacts that can - and should - > >> >> be checked. > >> >> > >> >> For example, sigs, hashes, NOTICE and LICENSE. > >> >> Ensuring that the binary artifacts don't contain bundled items that > >> >> should not be present. > >> >> Ensuring that jars have suitable MANIFEST entries > >> >> > >> > > >> > Which one should do by generating those binary artifacts from the > >> > source. > >> > >> Huh? > >> How does that help? > >> > >> The binary artifacts in the release vote are the ones that are going > >> to be published via the ASF mirrors. > >> So they are the ones that need checking to ensure that nothing has > >> gone wrong with the build. > >> > >> Any build others may do is not directly relevant to the artifacts that > >> are proposed for release. > >> > > > > What we release is a source tarball. Binary artifacts are distributed > > merely for convenience of users. > > Yes, they are optional. > Ah, finally. So are website or any reports. > But they are still distributions, and still need to follow the rules > regarding NOTICE and LICENSE etc. > And sigs/hashes must be OK > ETC. > Yes, by making sure that the correct artifacts can be built from source. Oleg --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
