On Mon, Feb 2, 2009 at 3:56 PM, James Dixson <[email protected]> wrote:
> 1. Generate final binary/source images (should happen today) Apache is all about Open Source, so the source distro is actually more important than the binaries, from a legal point of view. Any artifact being generated, need to have LICENSE and NOTICE files in them. > 2. Sign the images... easy enough, but what key should I use, or if I > use one of my keys, is there a standard place folks make their public > keys available? Well, many public PGP servers are used, such as pgp.mit.edu. More importantly, they should also be stored in a KEYS file in the root of the project. > 3. Take a vote in etch-dev Correct. > 4. Take a vote in incubator-dev If you mean [email protected] - Correct. Typically, announce on [email protected] that there will be a vote started on etch-dev a day in advance, so people can jump in if they feel like it. > 5. Publish the images... Q: where should/can the binaries be posted? Yes, before the vote of course. Most people upload to their account on people.apache.org. If you create a public_html folder, it will show up as http://people.apache.org/~niclas > Am I missing anything? Yes, there is a tool called RAT. It will analyze the files from a legal perspective and report any potential issues. The incubator PMC members are typically keen on seeing its output. http://incubator.apache.org/rat/ So, upload the rat output to people.apache.org as well. Cheers Niclas -- http://www.qi4j.org - New Energy for Java
