www-legal-discuss mailing list archives

From Brian Fox <bri...@infinity.nu>
Subject Re: Clarification on the release requirements
Date Wed, 29 Apr 2009 13:51:57 GMT

Emmanuel Lecharny wrote:
>>> Anything that (essentially) matches the contents of svn and can be
>>> built to produce the other release artifacts is IMHO fine as a source
>>> release.
>> I agree and this is generally standard practice by SCM teams. It's
>> predicated on immutable tagging and the SCM being reliable. I can see why
>> Roy wants it done from the source archive here because we've never set up CVS
>> or SVN to follow SCM best practices and it's not uncommon for SVN to be out
>> for unacceptable periods of time. So I can see where Roy's methodology came
>> from. I've seen lots of diddled tags (though this is pretty much impossible
>> with mvn -B release:prepare release:perform) and SVN has been unavailable
>> more often than I would like to admit to the outside world.
> It's not only a problem of SVN not being available: there is no way
> you can guarantee that SVN hasn't been compromised if you base your
> build on a tag. OTOS, a source package can be signed, thus can't be
> compromised without being detected.
But if you produce and sign the source in the same action as producing 
the binaries, you are still signing the source that produced the binary.
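Brian's point, that the signed source archive should be the very thing the binaries are built from, as an added shell example that is not from the thread or from any Apache project; the toy build step, the directory layout and the manifest format are assumptions:

```shell
#!/bin/sh
# Package a source tree, build the binary from the packaged archive (not
# from the working tree or an SCM tag), and record both hashes in one
# manifest so a verifier of the binary can also verify which source
# produced it. The "build" (tr) step is a stand-in for a real build.
set -eu

# Produce src.tar.gz, build/app.bin and MANIFEST under $1 (a work dir).
make_release() {
    work=$1
    mkdir -p "$work/src" "$work/build"
    # Constructed sample "project": one source file the build transforms.
    printf 'hello from release\n' > "$work/src/main.txt"
    # Step 1: package the source tree. This archive is the signed artifact.
    tar -C "$work" -czf "$work/src.tar.gz" src
    # Step 2: build only from the archive, never from the checkout or tag.
    tar -C "$work/build" -xzf "$work/src.tar.gz"
    tr 'a-z' 'A-Z' < "$work/build/src/main.txt" > "$work/build/app.bin"
    # Step 3: one manifest binds source archive and binary together;
    # signing MANIFEST (e.g. a detached gpg signature) then covers both.
    (cd "$work" && sha256sum src.tar.gz build/app.bin > MANIFEST)
}

# Check the manifest, then rebuild from the archive and compare with the
# shipped binary. Returns 0 only if the archive still yields that binary.
verify_release() {
    work=$1
    (cd "$work" && sha256sum -c MANIFEST > /dev/null) || return 1
    rebuild=$(mktemp -d)
    tar -C "$rebuild" -xzf "$work/src.tar.gz"
    tr 'a-z' 'A-Z' < "$rebuild/src/main.txt" > "$rebuild/app.bin"
    if cmp -s "$rebuild/app.bin" "$work/build/app.bin"; then rc=0; else rc=1; fi
    rm -rf "$rebuild"
    return $rc
}
```

A binary that is replaced after the fact fails the manifest check, and a source archive that no longer reproduces the shipped binary fails the rebuild comparison.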
