incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ted Dunning <ted.dunn...@gmail.com>
Subject Re: Publishing Maven artifacts under third-party coordinates (was: Set up Nexus staging profile for Dubbo ...)
Date Thu, 10 May 2018 18:23:01 GMT
There may be binary convenience artifacts, but let's not dignify them by
the name release. They aren't, after all.



On Thu, May 10, 2018 at 8:56 AM, Matt Sicker <boards@gmail.com> wrote:

> I still minimally require proper gpg signatures on binary artifacts. The
> source artifacts are what get far more scrutiny, but the binaries are
> released on apache.org after all.
>
> On 10 May 2018 at 10:20, Roman Shaposhnik <roman@shaposhnik.org> wrote:
>
> > On Thu, May 10, 2018 at 4:17 AM, sebb <sebbaz@gmail.com> wrote:
> > > On 10 May 2018 at 11:37, Greg Stein <gstein@gmail.com> wrote:
> > >> On Thu, May 10, 2018 at 3:31 AM, Huxing Zhang <huxing@apache.org>
> > wrote:
> > >>
> > >>> Hi,
> > >>>
> > >>> On Thu, May 10, 2018 at 3:59 PM, Willem Jiang <
> willem.jiang@gmail.com>
> > >>> wrote:
> > >>> > Is there any plan for going through the vote process of Binary
> file?
> > >>>
> > >>> Yes, binaries will also go through the vote process.
> > >>
> > >>
> > >> No. It makes no sense.
> > >>
> > >> There is NO WAY to verify a binary. Even compiling from source to
> > binary on
> > >> your machine, and trying to compare against a target binary will
> > generally
> > >> fail since timestamps are embedded. Or maybe there are different
> > compilers
> > >> being used.
> > >>
> > >> The Foundation *never* votes on binaries, because the Foundation DOES
> > NOT
> > >> RELEASE BINARIES. The Foundation only votes/authorizes/releases source
> > >> code. REPEAT: only source code.
> > >>
> > >> Only source. Which is verifiable. Which has provenance.
> > >
> > > The LICENCE and NOTICE files that accompany the binary artifact are
> > > text, and IMO should be checked against the contents of the binary
> > > artifact.
> > > For example, if the binary bundles jars from other projects, the L&N
> > > need to agree with the bundled contents.
> >
> > +1000! That has been a well established practice in the Incubator and
> > as such I see no reason not to keep following it.
> >
> > In addition to that, a reasonable effort should be put into making sure
> > that the binary bundle doesn't drag in bits with incompatible licenses
> > (such as GPL). That's why verifying LICENSE in the binary bundle
> > is NOT a simple exersize of comparing it to the source bundle.
> >
> > Thanks,
> > Roman.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> > For additional commands, e-mail: general-help@incubator.apache.org
> >
> >
>
>
> --
> Matt Sicker <boards@gmail.com>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message