cordova-dev mailing list archives

From sebb <seb...@gmail.com>
Subject Re: [Vote] Cordova 3.4.0 release
Date Thu, 20 Feb 2014 15:30:59 GMT
On 20 February 2014 14:47, Andrew Grieve <agrieve@chromium.org> wrote:
> SCM == ?

Source Code / Software Configuration Management

> Do you mean the git tags?
> All of the repositories are tagged with the version number of the release.
> So, "3.4.0" is the tag.

OK, so where are the repos then please?
Also, if the tag is not immutable, it would help to have the hash.

>
> On Thu, Feb 20, 2014 at 9:02 AM, sebb <sebbaz@gmail.com> wrote:
>
>> On 18 February 2014 23:26, Steven Gill <stevengill97@gmail.com> wrote:
>> > Please review and vote on the Cordova 3.4.0 release.
>> >
>> > You can find the sample release at http://people.apache.org/~steven/
>>
>> At the risk of being flamed, I am concerned that the VOTE mail does
>> not include a link to the SCM tag.
>>
>> Why is this important?
>>
>> The ASF releases source files which come with a LICENSE (and NOTICE).
>> It is vital that the release only contains files that are permitted to
>> be distributed, and we aren't accidentally including files that should
>> not be distributed.
>>
>> Equally, it is important that the source release is not missing any
>> required files.
>>
>> The only practical way to check all the files is to compare the source
>> archive against the tag(s) it is supposed to contain.
>>
>> In theory, an automated build process will ensure that the archive
>> only contains files from the tag, and does not omit any required files.
>> However, in practice, the archives are built from workspaces that
>> contain other files (e.g. compilation output).
>> I know of at least two projects which used standard automated
>> procedures (Maven), yet their source releases contained files that
>> should not have been released.
>>
>> Should there be a complaint, it's important that the PMC can show that
>> due diligence was done in checking the source archive contents.
>> This will be easier to prove if the VOTE thread contains details of
>> the SCM tags from which the archive was built.
>>
>> The SCM repo provides traceability of provenance.
>>
>> So please can someone provide the SCM tag(s) that were used to create
>> the source release?
>>
>> > Voting will go on for 24 hours.
>> >
>> > Cheers,
>> >
>> > -Steve
>>
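
Added example, not part of the message above and not Cordova or ASF tooling: one way to do the archive-versus-tag comparison the thread asks for. It assumes the reference tarball was exported from the tagged commit (for instance with `git archive --format=tar <commit-hash>`); the file names, the `demo-1.0/` prefix and the sample contents are constructed.

```python
import hashlib
import io
import tarfile


def manifest(tar_bytes, strip_prefix=""):
    """Map each regular file's path (minus strip_prefix) to its SHA-256."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name
            if strip_prefix and name.startswith(strip_prefix):
                name = name[len(strip_prefix):]
            out[name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out


def compare(release_tar, tag_tar, release_prefix=""):
    """Return files that are extra, missing or changed in the release."""
    rel = manifest(release_tar, release_prefix)
    tag = manifest(tag_tar)
    return {
        "extra": sorted(set(rel) - set(tag)),      # e.g. compilation output
        "missing": sorted(set(tag) - set(rel)),    # e.g. a dropped NOTICE
        "changed": sorted(p for p in set(rel) & set(tag) if rel[p] != tag[p]),
    }


def make_tar(files):
    """Build a constructed in-memory tar from {path: bytes} for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: tag export versus a release built from a dirty workspace.
TAG = make_tar({"LICENSE": b"Apache-2.0\n", "NOTICE": b"notice\n",
                "src/app.js": b"run();\n"})
RELEASE = make_tar({"demo-1.0/LICENSE": b"Apache-2.0\n",
                    "demo-1.0/src/app.js": b"run(); // edited\n",
                    "demo-1.0/build/app.min.js": b"x\n"})

if __name__ == "__main__":
    print(compare(RELEASE, TAG, release_prefix="demo-1.0/"))
```

Recording the commit hash the reference export came from, alongside this report, gives the vote thread a comparison that still holds if the tag is later moved.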
