Hi Andrew, Are you saying it is ok to contain compiled executed binaries if they were signed?
There had been long discussion in general@ list about what should be contained in release artifacts (with 0.8.1 Spark release) and I believe the conclusion was to avoid executable binaries in the source release artifacts. - Henry On Mon, Feb 24, 2014 at 10:11 AM, Andrew Purtell <[email protected]> wrote: > Hi Sebb, > > On Sat, Feb 22, 2014 at 2:19 AM, sebb <[email protected]> wrote: > >> I've had a quick look at the (sole) archive, and it contains both >> source and compiled jars. >> Although it is OK to release convenience binaries, there must be a >> source only release, as that is the ASF mission - to release open >> source. >> > > The "what must every release contain" doc says: > > Every ASF release *must* contain a source package, which must be sufficient > for a user to build and test the release provided they have access to the > appropriate platform and tools. The source package must be cryptographically > signed <http://www.apache.org/dev/release-signing.html> by the Release > Manager with a detached signature; and that package together with its > signature must be tested prior to voting +1 for release. > > > We can mentor the podling to produce a separate source only tarball, but > this might be a point of confusion, because the candidate tarball here > conforms to the above language, I have personally built and tested this > release from the properly signed tarball. It is a source tarball also > containing compiled binaries. > > > -- > Best regards, > > - Andy > > Problems worthy of attack prove their worth by hitting back. - Piet Hein > (via Tom White) --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
