On 05/02/2011 02:05 PM, Arun C Murthy wrote: > As I noted before you were the first one to propose this release off > Yahoo security patch-set in April, 2010: > http://s.apache.org/5Gv > > What has changed since? Clearly, the same situation exists today.
I have absolutely no objection in principle to an Apache 0.20 release including security. I object to the fact that this patchset started from an arbitrary point and unilaterally applied a large set of patches that are not well correlated with Jira, trunk or other 0.20 branches. > Also, please note that of the ~450 commits in the branch, only 30 odd > jiras are yet to be committed to trunk: > http://s.apache.org/7Pe. So it's incorrect to state 'lack of community > involvement'. This should be easily discoverable from Jira: issues should use the "fix-for" field to indicate which branches they've been merged to. This standard practice has not been observed for over 400 patches included in this release candidate. > Assuming the technical inconsistencies are sorted out, are you willing > to withdraw you objection? These are not just technical concerns. How I vote on any future release candidate will in part depend on how the community is involved in its production. Thanks, Doug