On Jan 14, 2010, at 6:33 AM, Mark Phippard wrote:

> On Wed, Jan 13, 2010 at 11:19 AM, Hyrum K. Wright
> <hyrum_wri...@mail.utexas.edu> wrote:
> 
>> Given this feedback, and the fact that it's a patch release with supposed
>> minimal changes between releases, I agree we should step back to Neon
>> 0.28.3.  I've rerolled the tarballs and replaced them at the download site
>> with the new deps tarballs.
> 
> I just read this more closely and fear I have led you astray.  I only
> used Neon 0.28.3 because that happened to be the version I had sitting
> in an old working copy (I had just deleted all of the old deps zip
> files before starting the tests).  However, there have been security
> fixes in Neon since that release, so we should include the latest
> version - 0.28.7 (or 0.29.3).  I suspect that is the version we would
> have included with 1.6.6, but maybe not.

Turns out I updated the script, but didn't bother to re-run it.  Gah.

> Can't we just copy/rename the 1.6.6 deps tarballs?

I don't see a problem with this.  We can even borrow the signatures from
those files, yes?

> Are we (thankfully in my opinion) going to drop the deps tarballs when
> we start releasing at ASF?

I don't know the party line on this, but I certainly hope it is the case.

-Hyrum
