incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roman Shaposhnik <ro...@shaposhnik.org>
Subject Re: How to review so-called "binary releases"?
Date Wed, 21 Nov 2018 03:05:49 GMT
On Fri, Nov 16, 2018 at 6:59 AM Jim Jagielski <jim@jagunet.com> wrote:
>
>
>
> > On Nov 15, 2018, at 2:41 AM, Bertrand Delacretaz <bdelacretaz@codeconsult.ch>
wrote:
> >
> >
> > I see this as a two-level thing:
> >
> > a) The source release is an Act of the Foundation, it is what the
> > foundation produces
> >
> > b) For the binaries, the PMC states that it thinks they are good and
> > declares that the published digests and signatures are the correct
> > ones. The Foundation does not state anything about them - use at your
> > own risk but in practice that risk is very low if the PMC members
> > collectively recommend using them.
> >
> > That's not very different from what other open source projects do - we
> > need a) for our legal shield but b) is exactly like random open source
> > projects operate.
> >
> > You have to trust an open source project when you use their binaries,
> > and you can use digests and signatures to verify that those binaries
> > are the same that everyone else uses - I don't think anyone provides
> > more guarantees than that, except when you pay for someone to state
> > that those binaries are good.
> >
> > If people agree with this view we might need to explain this better,
> > "unofficial" does not mean much, this two-level view might be more
> > useful.
>
> Agree 100%. Thx for very clearly and accurately describing all this.

+1 to this as well.

In fact, I love it so much that I'd like to have it published as part of our
official guide:
   http://www.apache.org/legal/release-policy.html#compiled-packages

Any objections?

Thanks,
Roman.

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message