The release artifacts contain source code, the binaries are there for user convenience. I could use the new X500 Certificate to sign the jars, this was purchased by the Apache Foundation for this purpose.
Regards, Peter. Sent from my Samsung device. Include original message ---- Original message ---- From: Patricia Shanahan <p...@acm.org> Sent: 01/09/2016 11:31:01 pm To: dev@river.apache.org Subject: Re: release artifacts How many PMC members are ready and willing to build and test, so that they can upvote the release? Peter: Why jar files in the release? Isn't it supposed to be source code? On 9/1/2016 4:57 AM, Peter Firmstone wrote: > Getting another set of release artifacts 4 River3 ready and have run all >tests again, need to generate pgp signatures on weekend. > > Decided not to use X500 release cert to sign jar files this release to >prevent holding up progress, since I haven't worked out how others can verify >release artifacts as the pgp signatures will be different when comparing >artifacts containing signed jars with those that don't, then there's the issue >of how to integrate it into the build process. > > Regards, > > Peter. > > Sent from my Samsung device. > >
