incubator-general mailing list archives

From Bertrand Delacretaz <bdelacre...@apache.org>
Subject Re: [VOTE] Apache Drill 0.6.0-incubating release
Date Mon, 13 Oct 2014 14:30:05 GMT
On Mon, Oct 13, 2014 at 4:14 PM, Julian Hyde <julianhyde@gmail.com> wrote:
>
> For many projects, especially "library" projects, the "convenient binaries" that matter
> most these days are the jars (source, binary, and javadoc) that are deployed to the maven repo...

> ...Are these jars subjected to due diligence during the release vote?...

In projects where I'm active there's reasonable due diligence as the
build processes are automated in a way that allows you to trust the
build if that's done by someone that you trust.

That being said, we don't make any guarantees about those jars, so in
the end users can either choose to trust the build and distribution
process, or build the required jars themselves from a trusted source.

In the case of Maven, the ASF doesn't control the distribution
process, so it's not a safe channel without signatures or trusted
digests, and I don't think Maven allows for those at the moment. So
even the best due diligence wouldn't really help for these binaries.

-Bertrand

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

