On Apr 21, 2008, at 11:47 AM, Thomas Mueller wrote:

> Hi,
>
>> The important release artifact to check is the source archive, the
>> binary artifacts are mostly a convenience to users.

The binaries are irrelevant.

> OK, I understand, but I don't agree. Most users download the binaries;
> very few download the source code and even fewer build the binaries

Apache's users download the source code and build from source.
Jukka's users may just run the binaries.

> themselves. I think the binaries are important. If the release scripts
> are correct, the binaries should be correct. But then, if the release
> scripts are correct, then 'rat' is already run and I don't need to do
> that again... The binaries could contain a virus (there are some Java
> viruses). I know that some developers disabled the virus scanner (well,
> I do that sometimes). Probably it's not that urgent, but maybe when we
> have time to improve the release process we can find a solution for
> that as well.

Thomas, there is no way to verify that a binary is redistributable
without building the entire computer from trusted sources each time.
That's why we don't vote on binaries.  Don't waste your abilities on
testing binaries when we need them to test the source code.

Allow me to repeat: WE DON'T VOTE ON BINARIES. We CAN'T vote on binaries.
To vote would imply that we have the magical ability to evaluate them on
behalf of the ASF. None of us has that ability. That's why the ASF does
not release binaries!

If it really becomes too hard for folks to understand that the binaries
do not matter, then I will ask the RM to stop building binaries.  They
don't belong in the release vote, period. Is that clear?

The HTTP Server project has never, in its entire history, voted on the
release of binaries. Apache Jackrabbit has no reason to do so now. We let
Jukka upload binaries that he has built from the released source code
bits because we trust Jukka, not because we trust the binaries.

....Roy