Forwarding to the general list due to popular demand

---------- Forwarded message ----------
From: Ajith Ranabahu <[EMAIL PROTECTED]>
Date: Fri, May 2, 2008 at 1:21 PM
Subject: Re: Voting on release artifacts - Binary vs Source
To: [EMAIL PROTECTED]


Hi,
Thanks Jeremy for the pointer - I understand why source is a must
(otherwise why would you call it opensource :)) What I was trying to say was
that I was under the impression that binary release artifacts are as
important as source artifacts. However what this discussion (and the draft
incubator proposal) tells me is that binaries are considered just a
convenience and may not play a significant role in the voting process.

What I am thinking is during the voting process (for a release) we should
only post a source distribution. Once it is approved, the release manager can put
up all the binary artifacts. To me signatures and hashes are a way for you
to verify the authenticity and nothing more. IMHO during the vote users may
or may not check the accuracy/legitimacy of the hashes/signatures. If the
release manager screws up the signing of artifacts that will be reported by
infra (say the key is invalid or the hashes are not right). [I made a
mistake in the signatures during the last XML Schema release. The files that
should have the .asc extension were in .gpg (signatures were fine though).
However, during the voting process this never came up (I know people tested
the artifacts since we went on several RC cycles). What that tells me is
that perhaps there is very little signature/checksum checking in practice.
Anyway, the mistake was reported by Henk (infra) and corrected later.]

So what I am trying to say is that to be on par with the Apache mentality of
"source is the most important artifact" we should slightly augment our
voting procedures so that we give priority to the source. The voting thread
should indicate clearly that you check the source artifacts. Better yet we
can post only the source for a vote - so that what people vote on would be
the source and not the binary.

Well - I did not send this to the general list since asking questions like
'are we fully Apache compliant?' in public seemed a bit drastic to me. I
was thinking we should treat this as a WS internal matter before we put it
out to general@ or legal@

Ajith


On Fri, May 2, 2008 at 9:12 AM, Jeremy Hughes <[EMAIL PROTECTED]> wrote:

> There are some good points on the (still draft) release management page
> @incubator [1]. In the end it's up to the project as to what's in a release.
> I say the release *has* to include binaries to keep the user community happy. It
> *should* release source zips (source is always available in SVN of course),
> so that users are encouraged to become contributors as they debug any issues
> they have.
>
> It's possible for voting to be against a particular SVN revision number
> (ie. the source), but it also needs to be against the released artifacts,
> since release signing happens once you have artifacts (ie binary and source
> zips) that you want to release, and voting on the release should include a
> check that the signature file is correct. Ideally there'd be a check that
> the binaries relate to the source.
>
> [1]
> http://incubator.apache.org/guides/releasemanagement.html#best-practice-source
>
> Cheers,
> Jeremy
>
> 2008/5/1 Ajith Ranabahu <[EMAIL PROTECTED]>:
>
> > Hi all,
> > I've been wanting to ask this question from the pmc for about a week or
> > so but did not get time to write a detailed email. Since most of the guys
> > here are not in the member list (where an important discussion about "what
> > Apache distributes?" happened) here is an excerpt.
> >
> > During one of the JCP discussions a point came up which resulted in the
> > digression of "what Apache distributes as releases, is it code or
> > binaries". Roy T Fielding, one of the Apache veterans, stated that Apache
> > distributes source code and most importantly the voting should happen with
> > the source code. Indeed HTTPD seems to follow this routine but AFAIK all of
> > us in the WS world always voted on artifacts including binaries. There are
> > many instances I have tested releases only with the binary artifacts without
> > looking at the source (The source gets attention when there is a problem!).
> > Again I suppose a good proportion of our users used the binaries and never
> > tried building from source unless they absolutely have to.
> >
> > Now my question is whether what we have been doing all these years is
> > the right Apache way. The discussion in the member list did not conclude
> > with anything concrete and my brief search did not yield any concrete
> > documents. However I think this is something we should clarify and get a
> > clear understanding of the procedures before a potential clash.
> >
> > I suppose Glen/Dims/Sanjiva or any other folks who've been around Apache
> > for a while would be able to shed some light on this :)
> >
> > Thanks
> > --
> > Ajith Ranabahu
> >
> > Reading, after a certain age, diverts the mind too much from its
> > creative pursuits. Any man who reads too much and uses his own brain too
> > little falls into lazy habits of thinking - Albert Einstein
>
>
>


-- 
Ajith Ranabahu

Reading, after a certain age, diverts the mind too much from its creative
pursuits. Any man who reads too much and uses his own brain too little falls
into lazy habits of thinking - Albert Einstein


