On Wed, Aug 14, 2013 at 10:47 AM, sebb <[email protected]> wrote:
> On 13 August 2013 18:58, Dennis Lundberg <[email protected]> wrote:
> > On Tue, Aug 13, 2013 at 12:30 AM, sebb <[email protected]> wrote:
> >> On 12 August 2013 20:10, Jason van Zyl <[email protected]> wrote:
> >>>
> >>>>> I have now read the threads that you are referring to, and have not found
> >>>>> a single link to any ASF rule stating that we need to include these
> >>>>> things in a VOTE thread.
> >>>>
> >>>> So how do you propose that reviewers check the provenance of the files
> >>>> in the source release?
> >>>
> >>> Are you looking for files that are in a distribution that didn't come
> >>> from source control? Everything else as far as provenance goes is covered.
> >>> Errant content is a potential problem, but everything in a distribution
> >>> should come from source control, which no one has access to until they have
> >>> a signed CLA on file.
> >>
> >> Yes. That is where the whole saga started.
> >>
> >> Proving provenance is why the SCM coordinates are needed for the vote.
> >>
> >> The SCM details may also be useful to discover files accidentally
> >> omitted from the source archive.
> >
> > You want to compare the contents of the *-source-release.zip with
> > something from SCM, to make sure nothing bad has crept into the source
> > bundle. So you need to know where in SCM you can find it. Have I
> > understood you correctly?
>
> It's vital to be able to link the files in the source release
> archive(s) to their origin in SCM.
>
> The provenance of any source files the ASF releases must be clearly
> traceable.

This information is clearly traceable and available to anyone who wants to review a release made by the Maven project. Our process uses the Release Plugin, which will put the POM from the SCM tag in the staging directory along with the source-release.zip. In that POM you will find the URL to the original sources in SCM.

> >>> Thanks,
> >>>
> >>> Jason
> >>>
> >>> ----------------------------------------------------------
> >>> Jason van Zyl
> >>> Founder, Apache Maven
> >>> http://twitter.com/jvanzyl
> >>> ---------------------------------------------------------
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [email protected]
> >> For additional commands, e-mail: [email protected]
> >
> > --
> > Dennis Lundberg
>
> --
> Dennis Lundberg <[email protected]>
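As an added example (not code from this thread or from the Maven project), one way to do the comparison sebb and Dennis describe: hash every file in a source-release.zip and in a checkout of the SCM tag, then report what is only in the archive, only in SCM, or present in both but changed. The checkout and archive below are constructed in a temporary directory; in practice the checkout would come from the SCM URL in the staged POM.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_digests(zip_bytes: bytes) -> dict:
    """SHA-256 per file in the archive, with the top-level
    '<artifact>-<version>/' directory of a source-release.zip stripped."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename.split("/", 1)[-1]] = _sha256(zf.read(info))
    return digests


def scm_digests(checkout: Path, ignore=(".git", ".svn")) -> dict:
    """SHA-256 per file in a checkout of the SCM tag, skipping SCM metadata."""
    digests = {}
    for path in checkout.rglob("*"):
        rel = path.relative_to(checkout)
        if path.is_file() and not set(rel.parts) & set(ignore):
            digests[rel.as_posix()] = _sha256(path.read_bytes())
    return digests


def compare_release(zip_bytes: bytes, checkout: Path) -> dict:
    """Files only in the archive (did not come from SCM), only in SCM
    (accidentally omitted from the archive), or in both but altered."""
    a, s = archive_digests(zip_bytes), scm_digests(checkout)
    return {"not_in_scm": sorted(set(a) - set(s)),
            "missing_from_archive": sorted(set(s) - set(a)),
            "modified": sorted(f for f in a.keys() & s.keys() if a[f] != s[f])}


def demo() -> dict:
    """Constructed sample: a fake tag checkout and an archive with one
    injected file, one omitted file and one altered file."""
    scm = {"pom.xml": b"<project/>", "src/Main.java": b"class Main {}",
           "NOTICE": b"Apache notice", ".git/HEAD": b"ref: refs/tags/v1"}
    archive = {"pom.xml": b"<project/>", "src/Main.java": b"class Main { }",
               "lib/extra.jar": b"binary blob"}  # NOTICE omitted, extra.jar injected
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in scm.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(data)
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in archive.items():
                zf.writestr("demo-1.0/" + name, data)
        return compare_release(buf.getvalue(), root)


if __name__ == "__main__":
    print(demo())
```

A clean release yields three empty lists; anything under `not_in_scm` is exactly the "errant content" the thread is worried about, and `missing_from_archive` is the accidental-omission case sebb mentions.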
