hadoop-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Patrick Hunt <ph...@apache.org>
Subject Re: additional source only release tarball
Date Thu, 25 Feb 2010 18:45:02 GMT
Ok, that's good to know. Thanks.


Doug Cutting wrote:
> Patrick Hunt wrote:
>> Ah, thanks for clarify that Doug. To take it a bit further, when you 
>> say "bug" you really mean "serious breach of Apache process/rules", 
>> would that be valid? i.e. it would be something that the responsible 
>> Apache team should work to address with highest of priority.
> To some degree that depends on the Apache project.  I don't know of a 
> project that does not create release tags and that would accept an 
> incorrect one lightly.  That said, release tags are not required nor 
> authoritative: the thing that counts is the signed artifact.
> I'd certainly encourage developers to leverage tags when convenient 
> e.g., for automated testing against and comparison with prior releases, 
> for IDE source browsing, etc.  But if someone wants to package an 
> alternate distribution of an Apache release, I think they're better 
> starting from the release artifact than the tag.  The artifact can be 
> validated against the signature at http://www.apache.org/dist/, while 
> there's currently no good means of validating the contents of a tag.  I 
> suppose one could rebuild the tarball from the tag and try to validate 
> its checksum against that at http://www.apache.org/dist/, but that seems 
> both fragile and less secure.
> Doug

View raw message