On Mon, Aug 20, 2012 at 10:55 PM, Prescott Nasser <geobmx...@hotmail.com> wrote: > I'm sorry, I'm playing catch-up and I'm a bit unclear on the argument - > Marvin said: "If the podling believes that ASF-endorsed binaries are a hard > requirement, > then it seems to me that the ASF is not yet ready for AOO and will not be > until suitable infrastructure and legal institutions to support binary > releases (sterile build machines, artifact signing, etc) have been created > and a policy has been endorsed by the Board." Is AOO not able to determine > that for them a binary is a hard requirement for their releases (along with > source code)? I would think that ASF puts a minimum requirement on what an > official release is, not a limit. Why is there a requirement for special > infrustructure? (perhaps that is due to the size of AOO?) Speaking just from > the Lucene.Net persective, I would consider our binaries (and nuget packages) > as official - even if ASF does not specifically allow for "official releases > or officially endourced binaries" - what else would they be? They were built > and put up by the same guys releasing the source code.
The simplest response is that source releases can be audited by (P)PMC members. Binary releases cannot. If they cannot be audited, then how can the ASF stand behind those releases? How can they state that the releases are free of viruses/trojans/etc, and that the binary precisely matches the compiled/built output of the audited source release? That is the first and hardest issue about having the ASF provide authenticated binaries. Cheers, -g --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
