incubator-general mailing list archives

From Willem Jiang <willem.ji...@gmail.com>
Subject Re: How to review so-called "binary releases"?
Date Sat, 16 Feb 2019 13:03:25 GMT
+1 for adding the convenient binaries release check; it could help
lots of incubator projects.

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Feb 14, 2019 at 3:00 PM Huxing Zhang <huxing@apache.org> wrote:
>
> Hi,
>
> On Wed, Nov 21, 2018 at 11:06 AM Roman Shaposhnik <roman@shaposhnik.org> wrote:
> >
> > On Fri, Nov 16, 2018 at 6:59 AM Jim Jagielski <jim@jagunet.com> wrote:
> > >
> > >
> > >
> > > > On Nov 15, 2018, at 2:41 AM, Bertrand Delacretaz <bdelacretaz@codeconsult.ch> wrote:
> > > >
> > > >
> > > > I see this as a two-level thing:
> > > >
> > > > a) The source release is an Act of the Foundation, it is what the
> > > > foundation produces
> > > >
> > > > b) For the binaries, the PMC states that it thinks they are good and
> > > > declares that the published digests and signatures are the correct
> > > > ones. The Foundation does not state anything about them - use at your
> > > > own risk but in practice that risk is very low if the PMC members
> > > > collectively recommend using them.
> > > >
> > > > That's not very different from what other open source projects do - we
> > > > need a) for our legal shield but b) is exactly like random open source
> > > > projects operate.
> > > >
> > > > You have to trust an open source project when you use their binaries,
> > > > and you can use digests and signatures to verify that those binaries
> > > > are the same that everyone else uses - I don't think anyone provides
> > > > more guarantees than that, except when you pay for someone to state
> > > > that those binaries are good.
> > > >
> > > > If people agree with this view we might need to explain this better,
> > > > "unofficial" does not mean much, this two-level view might be more
> > > > useful.
> > >
> > > Agree 100%. Thx for very clearly and accurately describing all this.
> >
> > +1 to this as well.
>
> +1 for what Bertrand said.
> I have a quick question from a podling's perspective: should the
> decision to release convenient binaries be left to the PPMC or the IPMC?
>
> >
> > In fact, I love it so much that I'd like to have it published as part of our
> > official guide:
> >    http://www.apache.org/legal/release-policy.html#compiled-packages
> >
> > Any objections?
>
> +1 to add it to the documentation, so that we do not have to search
> for mail archives.
> Besides [1], I think it is also better to add it to [2]. I noticed it
> uses "binary distribution" rather than "binary release",
> so maybe we should avoid using "binary release".
>
> For how to do the check for a binary distribution, I also suggest adding
> it to [3].
> For example:
> If the source release is accompanied by convenient binaries, we should check:
> - Do the LICENSE and NOTICE texts exactly represent the contents of
> the distribution they reside in?
> - Do the jar files include LICENSE/NOTICE/DISCLAIMER?
>
> Correct me if I am wrong.
>
> [1] http://www.apache.org/legal/release-policy.html#compiled-packages
> [2] http://www.apache.org/dev/licensing-howto.html#binary
> [3] https://wiki.apache.org/incubator/IncubatorReleaseChecklist
>
>
> >
> > Thanks,
> > Roman.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> > For additional commands, e-mail: general-help@incubator.apache.org
> >
>
>
> --
> Best Regards!
> Huxing
>

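The two checks the thread circles around, verifying a published digest and confirming each convenience jar carries LICENSE/NOTICE/DISCLAIMER, as an added example that is not part of this thread or of any Apache tooling. It assumes the usual `META-INF/` placement (with or without a `.txt` suffix) and the `sha512sum` line format; the jars it inspects are constructed in memory.

```python
import hashlib
import io
import zipfile

# Files every convenience jar is expected to carry under META-INF/ (the
# DISCLAIMER applies to incubating podlings). Checked case-insensitively,
# with or without a .txt suffix; that naming convention is an assumption.
REQUIRED = ("LICENSE", "NOTICE", "DISCLAIMER")

def sha512_matches(archive: bytes, digest_line: str) -> bool:
    """True if the archive's SHA-512 equals the first field of a .sha512 line."""
    expected = digest_line.split()[0].lower()
    return hashlib.sha512(archive).hexdigest() == expected

def missing_metadata(jar_bytes: bytes) -> list:
    """Return the REQUIRED files a jar lacks; an empty list means the jar is fine."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = {n.upper() for n in jar.namelist()}
    return [f for f in REQUIRED
            if f"META-INF/{f}" not in names and f"META-INF/{f}.TXT" not in names]

def check_distribution(jars: dict) -> dict:
    """Map each jar name to its missing files, keeping only jars that fail."""
    report = {name: missing_metadata(data) for name, data in jars.items()}
    return {name: miss for name, miss in report.items() if miss}

def build_jar(entries: dict) -> bytes:
    """Constructed sample input: build an in-memory jar from {path: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample distribution: one compliant jar and one missing files.
GOOD_JAR = build_jar({"META-INF/LICENSE": "Apache-2.0 text",
                      "META-INF/NOTICE": "Apache Foo (incubating)",
                      "META-INF/DISCLAIMER": "incubating disclaimer",
                      "org/example/Foo.class": "bytecode"})
BAD_JAR = build_jar({"META-INF/LICENSE.txt": "Apache-2.0 text",
                     "org/example/Bar.class": "bytecode"})
SAMPLE = {"foo-1.0.jar": GOOD_JAR, "foo-extra-1.0.jar": BAD_JAR}
# A .sha512 line as `sha512sum` would write it for the good jar.
GOOD_DIGEST = hashlib.sha512(GOOD_JAR).hexdigest() + "  foo-1.0.jar"

if __name__ == "__main__":
    print("digest ok:", sha512_matches(GOOD_JAR, GOOD_DIGEST))
    print("failing jars:", check_distribution(SAMPLE))
```

The digest check only confirms the bytes match what the PMC published; the PGP signature against the project's KEYS file is the separate step that ties that digest to the release manager.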

