Hi,

> The important release artifact to check is the source archive, the
> binary artifacts are mostly a convenience to users.

> The binaries are irrelevant.

OK, I understand, but I don't agree. Most users download the binaries;
very few download the source code and even fewer build the binaries
themselves. I think the binaries are important. If the release scripts
are correct the binaries should be correct. But then, if the release
scripts are correct then 'rat' is already run and I don't need to do
that again... The binaries could contain a virus (there are some Java
viruses). I know that some developers disabled the virus scanner (well,
I do that sometimes). Probably it's not that urgent, but maybe when we
have time to improve the release process we find a solution for that
as well.

Regards,
Thomas
