On 13 August 2013 18:58, Dennis Lundberg <denn...@apache.org> wrote:
> On Tue, Aug 13, 2013 at 12:30 AM, sebb <seb...@gmail.com> wrote:
>> On 12 August 2013 20:10, Jason van Zyl <ja...@tesla.io> wrote:
>>>
>>>>>
>>>>> I have now read the threads that are referring to, and have not found
>>>>> a single link to any ASF rule stating that we need to include these
>>>>> things in a VOTE thread.
>>>>
>>>> So how do you propose that reviewers check the provenance of the files
>>>> in the source release?
>>>
>>> Are you looking for files that are in a distribution that didn't come from 
>>> source control? Everything else as far as provenance goes is covered. 
>>> Errant content is a potential problem, but everything in a distribution 
>>> should come from source control which no one has access to until they have 
>>> a signed CLA on file.
>>
>> Yes. That is where the whole saga started.
>>
>> Proving provenance is why the SCM coordinates are needed for the vote.
>>
>> The SCM details may also be useful to discover files accidentally
>> omitted from the source archive.
>
> You want to compare the contents of the *-source-release.zip with
> something from SCM, to make sure nothing bad has crept into the source
> bundle. So you need to know where in SCM you can find it. Have I
> understood you correctly?

It's vital to be able to link the files in the source release
archive(s) to their origin in SCM.

The provenance of any source files the ASF releases must be clearly traceable.

>>> Thanks,
>>>
>>> Jason
>>>
>>> ----------------------------------------------------------
>>> Jason van Zyl
>>> Founder,  Apache Maven
>>> http://twitter.com/jvanzyl
>>> ---------------------------------------------------------
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> For additional commands, e-mail: dev-h...@maven.apache.org
>>
>
> --
> Dennis Lundberg

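The comparison discussed in this thread, as an added example that is not part of the original messages or of any ASF or Maven tooling: a reviewer-side check that diffs a source-release zip against a working copy checked out from the SCM coordinates given in the vote. The function names, the `strip_prefix` parameter (assuming the archive wraps its files in one top-level directory) and the sample files are all constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare_release_to_checkout(archive, checkout, strip_prefix="", ignore=(".git", ".svn")):
    """Diff a source-release zip against an SCM working copy by content hash."""
    archived = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Entries outside the expected top-level directory keep their full
            # name and therefore show up as "extra".
            if strip_prefix and name.startswith(strip_prefix):
                name = name[len(strip_prefix):]
            archived[name] = sha256(zf.read(info))
    root, tracked = Path(checkout), {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        # Skip SCM metadata directories; they are never part of a release.
        if path.is_file() and not any(part in ignore for part in rel.parts):
            tracked[rel.as_posix()] = sha256(path.read_bytes())
    common = archived.keys() & tracked.keys()
    return {
        "extra": sorted(archived.keys() - tracked.keys()),    # in release, not in SCM
        "missing": sorted(tracked.keys() - archived.keys()),  # in SCM, omitted from release
        "modified": sorted(n for n in common if archived[n] != tracked[n]),
    }

def demo():
    """Constructed sample: a small checkout and a zip that drifts from it."""
    with tempfile.TemporaryDirectory() as tmp:
        checkout = Path(tmp, "checkout")
        files = {"pom.xml": b"<project/>", "NOTICE": b"notice",
                 "src/App.java": b"class App {}", ".svn/entries": b"12"}
        for rel, data in files.items():
            target = checkout / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        archive = Path(tmp, "demo-1.0-source-release.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("demo-1.0/pom.xml", b"<project/>")
            zf.writestr("demo-1.0/src/App.java", b"class App { /* edited */ }")
            zf.writestr("demo-1.0/lib/blob.jar", b"\x00binary")
        return compare_release_to_checkout(archive, checkout, strip_prefix="demo-1.0/")
```

The "extra" list covers the files that did not come from source control; "missing" covers files accidentally omitted from the source archive.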