jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: Concerns about release vote behaviour
Date Mon, 21 Apr 2008 19:28:16 GMT
On Apr 21, 2008, at 11:47 AM, Thomas Mueller wrote:

> Hi,
>
>> The important release artifact to check is the source archive, the
>> binary artifacts are mostly a convenience to users.
>
>> The binaries are irrelevant.
>
> OK, I understand, but I don't agree. Most users download the binaries;
> very few download the source code and even less build the binaries

Apache's users download the source code and build from source.
Jukka's users may just run the binaries.

> themselves. I think the binaries are important. If the release scripts
> are correct the binaries should be correct. But then, if the release
> scripts are correct then 'rat' is already run and I don't need to do
> that again... The binaries could contain a virus (there are some Java
> viruses). I know that some developers disabled the virus scanner (well
> I do that sometimes). Probably it's not that urgent, but maybe when we
> have time to improve the release process we find a solution for that
> as well.

Thomas, there is no way to verify that a binary is redistributable
without building the entire computer from trusted sources each time.
That's why we don't vote on binaries.  Don't waste your abilities on
testing binaries when we need them to test the source code.

Allow me to repeat: WE DON'T VOTE ON BINARIES.  We CAN'T vote on  
binaries.
To vote would imply that we have the magical ability to evaluate them on
behalf of the ASF.  None of us has that ability.  That's why the ASF  
does
not release binaries!

If it really becomes too hard for folks to understand that the binaries
do not matter, then I will ask the RM to stop building binaries.  They
don't belong in the release vote, period.  Is that clear?  The HTTP  
Server
project has never, in its entire history, voted on the release of  
binaries.
Apache Jackrabbit has no reason to do so now.  We let Jukka upload  
binaries
that he has built from the released source code bits because we trust
Jukka, not because we trust the binaries.

....Roy

Mime
View raw message