www-legal-discuss mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Clarification on the release requirements
Date Thu, 30 Apr 2009 16:54:10 GMT

On Apr 30, 2009, at 9:18 AM, John Casey wrote:

> On Thu, Apr 30, 2009 at 9:50 AM, sebb <sebbaz@gmail.com> wrote:
>>
>> Even ignoring SVN deletions, an SVN tag+revision is still not
>> constant, as different OSes represent EOLs in different ways. These
>> differences can (and do) have an effect on the build output.
>>
>
> If this is true, then simply checking out the sources on one machine
> and archiving them may mean that the sources will produce different
> (flawed?) results when unpacked and built on another machine. So in
> the case you mention, the signed source archive is no guarantee that
> the build would be reproducible. With a verified tag in SCM, at least
> we know that we have the opportunity to research the history on any
> particular piece of code, in the event we did uncover a flaw in the
> release after the fact. This isn't just theoretical, either; I use
> this history, along with the debug information in the binaries we
> produce, to trace through Maven all the time in search of bugs.
> Without a definite, direct link between SCM and binaries, this would
> be a _lot_ less dependable.

I completely agree.

To go out on a limb...

I wasn't aware until the last couple of days that the C-based projects
don't produce a copy of what's in svn as their source archive.  I've
been thinking about this situation and can't see any fundamental
difference between a C project including a generated configure script
(not from svn) and a Java project converting all the Java source to
Jasmin (basically "Java assembly language") and releasing that instead
of the Java files.  In both situations the resulting archive includes
stuff derived from svn that can be used to build working binaries.
While I don't think anyone would call a bunch of Jasmin files a
"source release" I don't see how something with a generated script can
be either.

IMO such an artifact with non-scm content is just as much a
"convenience binary" as a Java binary jar file and voting on it is
logically equivalent to voting on Java binaries.

thanks
david jencks
>
>
> Just my $0.02.
>
> -john
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
>

