incubator-general mailing list archives

From Greg Stein <gst...@gmail.com>
Subject Re: Publishing Maven artifacts under third-party coordinates (was: Set up Nexus staging profile for Dubbo ...)
Date Thu, 10 May 2018 10:37:55 GMT
On Thu, May 10, 2018 at 3:31 AM, Huxing Zhang <huxing@apache.org> wrote:

> Hi,
>
> On Thu, May 10, 2018 at 3:59 PM, Willem Jiang <willem.jiang@gmail.com>
> wrote:
> > Is there any plan for going through the vote process of Binary file?
>
> Yes, binaries will also go through the vote process.


No. It makes no sense.

There is NO WAY to verify a binary. Even compiling from source to binary on
your machine, and trying to compare against a target binary will generally
fail since timestamps are embedded. Or maybe there are different compilers
being used.

The Foundation *never* votes on binaries, because the Foundation DOES NOT
RELEASE BINARIES. The Foundation only votes/authorizes/releases source
code. REPEAT: only source code.

Only source. Which is verifiable. Which has provenance.

Regards,
-g
(Member, skipping my Infra hat)
