www-legal-discuss mailing list archives

From Mark Struberg <strub...@yahoo.de>
Subject Re: Stage a Maven Repository with Signed Artifacts to qualify a Release Vote
Date Fri, 24 Dec 2010 21:30:28 GMT
Hi Senaka!

I think exactly the opposite is correct: the old release practice was not perfect and the
new one fits much better.

One person ('build-manager') of a project creates the sources tar.gz (+ optionally the binaries)
and signs them. Then those _signed_ packages get checked and are voted upon. If the vote passes,
_exactly_ those packages must be released.

In other words: the hash code of the packages which get voted on ideally must not change!

The process which we have now in the current apache-parent (staging via nexus) reflects this
much better than any other. Please remember that a SVN tag is _not_ immutable! Thus in the
old process one could never be sure that exactly the sources which got voted on are identical
to the final release.

LieGrue,
strub 

--- On Fri, 12/24/10, Senaka Fernando <senaka@apache.org> wrote:

From: Senaka Fernando <senaka@apache.org>
Subject: Re: Stage a Maven Repository with Signed Artifacts to qualify a Release Vote
To: legal-discuss@apache.org
Date: Friday, December 24, 2010, 9:09 PM

Hi Ralph,

Sorry if the list was wrong. But my intention was to understand the legal requirements, should
there be any. A practice can be followed, but something that's legally required must be followed.

Yes, you are correct about the release plugin. But, normally a release is done in a single go
once a vote has been approved; and you should not need to host a temporary Maven repo to get
a vote (for a release) passed (since that repo will never be the final destination). My concerns
are based on a discussion at [1].

[1] http://markmail.org/thread/n3z5kapk2fykn7rm

Thanks,
Senaka.

On Fri, Dec 24, 2010 at 10:13 PM, Ralph Goers <ralph.goers@dslextreme.com> wrote:

On Dec 24, 2010, at 7:31 AM, Senaka Fernando wrote:

> Hi all,
>
> Normally, it has been a practice to sign release artifacts (binary, source, and documentation
> downloads), to qualify a release vote. However, we have not been staging Maven repositories
> (this only applies to projects that use a Maven-based build system) with signed artifacts
> in order to qualify a release vote in the past. So far, we only sign the artifacts on the
> public Maven repositories when those are deployed.
>
> But, has this practice changed over time, along with the recent changes to the release
> process?
>
> Thanks,
> Senaka.

I'm not sure why this is on legal discuss, but I believe the release plugin signs the artifacts
as it deploys them to the ASF staging repository.

Ralph

---------------------------------------------------------------------

To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org

For additional commands, e-mail: legal-discuss-help@apache.org

-- 
Senaka Fernando
Member; Apache Software Foundation; http://apache.org
Associate Technical Lead & Product Manager - WSO2 G-Reg;
WSO2, Inc.; http://wso2.com
E-mail: senaka AT apache.org
P: +94 11 223 2481; M: +94 77 322 1818
Linked-In: http://www.linkedin.com/in/senakafernando
Blog: http://senakafdo.blogspot.com
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
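The point made at the top of this thread, that the packages which were voted on must be byte-for-byte the packages that get released, is easy to enforce mechanically: record the digest of each voted package, and refuse to publish anything whose digest differs. The script below is an added example written for this archive page; it is not code from the ASF release tooling or from any of the posters. Package names and contents are constructed sample data, and `signature_is_valid` assumes the `gpg` command line tool is installed and the signer's public key is already in the keyring.

```python
"""Added example: pin the SHA-512 of the packages put up for vote and re-check
them at release time, so the bytes that were voted on are the bytes shipped."""
from __future__ import annotations

import hashlib
import subprocess
from pathlib import Path


def sha512_hex(data: bytes) -> str:
    """SHA-512 of a package's bytes (the digest a vote mail would quote)."""
    return hashlib.sha512(data).hexdigest()


def record_vote_manifest(packages: dict[str, bytes]) -> dict[str, str]:
    """Capture name -> SHA-512 for exactly the set of packages being voted on."""
    return {name: sha512_hex(data) for name, data in packages.items()}


def verify_release_set(packages: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    """Compare the packages about to be released with the voted manifest.

    Returns a list of problems; an empty list means the release set is
    byte-for-byte the voted set. Three failure modes are reported: a package
    whose bytes changed after the vote (e.g. rebuilt from a tag that moved),
    a package added without a vote, and a voted package missing from the release.
    """
    problems = []
    for name, data in packages.items():
        if name not in manifest:
            problems.append(f"{name}: not part of the voted set")
        elif sha512_hex(data) != manifest[name]:
            problems.append(f"{name}: digest changed since the vote")
    for name in manifest:
        if name not in packages:
            problems.append(f"{name}: voted package missing from the release")
    return problems


def load_packages(paths) -> dict[str, bytes]:
    """Read on-disk packages into the name -> bytes mapping the checks above use."""
    return {Path(p).name: Path(p).read_bytes() for p in paths}


def signature_is_valid(package: Path, detached_sig: Path) -> bool:
    """Check the build manager's detached signature with the gpg CLI.

    Assumption: gpg is installed and the signer's public key is in the keyring.
    A digest match says the bytes are unchanged; the signature says who built them.
    """
    result = subprocess.run(["gpg", "--verify", str(detached_sig), str(package)],
                            capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed sample data standing in for the source and binary tarballs.
    voted = {"foo-1.0-source.tar.gz": b"source bytes as voted",
             "foo-1.0-bin.tar.gz": b"binary bytes as voted"}
    manifest = record_vote_manifest(voted)
    print("identical set:", verify_release_set(voted, manifest))
    rebuilt = dict(voted, **{"foo-1.0-source.tar.gz": b"source bytes after tag moved"})
    print("rebuilt source:", verify_release_set(rebuilt, manifest))
```

The manifest is what the vote thread should quote, and the release step should run `verify_release_set` against the files it is about to publish; a rebuild from a tag that has moved shows up as a digest mismatch rather than silently becoming the release.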