www-legal-discuss mailing list archives

From Jason van Zyl <jvan...@sonatype.com>
Subject Re: Clarification on the release requirements
Date Thu, 30 Apr 2009 17:45:23 GMT

On 30-Apr-09, at 10:07 AM, sebb wrote:

> I think the point is that we want our customers/users to be able to
> download the source and that they should have confidence that the
> source archive has the correct contents. This means that the vote must
> be on the signed source archive.
>

Without question the single most popular form of building from source
in Java projects is not from source archives. In Maven all our users
always try and build from tags.

> Users are for the most part not interested in SCM, and should
> certainly not be forced to install a particular SCM merely to use the
> source archive.
>

Sorry, but that's just not the case with our users, so I think we have
fundamentally different kinds of users between our project types.

So, I echo what people have said in that we need a base set of
requirements and the nature of projects and what our users want may
mean different processes in different projects. If legal requirements
are met, and users in the communities are happy with the way they have
to reproduce a build then everyone can do what's optimal.

> On 30/04/2009, John Casey <casey.john.d@gmail.com> wrote:
>> On Thu, Apr 30, 2009 at 9:50 AM, sebb <sebbaz@gmail.com> wrote:
>>>
>>> Even ignoring SVN deletions, an SVN tag+revision is still not
>>> constant, as different OSes represent EOLs in different ways. These
>>> differences can (and do) have an effect on the build output.
>>>
>>
>>
>> If this is true, then simply checking out the sources on one machine
>> and archiving them may mean that the sources will produce different
>> (flawed?) results when unpacked and built on another machine. So in
>> the case you mention, the signed source archive is no guarantee that
>> the build would be reproducible. With a verified tag in SCM, at least
>> we know that we have the opportunity to research the history on any
>> particular piece of code, in the event we did uncover a flaw in the
>> release after the fact. This isn't just theoretical, either; I use
>> this history, along with the debug information in the binaries we
>> produce, to trace through Maven all the time in search of bugs.
>> Without a definite, direct link between SCM and binaries, this would
>> be a _lot_ less dependable.
>>
>> Just my $0.02.
>>
>>
>> -john
>>
>>
>

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
http://twitter.com/jvanzyl
http://twitter.com/SonatypeNexus
http://twitter.com/SonatypeM2E
----------------------------------------------------------

In short, man creates for himself a new religion of a rational
and technical order to justify his work and to be justified in it.

   -- Jacques Ellul, The Technological Society


---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

