jackrabbit-dev mailing list archives
From "Jukka Zitting" <jukka.zitt...@gmail.com>
Subject Re: Concerns about release vote behaviour
Date Mon, 21 Apr 2008 15:36:55 GMT

On Mon, Apr 21, 2008 at 5:46 PM, Thomas Mueller
<thomas.tom.mueller@gmail.com> wrote:
>  The reason that I don't vote very often is because I am not very
>  comfortable with it.
>  I would like to make sure the jar files reflect the source code in the
>  branch. I would need to compile the source code myself using the same
>  compiler (JVM) and compare the jar files in binary mode. It would be
>  good to know what compiler was used.

The important release artifact to check is the source archive; the
binary artifacts are mostly a convenience to users. Personally I trust
the release manager to have compiled things correctly, so I generally
just check the checksums of the binaries and try to spot any obvious
surprises in binary artifact sizes. Sometimes I also deploy the
binaries to a test installation and try them out, but only if I feel
like it and have the extra time. In general there's no good way to
review binaries, so you in any case need to trust the release manager
to some extent.

>  Checksums: If the checksums are on the same server as the compiled
>  files, an attacker would only have to replace both files. It probably
>  makes sense to always distribute the checksums in some other way (for
>  example in the mail). This was done sometimes, but not always.

+1. I've recently started including the checksums in the VOTE messages
for exactly this reason.

>  If multiple components are going to be released, I would prefer to only
>  check one file (for example a .zip file that contains all other files).

As mentioned above, the only really important file is the source archive.

At some point I've even considered whether it would be OK to separate
at least the Maven repository update from the release vote. We would
first vote on a pure source release (packaged svn export of a tag),
and if the vote passes the release manager could then run "mvn deploy"
on the approved sources without a separate review. I'm not sure how
well this would play out with Apache policies, but it would make
releasing much simpler.
Jukka Zitting

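The point raised in the thread about checksums living on the same server as the artifacts can be shown concretely. The following is an added example, not code from the Jackrabbit project or from either author: it models an attacker who replaces both the artifact and the .sha256 file hosted next to it, and checks the tampered download once against the server-hosted checksum and once against a checksum pasted into the VOTE mail. The artifact bytes, the file name "jackrabbit-1.4-src.zip", the VOTE mail text and the use of SHA-256 are all constructed for the example (the original discussion does not say which hash was used).

```python
"""Verify a release artifact against checksums from an out-of-band channel
(the VOTE mail) instead of from the download server itself.

Added example; not Jackrabbit project code. The artifact bytes, file name
and checksum lines below are constructed for illustration.
"""
import hashlib
import hmac
import re

ARTIFACT_NAME = "jackrabbit-1.4-src.zip"  # assumed file name, not from the thread
# Constructed stand-in for the source archive that was voted on.
GOOD_ARTIFACT = b"PK\x03\x04 constructed sample bytes standing in for the source archive\n"

# 'digest  filename' or 'digest *filename', as sha256sum prints it.
CHECKSUM_LINE = re.compile(r"^\s*([0-9a-fA-F]{64})\s+\*?(\S+)\s*$")


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an artifact, hex-encoded like sha256sum output."""
    return hashlib.sha256(data).hexdigest()


def parse_checksum_lines(text: str) -> dict:
    """Collect {filename: digest} from sha256sum-style lines in a VOTE mail or
    a .sha256 file; surrounding prose (vote text, headers) is skipped."""
    expected = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line)
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_artifact(name: str, data: bytes, expected: dict) -> bool:
    """True only if `name` has an announced digest and `data` hashes to it.
    compare_digest is not needed for a local file check, but it is the right
    habit for any digest comparison."""
    announced = expected.get(name)
    if announced is None:
        return False
    return hmac.compare_digest(sha256_hex(data), announced)


def vote_mail_for(data: bytes) -> str:
    """Constructed VOTE mail body carrying the release manager's checksum."""
    return (
        "[VOTE] Release Apache Jackrabbit 1.4\n"
        "\n"
        "SHA-256 checksums of the artifacts:\n"
        f"{sha256_hex(data)}  {ARTIFACT_NAME}\n"
    )


def same_server_vs_out_of_band(vote_mail: str):
    """Model an attacker who swaps both the artifact and the .sha256 file
    hosted beside it. Returns (verdict using the server-hosted checksum,
    verdict using the checksum taken from the VOTE mail)."""
    tampered = GOOD_ARTIFACT + b"\n# attacker-added content\n"
    # The attacker regenerates the checksum file so it matches the tampered bytes.
    server_sha256_file = f"{sha256_hex(tampered)}  {ARTIFACT_NAME}\n"
    same_server = verify_artifact(
        ARTIFACT_NAME, tampered, parse_checksum_lines(server_sha256_file))
    out_of_band = verify_artifact(
        ARTIFACT_NAME, tampered, parse_checksum_lines(vote_mail))
    return same_server, out_of_band


if __name__ == "__main__":
    mail = vote_mail_for(GOOD_ARTIFACT)
    print("genuine artifact vs VOTE mail:",
          verify_artifact(ARTIFACT_NAME, GOOD_ARTIFACT, parse_checksum_lines(mail)))
    print("tampered artifact (server .sha256, VOTE mail):",
          same_server_vs_out_of_band(mail))
```

Run as a script it reports True for the genuine archive against the mailed checksum, and (True, False) for the tampered one: the checksum file on the compromised server agrees with the tampered bytes, while the digest that travelled in the VOTE mail does not. A checksum only adds assurance when it arrives over a channel the attacker who controls the download server does not also control; the same reasoning is why a signature from a key held by the release manager is stronger still.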