www-legal-discuss mailing list archives

From Brian Fox <bri...@infinity.nu>
Subject Re: Clarification on the release requirements
Date Wed, 29 Apr 2009 13:51:57 GMT


Emmanuel Lecharny wrote:
>>> Anything that (essentially) matches the contents of svn and can be
>>> built to produce the other release artifacts is IMHO fine as a source
>>> release.
>>
>> I agree and this is generally standard practice by SCM teams. It's
>> predicated on immutable tagging and the SCM being reliable. I can see why
>> Roy wants it done from the source archive here because we've never set up CVS
>> or SVN to follow SCM best practices and it's not uncommon for SVN to be out
>> for unacceptable periods of time. So I can see where Roy's methodology came
>> from. I've seen lots of diddled tags (though this is pretty much impossible
>> with mvn -B release:prepare release:perform) and SVN has been unavailable
>> more often than I would like to admit to the outside world.
>
> It's not only a problem of SVN not being available: there is no way
> you can guarantee that SVN hasn't been compromised if you base your
> build on a tag. OTOS, a source package can be signed, thus can't be
> compromised without being detected.
>
But if you produce and sign the source in the same action as producing
the binaries, you are still signing the source that produced the binary.
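As an added example that is not from this thread or from Apache's own release tooling: a single release step that builds from the source archive and signs one manifest binding the source digest to the binary digest, plus a downstream verifier that rebuilds from the signed source. The in-memory tar archive, the toy build function and the HMAC signature are constructed stand-ins; a real release would use the project's build and a detached PGP signature.

```python
import hashlib
import hmac
import io
import json
import tarfile

SRC_PATH = "project-1.0/hello.c"  # constructed sample file inside the archive

def make_source_archive(contents: bytes) -> bytes:
    """Build a deterministic in-memory tar 'source release' holding one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(SRC_PATH)
        info.size = len(contents)
        tar.addfile(info, io.BytesIO(contents))
    return buf.getvalue()

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build(source_archive: bytes) -> bytes:
    """Stand-in for the real build: derive the 'binary' from the archive contents only."""
    with tarfile.open(fileobj=io.BytesIO(source_archive), mode="r") as tar:
        src = tar.extractfile(SRC_PATH).read()
    return b"BIN:" + src.upper()

def release(source_archive: bytes, signing_key: bytes) -> dict:
    """One action: build from the source archive, then sign a manifest that binds
    the source digest to the binary digest (HMAC stands in for a PGP signature)."""
    binary = build(source_archive)
    manifest = {"source_sha256": sha256(source_archive), "binary_sha256": sha256(binary)}
    payload = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(signing_key, payload, "sha256").hexdigest()
    return {"manifest": manifest, "signature": sig, "binary": binary}

def verify(rel: dict, source_archive: bytes, signing_key: bytes) -> bool:
    """Downstream check: signature valid, the archive is the signed source, and
    the signed binary is what that source actually builds to."""
    payload = json.dumps(rel["manifest"], sort_keys=True).encode()
    expected = hmac.new(signing_key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, rel["signature"]):
        return False  # manifest altered or not signed by the release key
    if sha256(source_archive) != rel["manifest"]["source_sha256"]:
        return False  # a different source tree was substituted
    if sha256(rel["binary"]) != rel["manifest"]["binary_sha256"]:
        return False  # shipped binary does not match the signed digest
    return sha256(build(source_archive)) == rel["manifest"]["binary_sha256"]
```

Because the manifest covers both digests in one signature, a substituted source archive or a binary that did not come from the signed source fails the same check.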
