maven-dev mailing list archives

From Jörg Schaible <Joerg.Schai...@scalaris.com>
Subject Re: [VOTE] Release Apache Maven Model Converter version 2.3
Date Thu, 15 Aug 2013 08:50:33 GMT
Hi Olivier,

Olivier Lamy wrote:

> On 15 August 2013 08:53, sebb <sebbaz@gmail.com> wrote:
>> On 14 August 2013 21:21, Dennis Lundberg <dennisl@apache.org> wrote:
>>> On Wed, Aug 14, 2013 at 10:47 AM, sebb <sebbaz@gmail.com> wrote:
>>>
>>>> On 13 August 2013 18:58, Dennis Lundberg <dennisl@apache.org> wrote:
>>>> > On Tue, Aug 13, 2013 at 12:30 AM, sebb <sebbaz@gmail.com> wrote:
>>>> >> On 12 August 2013 20:10, Jason van Zyl <jason@tesla.io> wrote:
>>>> >>>
>>>> >>>>>
>>>> >>>>> I have now read the threads that are referring to, and have not
>>>> >>>>> found a single link to any ASF rule stating that we need to
>>>> >>>>> include these things in a VOTE thread.
>>>> >>>>
>>>> >>>> So how do you propose that reviewers check the provenance of the
>>>> >>>> files in the source release?
>>>> >>>
>>>> >>> Are you looking for files that are in a distribution that didn't
>>>> >>> come from source control? Everything else as far as provenance goes
>>>> >>> is covered. Errant content is a potential problem, but everything in
>>>> >>> a distribution should come from source control which no one has
>>>> >>> access to until they have a signed CLA on file.
>>>> >>
>>>> >> Yes. That is where the whole saga started.
>>>> >>
>>>> >> Proving provenance is why the SCM coordinates are needed for the
>>>> >> vote.
>>>> >>
>>>> >> The SCM details may also be useful to discover files accidentally
>>>> >> omitted from the source archive.
>>>> >
>>>> > You want to compare the contents of the *-source-release.zip with
>>>> > something from SCM, to make sure nothing bad has crept into the source
>>>> > bundle. So you need to know where in SCM you can find it. Have I
>>>> > understood you correctly?
>>>>
>>>> It's vital to be able to link the files in the source release
>>>> archive(s) to their origin in SCM.
>>>>
>>>> The provenance of any source files the ASF releases must be clearly
>>>> traceable.
>>>>
>>>
>>> This information is clearly traceable and available to anyone who wants
>>> to review a release made by the Maven project. Our process uses the
>>> Release Plugin, which will put the POM from the SCM tag in the staging
>>> directory along with the source-release.zip. In that POM you will find
>>> the URL to the original sources in SCM.
>>>
>>
>> As has already been pointed out, SVN tags are not immutable, so the
>> tag name alone is not sufficient.
> 
> I think Stephen perfectly summed up the situation.
> If you're not happy follow that.
> 
> But please STOP the troll!

The Maven PMC has made clear that it knows about the problems and wants to 
ignore them. However, please understand that Sebb is playing devil's advocate 
here, because the same release process is used for other Apache projects 
where the PMCs will *not* ignore these flaws. Sebb is more or less pestering 
you, because he is tired of having the same discussions in projects where he 
*is* PMC and is therefore responsible for the release. So, it is a bit 
short-sighted to declare him a troll, simply because you (the Maven PMC) 
decided to ignore the problem.

- Jörg
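
Added example, not part of the original message or of Maven's release tooling: one way a reviewer could carry out the check discussed in the quoted thread, comparing a `*-source-release.zip` against a local export of the SCM tag and listing files that did not come from source control, files omitted from the archive, and files whose content differs. It assumes the tag was already exported at a fixed revision into a local directory (the thread notes that SVN tags are not immutable); the function names and the `strip_prefix` parameter are hypothetical.

```python
import hashlib
import zipfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_digests(zip_path, strip_prefix=""):
    """Map relative path -> SHA-256 for every regular file in the archive."""
    digests = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Assumption: the archive wraps everything in one top-level folder.
            if strip_prefix and name.startswith(strip_prefix):
                name = name[len(strip_prefix):]
            digests[name] = _sha256(zf.read(info))
    return digests


def tree_digests(root, ignore_dirs=(".svn", ".git")):
    """Map relative path -> SHA-256 for every file under the SCM export."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        # Skip SCM metadata directories; they are never part of a release.
        if path.is_file() and not any(p in ignore_dirs for p in rel.parts):
            digests[rel.as_posix()] = _sha256(path.read_bytes())
    return digests


def compare_release(zip_path, scm_root, strip_prefix=""):
    """Report files only in the archive, only in SCM, or differing in content."""
    rel = archive_digests(zip_path, strip_prefix)
    scm = tree_digests(scm_root)
    common = rel.keys() & scm.keys()
    return {
        "only_in_archive": sorted(rel.keys() - scm.keys()),
        "only_in_scm": sorted(scm.keys() - rel.keys()),
        "content_differs": sorted(p for p in common if rel[p] != scm[p]),
    }
```

Files a build legitimately generates into the archive will show up under `only_in_archive` and need to be accounted for by hand.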

