jackrabbit-dev mailing list archives

From "Thomas Mueller" <thomas.tom.muel...@gmail.com>
Subject Re: Concerns about release vote behaviour
Date Mon, 21 Apr 2008 14:46:45 GMT

The reason that I don't vote very often is because I am not very
comfortable with it.

I would like to make sure the jar files reflect the source code in the
branch. I would need to compile the source code myself using the same
compiler (JVM) and compare the jar files in binary mode. It would be
good to know what compiler was used.

Checksums: If the checksums are on the same server as the compiled
files, an attacker would only have to replace both files. It probably
makes sense to always distribute the checksums in some other way (for
example in the mail). This was done sometimes, but not always. If
multiple components are going to be released, I would prefer to only
check one file (for example a .zip file that contains all other


On Sun, Apr 20, 2008 at 3:03 PM, Felix Meschberger <fmeschbe@gmail.com> wrote:
> Hi all,
>  I have a growing concern about our latest releases. Most of the time we
>  barely get the required minimum of 3 +1 votes to release the stuff. Take
>  as an example some recent release vote results:
>    * Jackrabbit 1.3.4 - 3 votes
>    * jackrabbit-core 1.4.2 - 4 votes (of which 1 non-binding)
>    * Jackrabbit 1.4 - 4 votes (of which one non-binding -1)
>    * jackrabbit-jcr-commons 1.4.2 - 4 votes
>    * jackrabbit-core 1.4.1 - 4 votes
>    * Jackrabbit 1.3.3 - 5 votes (of which 1 non-binding)
>    * Jackrabbit 1.3.1 - 5 votes (of which 2 non-binding)
>  Now, compared to the number of committers/PMC members we have - 20
>  according to [1] - this is IMHO not enough backing for releases.
>  How come ? Could it be that we just don't feel comfortable enough with
>  the code base we are working on day-on and day-off ? Is it, that we
>  cannot bear the responsibility of releasing some code, we could not test
>  thoroughly ourselves ? I cannot tell. And the reasons for these
>  abstentions are probably none of my business.
>  What I really am looking for is more votes on our releases to show our
>  user community that the Jackrabbit PMC is in fact proud and confident of
>  its product.
>  It is true, that the PMC is responsible for the published releases:
>         The main role of the PMC is not code and not coding - but to
>         ensure that all legal issues are addressed, that procedure is
>         followed, and that each and every release is the product of the
>         community as a whole (see [2]).
>  So a release vote, as I understand it, is not primarily about whether
>  the product code is 100% correct. Rather the question is whether the
>  code was developed correctly with respect to the community and that
>  legal issues have been addressed, e.g. required files such as LICENSE
>  and NOTICE files are in place.
>  And this is actually, what I do when considering my vote:
>    * I get the complete release from the release candidate location
>    * I check all checksums and signatures
>    * I run rat to check for the license headers ([3] and [4])
>    * Check NOTICE files
>  If all goes well, which it normally does, I vote +1. There is nothing
>  more I do. In particular I do not normally test drive the releases. And
>  I do not think, that this is really needed because of the excellent test
>  cases we have and the community constantly working on the code and
>  trying its best to keep it going. In short, I trust in the community
>  (aka developers) in producing good quality code.
>  I hope these words help raise the release vote activity again in the
>  future. I really think Jackrabbit deserves more than just 3 +1 votes on
>  releases.
>  Thanks for your patience and time. Have fun !
>  Regards
>  Felix
>  PS: I uploaded two helper scripts which I use to get (getrelease) and
>  check releases (ckrelease; checksums and signatures only) to [5]. Use as
>  you see fit.
>  [1] http://jackrabbit.apache.org/jackrabbit-team.html
>  [2] http://www.apache.org/foundation/how-it-works.html#pmc
>  [3] http://incubator.apache.org/rat/
>  [4] http://code.google.com/p/arat/
>  [5] http://people.apache.org/~fmeschbe/release_helpers/
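
Added example, not part of either message or of the Jackrabbit release tooling: a sketch of the two checks raised in the reply above, comparing a released jar with a locally rebuilt one entry by entry (a raw binary comparison fails on zip timestamps alone) and checking an artifact against a digest received through a separate channel such as the vote mail. The function names, the use of SHA-256 and the in-memory sample jars are assumptions made for the example.

```python
import hashlib
import hmac
import io
import zipfile


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def entry_digests(jar_bytes):
    """Map each entry name in a jar (zip) to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {info.filename: sha256_hex(jar.read(info))
                for info in jar.infolist() if not info.is_dir()}


def compare_jars(released, rebuilt):
    """Return (only_in_released, only_in_rebuilt, content_differs) as sorted lists."""
    a, b = entry_digests(released), entry_digests(rebuilt)
    only_a = sorted(a.keys() - b.keys())
    only_b = sorted(b.keys() - a.keys())
    differs = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return only_a, only_b, differs


def matches_out_of_band(artifact, expected_hex):
    """Check an artifact against a digest obtained outside the download server."""
    return hmac.compare_digest(sha256_hex(artifact), expected_hex.strip().lower())


def build_sample_jar(entries, timestamp):
    """Constructed sample input: an in-memory jar whose entries share one timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=timestamp), data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed data: same contents, built at two different times.
    classes = {"org/example/Foo.class": b"\xca\xfe\xba\xbe constructed",
               "META-INF/NOTICE": b"constructed notice"}
    released = build_sample_jar(classes, (2008, 4, 20, 15, 3, 0))
    rebuilt = build_sample_jar(classes, (2008, 4, 21, 14, 46, 44))
    print("byte-identical:", released == rebuilt)
    print("entry differences:", compare_jars(released, rebuilt))
    print("digest from mail matches:", matches_out_of_band(released, sha256_hex(released)))
```

Entries that record build details, such as a generated manifest, can still differ between two honest builds and need to be read rather than hashed.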
