On Aug 27, 2012, at 10:38 AM, Jim Jagielski wrote: > The ASF releases code. PMCs vote on a SVN tag and on a release tarball > (distribution) made from that tag. There is a direct and easily > followed path between the bits the end-user gets and the bits that > the PMC has determined as "the release." > > The issue with voting on "just" a binary release is how is the > providence of the code ensured... If I get a binary how can I, > as an end-user, ensure that the binary was based on the official bits > and was built in a way that didn't much around with those bits. > *THAT* is what the AOO PPMC needs to work thru, since most end-user > of AOO couldn't care a fig about the bits. But just because end-users > don't care, or shouldn't care, doesn't mean that the PMC/PPMC > can just wing it. Nor can it consider the binaries as "more important" > than the code. > > One possible scenario: The AOO PPMC/PMC is ready for a release > and someone steps up to RM. He/she does the normal process and > a release tag is created. At that point, binary RM's step up > and, using that tag and a well-defined (and trackable) process, > creates binaries and then sign that binary. In fact, that was/is > my intent on wanting to be on the AOO PMC is to be the Apple OSX > RM (that is, take on that responsibility).
Exactly! And if you are doing this, it would make sense to address the Apple CA questions regarding Mountain Lion and digital certs. Regards, Dave
