commons-dev mailing list archives

From Mark Thomas <>
Subject [OT] Verifying releases Was: svn commit: r1452037 - /commons/proper/beanutils/trunk/src/test/java/org/apache/commons/beanutils/bugs/
Date Fri, 08 Mar 2013 10:15:55 GMT

Niall Pemberton <> wrote:

>On Thu, Mar 7, 2013 at 11:54 PM, Mark Thomas <> wrote:


>> One of the primary responsibilities of a PMC member when voting on a
>> release is verifying what is being voted on against the tag.
>> client locales and $Date$ combine to make every single source file
>> different from the tag requiring a manual check of the diff of every
>> file to do the verification check properly. Even with good diff
>> the verification process is a lot slower and can't be automated.
>It's not required for a release - although I would agree it's a nice
>thing to do. Spot check of the files is good enough to see if it has
>been created from the tag

I very strongly disagree. Any PMC member voting on a release should be
verifying every single file in the src tarball with the tag. There are
plenty of tools available that make this the work of a few seconds -
providing the files agree.

> - otherwise we trust our release managers.

Not trusting the release managers is not the primary reason that PMC
members should be verifying the tarball agrees with the tag (although if
a release manager ever does do anything malicious it will catch that
too). The primary reason is to catch errors in build process or mistakes
made by the release manager. BeanUtils is likely simpler than Tomcat but
the sorts of things a full verification has caught have included:
- missing files (usually after some form of code re-org)
- extra files (IDE files, intermediate files, .svn/.git files, etc)
- wrong line endings (Tomcat tries to use CRLF for zip and LF for tar.gz)
- local edits to the source files

Some are minor but missing or edited files are clearly serious issues
that should cause the release to fail.

>BeanUtils has used the $Date$ keyword since 2005 and I cannot remember
>it ever coming up in a release vote - so it hasn't stopped it being

If the release manager and the people checking the tarball all have the
same locale you won't see the issue.
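
The full check described in this message, sketched as an added example (it is not part of the original e-mail and not a tool from Commons or Tomcat): it compares a tag checkout with an unpacked source archive and sorts each difference into the categories listed above, plus keyword-only differences such as a locale-dependent `$Date$` expansion. The function names, the keyword subset and the sample trees are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# SVN keywords, expanded ($Date: ... $) or not ($Date$); a subset is enough here.
KEYWORD = re.compile(rb"\$(Date|Revision|Author|Id|HeadURL)(?::[^$\r\n]*)?\$")

def list_files(root, skip_vcs):
    """Map relative path -> file bytes for every file under root."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if skip_vcs:  # VCS metadata belongs in the tag working copy only
            dirnames[:] = [d for d in dirnames if d not in (".svn", ".git")]
        for name in filenames:
            full = Path(dirpath, name)
            found[full.relative_to(root).as_posix()] = full.read_bytes()
    return found

def compare_trees(tag_dir, src_dir):
    """Classify each difference between a tag checkout and an unpacked source archive."""
    tag, src = list_files(tag_dir, True), list_files(src_dir, False)
    report = {"missing": sorted(set(tag) - set(src)), "extra": sorted(set(src) - set(tag)),
              "eol": [], "keyword": [], "edited": []}
    for rel in sorted(set(tag) & set(src)):
        if tag[rel] == src[rel]:
            continue
        a, b = (d.replace(b"\r\n", b"\n") for d in (tag[rel], src[rel]))
        if a == b:
            report["eol"].append(rel)        # only line endings differ
        elif KEYWORD.sub(rb"$\1$", a) == KEYWORD.sub(rb"$\1$", b):
            report["keyword"].append(rel)    # only keyword expansion differs
        else:
            report["edited"].append(rel)     # content differs: a local edit
    return report

def demo():
    """Compare two small constructed trees (sample data, not a real release)."""
    trees = {"tag": {"A.java": b"// $Date: 2013-03-07 (Thu, 07 Mar 2013) $\nclass A {}\n",
                     "B.java": b"class B {}\n", "C.java": b"class C {}\n",
                     "NOTICE.txt": b"one\ntwo\n", ".svn/entries": b"12\n"},
             "src": {"A.java": b"// $Date: 2013-03-07 (jeu., 07 mars 2013) $\nclass A {}\n",
                     "B.java": b"class B { int x; }\n",
                     "NOTICE.txt": b"one\r\ntwo\r\n", ".project": b"<ide/>\n"}}
    base = Path(tempfile.mkdtemp())
    for side, files in trees.items():
        for rel, data in files.items():
            (base / side / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / side / rel).write_bytes(data)
    return compare_trees(base / "tag", base / "src")
```

An empty report means the archive matches the tag byte for byte; `eol` entries still need a human decision where a project ships CRLF in one archive type on purpose.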

