Date: Thu, 20 Feb 2014 15:30:59 +0000
Subject: Re: [Vote] Cordova 3.4.0 release
From: sebb
To: dev@cordova.apache.org

On 20 February 2014 14:47, Andrew Grieve wrote:
> SCM == ?

Source Code / Software Configuration Management

> Do you mean the git tags?
> All of the repositories are tagged with the version number of the release.
> So, "3.4.0" is the tag.

OK, so where are the repos then please?
Also, if the tag is not immutable, it would help to have the hash.

>
> On Thu, Feb 20, 2014 at 9:02 AM, sebb wrote:
>
>> On 18 February 2014 23:26, Steven Gill wrote:
>> > Please review and vote on the Cordova 3.4.0 release.
>> >
>> > You can find the sample release at http://people.apache.org/~steven/
>>
>> At the risk of being flamed, I am concerned that the VOTE mail does
>> not include a link to the SCM tag.
>>
>> Why is this important?
>>
>> The ASF releases source files which come with a LICENSE (and NOTICE).
>> It is vital that the release only contains files that are permitted to
>> be distributed, and we aren't accidentally including files that should
>> not be distributed.
>>
>> Equally, it is important that the source release is not missing any
>> required files.
>>
>> The only practical way to check all the files is to compare the source
>> archive against the tag(s) it is supposed to contain.
>>
>> In theory, an automated build process will ensure that the archive
>> only contains files from the tag, and does not omit any required files.
>> However, in practice, the archives are built from workspaces that
>> contain other files (e.g. compilation output).
>> I know of at least two projects which used standard automated
>> procedures (Maven), yet their source releases contained files that
>> should not have been released.
>>
>> Should there be a complaint, it's important that the PMC can show that
>> due diligence was done in checking the source archive contents.
>> This will be easier to prove if the VOTE thread contains details of
>> the SCM tags from which the archive was built.
>>
>> The SCM repo provides traceability of provenance.
>>
>> So please can someone provide the SCM tag(s) that were used to create
>> the source release?
>>
>> > Voting will go on for 24 hours.
>> >
>> > Cheers,
>> >
>> > -Steve
>>
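
An added example, not part of the original thread and not Cordova or ASF tooling: one way to run the archive-versus-tag comparison the message asks for, checking a source tarball against the output of `git ls-tree -r <commit>` for the release commit (the hash, since a tag can move). The function names, the `sample-1.0/` top-level directory and the sample files are constructed for illustration; paths are assumed to contain no tabs or newlines.

```python
import hashlib
import io
import tarfile

def git_blob_sha1(data: bytes) -> str:
    """Object id git assigns to file content: SHA-1 over 'blob <len>', a NUL byte, then data."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def parse_ls_tree(text: str) -> dict:
    """Parse `git ls-tree -r <commit>` lines of the form '<mode> <type> <id><TAB><path>'."""
    tagged = {}
    for line in text.splitlines():
        meta, path = line.split("\t", 1)
        _mode, kind, obj_id = meta.split()
        if kind == "blob":
            tagged[path] = obj_id
    return tagged

def compare_archive(archive: bytes, ls_tree: str, strip: int = 1) -> dict:
    """Report files that are extra, missing or modified relative to the tagged tree."""
    tagged = parse_ls_tree(ls_tree)
    seen, report = set(), {"extra": [], "missing": [], "modified": []}
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Drop the archive's top-level directory (assumed: one leading component).
            path = "/".join(member.name.split("/")[strip:])
            seen.add(path)
            data = tar.extractfile(member).read()
            if path not in tagged:
                report["extra"].append(path)       # e.g. compilation output
            elif git_blob_sha1(data) != tagged[path]:
                report["modified"].append(path)    # content differs from the tag
    report["missing"] = sorted(set(tagged) - seen)  # e.g. a dropped NOTICE file
    return report

def build_sample():
    """Constructed sample: a tagged tree and a tarball built from a dirty workspace."""
    tree = {"LICENSE": b"Apache-2.0\n", "NOTICE": b"notice\n", "src/a.js": b"var a;\n"}
    ls_tree = "\n".join(f"100644 blob {git_blob_sha1(c)}\t{p}" for p, c in tree.items())
    files = {"LICENSE": b"Apache-2.0\n", "src/a.js": b"var a = 1;\n", "build/a.class": b"\xca\xfe"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo("sample-1.0/" + path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue(), ls_tree
```

Recording the commit hash and an empty report in the VOTE thread gives the PMC the evidence of due diligence the message describes.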