www-legal-discuss mailing list archives

From Emmanuel Lecharny <elecha...@apache.org>
Subject Re: Clarification on the release requirements
Date Wed, 29 Apr 2009 14:32:36 GMT
>> True, but we are not talking about a glimpse here. It's much more
>> about 72 hours, during which all the PMCs will svn co the tag, build
>> the release, and +1 it. In the meantime, the code base might have
>> been compromised. Not likely, but possible.
> We never do that, for just that reason. We produce both; if something is wrong
> we throw both away and start over.

You are assuming the RM is the only one who creates both packages, and
all the other PMCs just validate the packages. This is not a very common
use case.

Typically, that leads to serious problems. For instance, last week, we
tried to release a version of Apache Directory. If the RM had been the only
one to generate the packages, then we would have missed a serious
build issue on some faster machine. Thus we usually check out the
code and validate the build, before validating the package once
everyone agrees that the release is ready.

You will reply that once this first phase (i.e., checking that the build is
ok) is done, the RM can then produce the signed source tarball and
the signed release, but in this case, I think that you rely on the RM
only, not the PMCs, because you have no way to check that the source
tarball is the one used to produce the binaries. I know we trust the
RM, but I see where it can be seen as a breach in the process.

More commonly, I think that the build should be done based on the
signed sources, not from SVN.

Emmanuel Lécharny

To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
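The check the message argues for, as an added example that is not code from this thread or from any Apache project: a voter verifies the detached PGP signature and the checksum of the source tarball, and only then unpacks and builds it, so the vote is cast on the signed sources and not on an svn checkout that could have changed since the tag. It assumes gpg (2.1 or newer), sha512sum and tar are on PATH; the key name, file names and file contents in demo() are constructed for the demo.

```shell
# Added example (not from the thread or any Apache project): verify a release
# candidate starting from the signed source tarball, not from an svn checkout.
# Assumes gpg >= 2.1, sha512sum and tar. Names and contents in demo() are constructed.
set -eu

# verify_release DIR NAME KEYRING
#   DIR holds NAME, NAME.asc (detached PGP signature) and NAME.sha512.
#   KEYRING is a GNUPGHOME directory that already holds the RM's public key.
#   Succeeds only if both the signature and the checksum verify.
verify_release() {
  dir=$1; name=$2; keyring=$3
  GNUPGHOME="$keyring" gpg --batch --quiet --verify "$dir/$name.asc" "$dir/$name" 2>/dev/null \
    || { echo "signature FAILED: $name" >&2; return 1; }
  ( cd "$dir" && sha512sum --check --quiet "$name.sha512" ) >/dev/null 2>&1 \
    || { echo "checksum FAILED: $name" >&2; return 1; }
  return 0
}

# build_from_verified DIR NAME KEYRING WORK
#   Unpacks the tarball into WORK only after verify_release succeeds, so whatever
#   is built afterwards is by construction the signed sources, not the svn tag.
build_from_verified() {
  dir=$1; name=$2; keyring=$3; work=$4
  verify_release "$dir" "$name" "$keyring" || return 1
  mkdir -p "$work"
  tar -xzf "$dir/$name" -C "$work"
  # the project's real build step (mvn, ant, ...) would run here inside "$work"
  return 0
}

# demo: creates a throwaway signing key and a tiny constructed "release", signs
# it, then shows that the untouched tarball passes and a modified one is
# rejected. Prints one summary line.
demo() {
  tmp=$(mktemp -d)
  keyring="$tmp/gnupg"; mkdir -p "$keyring"; chmod 700 "$keyring"
  rel="$tmp/release"; mkdir -p "$rel"
  name="apacheds-demo-1.0-src.tar.gz"     # constructed file name

  # throwaway RM key without passphrase (demo only; a real RM key lives elsewhere)
  GNUPGHOME="$keyring" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo RM <rm@example.invalid>' ed25519 sign never 2>/dev/null

  # constructed source tree -> tarball -> detached signature -> checksum
  mkdir -p "$tmp/src/apacheds-demo-1.0"
  echo 'constructed source file' > "$tmp/src/apacheds-demo-1.0/README"
  tar -czf "$rel/$name" -C "$tmp/src" apacheds-demo-1.0
  GNUPGHOME="$keyring" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$rel/$name.asc" "$rel/$name" 2>/dev/null
  ( cd "$rel" && sha512sum "$name" > "$name.sha512" )

  if build_from_verified "$rel" "$name" "$keyring" "$tmp/build"; then good=ok; else good=fail; fi

  # simulate "the code base changed between tag and vote": one byte appended
  printf 'x' >> "$rel/$name"
  if build_from_verified "$rel" "$name" "$keyring" "$tmp/build2"; then tampered=accepted; else tampered=rejected; fi

  GNUPGHOME="$keyring" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$tmp"
  echo "good=$good tampered=$tampered"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh verify-release.sh demo` to see both cases. The point of splitting verify_release from build_from_verified is that every voter runs the same check against the same artifact the RM signed: if the build succeeds from that tarball, the tarball and the binaries are tied together by the signature rather than by trust in the RM's working copy.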
