incubator-general mailing list archives

From Justin Mclean <jus...@classsoftware.com>
Subject Re: Publishing Maven artifacts under third-party coordinates (was: Set up Nexus staging profile for Dubbo ...)
Date Fri, 11 May 2018 04:15:58 GMT
Hi,

> There is NO WAY to verify a binary. Even compiling from source to binary on
> your machine, and trying to compare against a target binary will generally
> fail since timestamps are embedded. Or maybe there are different compilers
> being used.

As per ASF policy a convenience binary can be released at the same time [1] and it needs to
comply with license and notice policy [2].

It is usually very easy to check a binary (and I’ve done it 100s of times) by uncompressing
the jar or just editing it directly to see what is bundled inside it.

Thanks,
Justin

1. http://www.apache.org/legal/release-policy.html#compiled-packages
2. http://www.apache.org/dev/licensing-howto.html#binary
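
One way to script the check described in the message above (opening the jar to see what is bundled inside it), as an added example that is not part of the original e-mail or of any ASF tooling. The function names, the `own_prefix` parameter and the in-memory sample jar are constructed for illustration.

```python
import io
import zipfile
from collections import Counter

LEGAL_SUFFIXES = ("", ".txt", ".md")


def build_sample_jar() -> bytes:
    """Constructed sample jar (built in memory) standing in for a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("META-INF/LICENSE", "constructed license text\n")
        jar.writestr("org/example/app/Main.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/thirdparty/util/Helper.class", b"\xca\xfe\xba\xbe")
        jar.writestr("lib/bundled-dep.jar", b"PK")
    return buf.getvalue()


def has_legal_file(names, stem: str) -> bool:
    """True if META-INF/<stem>[.txt|.md] exists (case-insensitive)."""
    wanted = {f"meta-inf/{stem}{s}".lower() for s in LEGAL_SUFFIXES}
    return any(n.lower() in wanted for n in names)


def inspect_jar(data: bytes, own_prefix: str) -> dict:
    """Summarise what a jar bundles; own_prefix is the project's package path."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
    packages = Counter()
    for n in names:
        if n.endswith(".class"):
            # Group classes by their first two package segments, e.g. "org/example".
            packages["/".join(n.split("/")[:-1][:2]) or "(default)"] += 1
    return {
        "has_license": has_legal_file(names, "LICENSE"),
        "has_notice": has_legal_file(names, "NOTICE"),
        "foreign_packages": sorted(p for p in packages if not p.startswith(own_prefix)),
        "nested_jars": sorted(n for n in names if n.endswith(".jar")),
    }


if __name__ == "__main__":
    for key, value in inspect_jar(build_sample_jar(), "org/example").items():
        print(f"{key}: {value}")
```

For a real artifact, pass the file's bytes (for example `open(path, "rb").read()`) and the project's own package path; anything listed under `foreign_packages` or `nested_jars` is bundled third-party content to account for in LICENSE and NOTICE.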