I disagree - I think the Apache process makes the minimum we should vote on be the source (and I agree that on many levels, it's the most important thing).
However I think we need to do more. The number of problems we have had with actual broken releases *with* posted binaries means I think we can't do without them. I do trust the release managers, but even release managers are human and mistakes happen. I personally want to test the thing that the majority of users will download and use so that I can accurately vouch for its quality.

Speaking for myself:
From a philosophical perspective, the source is most important.
As a user of software from apache.org I want to know that the binary I download has been tested by at least a couple of experts.

I think we can and should satisfy both and don't see a strong downside to doing so.

David

On Fri, May 2, 2008 at 8:47 PM, Ajith Ranabahu <[EMAIL PROTECTED]> wrote:
> Forwarding to the general list due to popular demand
>
> ---------- Forwarded message ----------
> From: Ajith Ranabahu <[EMAIL PROTECTED]>
> Date: Fri, May 2, 2008 at 1:21 PM
> Subject: Re: Voting on release artifacts - Binary vs Source
> To: [EMAIL PROTECTED]
>
> Hi,
> Thanks Jeremy for the pointer - I understand why the source is a must (otherwise why would you call it opensource :)) What I was trying to say was that I was under the impression that binary release artifacts are as important as source artifacts. However what this discussion (and the draft incubator proposal) tells me is that binaries are considered just a convenience and may not play a significant role in the voting process.
>
> What I am thinking is during the voting process (for a release) we should only post a source distribution. Once it is approved release manager can put up all the binary artifacts. To me signatures and hashes are a way for you to verify the authenticity and nothing more. IMHO during the vote users may or may not check the accuracy/legitimacy of the hashes/signatures. If the release manager screws up the signing of artifacts that will be reported by infra (say the Key is invalid or the hashes are not right) [ I made a mistake in the signatures during the last Xml Schema release. The files that should have the .asc extension were in .gpg (signatures were fine though). However during the voting process this never came up (I know people tested the artifacts since we went on several RC cycles). What that tells me is that perhaps there is very little signature/checksum checking in practice. Anyway the mistake was reported by Henk (infra) and corrected later]
>
> So what I am trying to say is that to be on par with the Apache mentality of "source is the most important artifact" we should slightly augment our voting procedures so that we give priority to the source. The voting thread should indicate clearly that you check the source artifacts. Better yet we can post only the source for a vote - so that what people vote on would be the source and not the binary.
>
> Well - I did not send this to the general list since asking questions like 'are we fully Apache compliant ?' in public seemed a bit drastic to me. I was thinking we should treat this as a WS internal matter before we put it out to general@ or legal@
>
> Ajith
>
> On Fri, May 2, 2008 at 9:12 AM, Jeremy Hughes <[EMAIL PROTECTED]> wrote:
> > There are some good points on the (still draft) release management page @incubator [1]. In the end it's up to the project as to what's in a release. I say the release *has* to include binaries to keep the user community happy. It *should* release source zips (source is always available in SVN of course), so that users are encouraged to become contributors as they debug any issues they have.
> >
> > It's possible for voting to be against a particular SVN revision number (ie. the source), but it also needs to be against the released artifacts, since release signing happens once you have artifacts (ie binary and source zips) that you want to release, and voting on the release should include a check that the signature file is correct. Ideally there'd be a check that the binaries relate to the source.
> >
> > [1] http://incubator.apache.org/guides/releasemanagement.html#best-practice-source
> >
> > Cheers,
> > Jeremy
> >
> > 2008/5/1 Ajith Ranabahu <[EMAIL PROTECTED]>:
> > > Hi all,
> > > I've been wanting to ask this question from the pmc for about a week or so but did not get time to write a detailed email. Since most of the guys here are not in the member list (where an important discussion about "what Apache distributes?" happened) here is an excerpt.
> > >
> > > During one of the JCP discussions a point came up which resulted in the digression of "what Apache distributes as releases, is it code or binaries". Roy T Fielding, one of the Apache veterans, stated that Apache distributes source code and most importantly the voting should happen with the source code. Indeed HTTPD seems to follow this routine but AFAIK all of us in the WS world always voted on artifacts including binaries. There are many instances I have tested releases only with the binary artifacts without looking at the source (The source gets attention when there is a problem !). Again I suppose a good proportion of our users used the binaries and never tried building from source unless they absolutely have to.
> > >
> > > Now my question is whether what we have been doing all these years is the right Apache way. The discussion in the member list did not conclude with anything concrete and my brief search did not yield any concrete documents. However I think this is something we should clarify and get a clear understanding of the procedures before a potential clash.
> > >
> > > I suppose Glen/Dims/Sanjiva or any other folks who've been around Apache for a while would be able to shed some light on to this :)
> > >
> > > Thanks
> > > --
> > > Ajith Ranabahu
> > >
> > > Reading, after a certain age, diverts the mind too much from its creative pursuits. Any man who reads too much and uses his own brain too little falls into lazy habits of thinking - Albert Einstein
>
> --
> Ajith Ranabahu
>
> --
> Ajith Ranabahu

--
David Illsley - IBM Web Services Development
