incubator-general mailing list archives

From Greg Stein <>
Subject Re: [VOTE] Apache OpenOffice Community Graduation Vote
Date Tue, 21 Aug 2012 03:05:00 GMT
On Mon, Aug 20, 2012 at 10:55 PM, Prescott Nasser <> wrote:
> I'm sorry, I'm playing catch-up and I'm a bit unclear on the argument - Marvin said:
> "If the podling believes that ASF-endorsed binaries are a hard requirement,
> then it seems to me that the ASF is not yet ready for AOO and will not be
> until suitable infrastructure and legal institutions to support binary
> releases (sterile build machines, artifact signing, etc) have been created
> and a policy has been endorsed by the Board." Is AOO not able to determine that for them
> a binary is a hard requirement for their releases (along with source code)? I would think
> that ASF puts a minimum requirement on what an official release is, not a limit. Why is there
> a requirement for special infrastructure? (perhaps that is due to the size of AOO?) Speaking
> just from the Lucene.Net perspective, I would consider our binaries (and nuget packages) as
> official - even if ASF does not specifically allow for "official releases or officially endorsed
> binaries" - what else would they be? They were built and put up by the same guys releasing
> the source code.

The simplest response is that source releases can be audited by (P)PMC
members. Binary releases cannot. If they cannot be audited, then how
can the ASF stand behind those releases? How can they state that the
releases are free of viruses/trojans/etc, and that the binary
precisely matches the compiled/built output of the audited source

That is the first and hardest issue about having the ASF provide
authenticated binaries.

