maven-dev mailing list archives

From Dennis Lundberg <denn...@apache.org>
Subject Re: [VOTE] Release Apache Maven Model Converter version 2.3
Date Wed, 14 Aug 2013 20:21:28 GMT
On Wed, Aug 14, 2013 at 10:47 AM, sebb <sebbaz@gmail.com> wrote:

> On 13 August 2013 18:58, Dennis Lundberg <dennisl@apache.org> wrote:
> > On Tue, Aug 13, 2013 at 12:30 AM, sebb <sebbaz@gmail.com> wrote:
> >> On 12 August 2013 20:10, Jason van Zyl <jason@tesla.io> wrote:
> >>>
> >>>>>
> >>>>> I have now read the threads that are referring to, and have not found
> >>>>> a single link to any ASF rule stating that we need to include these
> >>>>> things in a VOTE thread.
> >>>>
> >>>> So how do you propose that reviewers check the provenance of the files
> >>>> in the source release?
> >>>
> >>> Are you looking for files that are in a distribution that didn't come
> >>> from source control? Everything else as far as provenance goes is covered.
> >>> Errant content is a potential problem, but everything in a distribution
> >>> should come from source control which no one has access to until they have
> >>> a signed CLA on file.
> >>
> >> Yes. That is where the whole saga started.
> >>
> >> Proving provenance is why the SCM coordinates are needed for the vote.
> >>
> >> The SCM details may also be useful to discover files accidentally
> >> omitted from the source archive.
> >
> > You want to compare the contents of the *-source-release.zip with
> > something from SCM, to make sure nothing bad has crept into the source
> > bundle. So you need to know where in SCM you can find it. Have I
> > understood you correctly?
>
> It's vital to be able to link the files in the source release
> archive(s) to their origin in SCM.
>
> The provenance of any source files the ASF releases must be clearly
> traceable.
>

This information is clearly traceable and available to anyone who wants to
review a release made by the Maven project. Our process uses the Release
Plugin, which will put the POM from the SCM tag in the staging directory
along with the source-release.zip. In that POM you will find the URL to the
original sources in SCM.



>
> >>> Thanks,
> >>>
> >>> Jason
> >>>
> >>> ----------------------------------------------------------
> >>> Jason van Zyl
> >>> Founder,  Apache Maven
> >>> http://twitter.com/jvanzyl
> >>> ---------------------------------------------------------
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> >> For additional commands, e-mail: dev-help@maven.apache.org
> >>
> >
> >
> >
> > --
> > Dennis Lundberg
> >
>
> --
> Dennis Lundberg <dev-help@maven.apache.org>
>
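
The check discussed in this thread, as an added example that is not part of any message and is not Maven project code: it reads the `<scm>` section of a staged POM and compares a source-release zip against an already exported copy of the tag. The sample POM, its URL, the file names and all function names are constructed for illustration, and the POM is assumed to use the standard 4.0.0 namespace.

```python
import hashlib, io, tempfile, zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Constructed sample POM; host and path are placeholders.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><scm>
  <connection>scm:svn:https://svn.example.invalid/demo/tags/demo-1.0</connection>
</scm></project>"""

def scm_coordinates(pom_xml):
    """Return the children of the POM's <scm> element as {name: text}."""
    scm = ET.fromstring(pom_xml).find("m:scm", NS)
    if scm is None:
        raise ValueError("POM has no <scm> section")
    return {el.tag.split("}")[-1]: (el.text or "").strip() for el in scm}

def archive_digests(zip_bytes):
    """path -> SHA-256 for each file in the zip, top-level directory stripped."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename.split("/", 1)[-1]: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def checkout_digests(root):
    """path -> SHA-256 for each file in the exported tag, SCM metadata skipped."""
    root = Path(root)
    files = (p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files if not {".svn", ".git"} & set(p.relative_to(root).parts)}

def compare(zip_bytes, checkout_root):
    """Report files added to, dropped from, or changed in the release archive."""
    rel, scm = archive_digests(zip_bytes), checkout_digests(checkout_root)
    return {"extra": sorted(rel.keys() - scm.keys()),
            "missing": sorted(scm.keys() - rel.keys()),
            "modified": sorted(k for k in rel.keys() & scm.keys() if rel[k] != scm[k])}

def demo():  # constructed checkout and archive that differ in three ways
    with tempfile.TemporaryDirectory() as d:
        tag = Path(d)
        (tag / ".svn").mkdir()
        for name, text in [("pom.xml", "<project/>"), ("README.txt", "from tag"),
                           ("NOTICE", "notice"), (".svn/entries", "metadata")]:
            (tag / name).write_text(text)
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("demo-1.0/pom.xml", "<project/>")
            zf.writestr("demo-1.0/README.txt", "edited after tagging")
            zf.writestr("demo-1.0/stray.jar", "not in SCM")
        return compare(buf.getvalue(), tag)
```

In practice the second argument to `compare` would be a directory produced by exporting the tag named in the POM's `<scm>` section.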
