Subject: Re: [VOTE] Release Apache Maven Model Converter version 2.3
From: Fred Cooke
To: Maven Developers List (dev@maven.apache.org)
Date: Thu, 15 Aug 2013 22:02:00 +0200

Dennis, effectively what is required is a statement like this: "I believe that I've released XYZ binaries from ABC sources (tarball + N patches, SCM, whatever)" with enough info to exactly identify what XYZ and ABC are (checksums, URLs, revisions, etc.) without guessing and duplicated research/looking up by everyone who wants to check.

If you just say "here's the binaries" then you have to put a LOT more work in to figure out the source to compare with, and thus trace history, and thus know that they're legit, or not. That's the problem. No statement is being made about what the release manager thinks they've released. Thus that release could be from a wrong Git branch by accident, for example, or any number of other things. E.g. POM edited to not be snapshots and manual build done with changes made, etc.

PS, it's ****ing GREAT that Jason stepped up and said what he said. Amen to that! More fine leadership.

Regards,

Fred.
On Thu, Aug 15, 2013 at 9:37 PM, Dennis Lundberg wrote:

> On Thu, Aug 15, 2013 at 10:50 AM, Jörg Schaible <Joerg.Schaible@scalaris.com> wrote:
> >
> > Hi Oliver,
> >
> > Olivier Lamy wrote:
> >
> > > On 15 August 2013 08:53, sebb wrote:
> > >> On 14 August 2013 21:21, Dennis Lundberg wrote:
> > >>> On Wed, Aug 14, 2013 at 10:47 AM, sebb wrote:
> > >>>
> > >>>> On 13 August 2013 18:58, Dennis Lundberg wrote:
> > >>>> > On Tue, Aug 13, 2013 at 12:30 AM, sebb wrote:
> > >>>> >> On 12 August 2013 20:10, Jason van Zyl wrote:
> > >>>> >>>
> > >>>> >>>>>
> > >>>> >>>>> I have now read the threads that are referring to, and have not
> > >>>> >>>>> found a single link to any ASF rule stating that we need to
> > >>>> >>>>> include these things in a VOTE thread.
> > >>>> >>>>
> > >>>> >>>> So how do you propose that reviewers check the provenance of the
> > >>>> >>>> files in the source release?
> > >>>> >>>
> > >>>> >>> Are you looking for files that are in a distribution that didn't
> > >>>> >>> come from source control? Everything else as far as provenance goes is
> > >>>> >>> covered. Errant content is a potential problem, but everything in a
> > >>>> >>> distribution should come from source control which no one has access to
> > >>>> >>> until they have a signed CLA on file.
> > >>>> >>
> > >>>> >> Yes. That is where the whole saga started.
> > >>>> >>
> > >>>> >> Proving provenance is why the SCM coordinates are needed for the
> > >>>> >> vote.
> > >>>> >>
> > >>>> >> The SCM details may also be useful to discover files accidentally
> > >>>> >> omitted from the source archive.
> > >>>> >
> > >>>> > You want to compare the contents of the *-source-release.zip with
> > >>>> > something from SCM, to make sure nothing bad has crept into the source
> > >>>> > bundle. So you need to know where in SCM you can find it. Have I
> > >>>> > understood you correctly?
> > >>>>
> > >>>> It's vital to be able to link the files in the source release
> > >>>> archive(s) to their origin in SCM.
> > >>>>
> > >>>> The provenance of any source files the ASF releases must be clearly
> > >>>> traceable.
> > >>>>
> > >>>
> > >>> This information is clearly traceable and available to anyone who wants
> > >>> to review a release made by the Maven project. Our process uses the
> > >>> Release Plugin, which will put the POM from the SCM tag in the staging
> > >>> directory along with the source-release.zip. In that POM you will find
> > >>> the URL to the original sources in SCM.
> > >>>
> > >>
> > >> As has already been pointed out, SVN tags are not immutable, so the
> > >> tag name alone is not sufficient.
> > >
> > > I think Stephen perfectly sums up the situation.
> > > If you're not happy, follow that.
> > >
> > > But please STOP the troll!
> >
> > The Maven PMC has made clear that it knows about the problems and wants to
> > ignore them. However, please understand that Sebb is playing devil's advocate
> > here, because the same release process is used for other Apache projects
> > where the PMCs will *not* ignore these flaws. Sebb is more or less pestering
> > you, because he is tired of having the same discussions in projects where he
> > *is* PMC and is therefore responsible for the release. So, it is a bit
> > short-sighted to declare him a troll, simply because you (the Maven PMC) decided
> > to ignore the problem.
>
> Hi Jörg,
>
> Personally I'm not ignoring the problem, and I don't think anyone else is
> either.
>
> I am trying to understand what the problem is, because I cannot see it.
> Therefore I ask questions to try to find out what the problem is and then,
> and only then, decide if/how to solve it.
>
> >
> > - Jörg
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> > For additional commands, e-mail: dev-help@maven.apache.org
>
> --
> Dennis Lundberg
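The check the thread keeps circling back to (compare the *-source-release.zip with the SCM contents at a pinned revision, since a tag name alone can be moved) and the statement Fred asks the release manager to make, written out as an added example. This is not code from the thread, from the Maven project or from the Release Plugin. It assumes the reviewer has already exported the tagged sources at a specific revision into a directory (for Subversion, `svn export -r REV URL`), and that the archive wraps its contents in a single top-level directory as Maven source-release bundles do. All file contents, the archive name, the SCM URL and the revision number in the demo are constructed.

```python
"""Verify a source-release archive against an SCM export and emit a provenance statement.

Added example, not part of the mailing-list thread. Reports files that differ,
files missing from the archive, and files in the archive that are not under
source control ("errant content"). Sample data below is constructed.
"""
import hashlib
import os
import tempfile
import zipfile

SCM_METADATA_DIRS = {".svn", ".git"}  # never part of a release, so never compared


def sha256_bytes(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large archives are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_tree(root):
    """Map relative POSIX path -> SHA-256 for every file under an SCM export."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SCM_METADATA_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def digest_zip(path, strip_top_dir=True):
    """Map archive member path -> SHA-256. The single top-level directory that
    release bundles use ("artifact-2.3/") is stripped so paths line up."""
    digests = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if strip_top_dir and "/" in name:
                name = name.split("/", 1)[1]
            digests[name] = sha256_bytes(zf.read(info))
    return digests


def compare(scm, archive):
    """Three-way diff of two path -> digest maps."""
    common = scm.keys() & archive.keys()
    return {
        "missing_from_archive": sorted(scm.keys() - archive.keys()),
        "not_in_scm": sorted(archive.keys() - scm.keys()),
        "modified": sorted(p for p in common if scm[p] != archive[p]),
    }


def provenance_statement(archive_path, scm_url, revision, report):
    """The statement a release manager should be able to make: which archive
    (by checksum) came from which SCM location (URL plus immutable revision,
    not just a tag name), and whether the two actually agree."""
    verdict = "MATCHES" if not any(report.values()) else "DOES NOT MATCH"
    lines = [
        "Archive : %s" % os.path.basename(archive_path),
        "SHA-256 : %s" % sha256_file(archive_path),
        "Source  : %s@%s" % (scm_url, revision),
        "Result  : archive %s SCM export" % verdict,
    ]
    for key in ("missing_from_archive", "not_in_scm", "modified"):
        for path in report[key]:
            lines.append("  %-21s %s" % (key + ":", path))
    return "\n".join(lines)


def run_demo():
    """Constructed scenario: one file edited after export, one hand-made file
    added to the bundle, one file left out of it. Returns the report."""
    scm_files = {
        "pom.xml": b"<project><version>2.3</version></project>\n",
        "src/main/java/App.java": b"public class App {}\n",
        "README.txt": b"Maven Model Converter\n",
    }
    archive_files = {
        "pom.xml": scm_files["pom.xml"],                                    # unchanged
        "src/main/java/App.java": b"public class App { /* edited */ }\n",   # modified after export
        "build-notes.txt": b"hand-written, never committed\n",              # errant content
        # README.txt deliberately omitted from the archive
    }
    with tempfile.TemporaryDirectory() as tmp:
        export = os.path.join(tmp, "export")
        os.makedirs(os.path.join(export, ".svn"))
        with open(os.path.join(export, ".svn", "entries"), "wb") as fh:
            fh.write(b"12\n")  # metadata that must be ignored, not reported
        for rel, data in scm_files.items():
            full = os.path.join(export, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        zip_path = os.path.join(tmp, "example-2.3-source-release.zip")
        with zipfile.ZipFile(zip_path, "w") as zf:
            for rel, data in archive_files.items():
                zf.writestr("example-2.3/" + rel, data)
        report = compare(digest_tree(export), digest_zip(zip_path))
        # constructed URL and revision, placeholders for the real tag coordinates
        print(provenance_statement(zip_path, "https://svn.example.invalid/repo/tags/example-2.3", "r123456", report))
    return report


if __name__ == "__main__":
    run_demo()
```

Run it directly to see the statement for the constructed scenario; for a real vote, point `digest_tree` at the directory produced by the pinned-revision export and `digest_zip` at the staged archive, and any non-empty list is a finding to raise on the vote thread before checking the binaries.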