Return-Path: X-Original-To: apmail-legal-discuss-archive@www.apache.org Delivered-To: apmail-legal-discuss-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id A1448111DB for ; Fri, 23 May 2014 19:23:41 +0000 (UTC) Received: (qmail 29452 invoked by uid 500); 23 May 2014 19:23:41 -0000 Delivered-To: apmail-legal-discuss-archive@apache.org Received: (qmail 29244 invoked by uid 500); 23 May 2014 19:23:41 -0000 Mailing-List: contact legal-discuss-help@apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: Reply-To: legal-discuss@apache.org List-Id: Delivered-To: mailing list legal-discuss@apache.org Received: (qmail 29237 invoked by uid 99); 23 May 2014 19:23:41 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 23 May 2014 19:23:41 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=RCVD_IN_DNSWL_NONE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy includes SPF record at spf.trusted-forwarder.org) Received: from [76.96.30.96] (HELO qmta09.emeryville.ca.mail.comcast.net) (76.96.30.96) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 23 May 2014 19:23:36 +0000 Received: from omta17.emeryville.ca.mail.comcast.net ([76.96.30.73]) by qmta09.emeryville.ca.mail.comcast.net with comcast id 5XAH1o0021afHeLA9XPGtR; Fri, 23 May 2014 19:23:16 +0000 Received: from [192.168.199.10] ([69.251.80.74]) by omta17.emeryville.ca.mail.comcast.net with comcast id 5XPD1o00X1cCKD98dXPEPh; Fri, 23 May 2014 19:23:16 +0000 Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\)) Subject: Re: Release Policy From: Jim Jagielski In-Reply-To: Date: Fri, 23 May 2014 15:23:12 -0400 Content-Transfer-Encoding: quoted-printable Message-Id: <965E0CDD-728F-494A-AECB-518F60BE0E66@jaguNET.com> References: <1400784905.88428.YahooMailNeo@web28903.mail.ir2.yahoo.com> <1400790465.3527.YahooMailNeo@web28902.mail.ir2.yahoo.com> <537E5ED4.4010209@apache.org> <1400792669.96132.YahooMailNeo@web28902.mail.ir2.yahoo.com> <1400820943.12576.YahooMailNeo@web28901.mail.ir2.yahoo.com> <2C3CDF92-FD51-4932-8A1F-69188FEC2F4B@jaguNET.com> To: legal-discuss@apache.org X-Mailer: Apple Mail (2.1878.2) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1400872996; bh=dlYsGaaoBCL2epwohdNrsK8/LqDNnQUMVTn7+UT/qTk=; h=Received:Received:Content-Type:Mime-Version:Subject:From:Date: Message-Id:To; b=jjLEg9RalkvpOF86JAw4L5+wvOy4MrtSUYIsosQ8UiYZJ8F2sHL7LcuLpy63pa9Qf U1r8qOychoTQd/fyAUxk2Rxyec5IOyNKW0jofn0uJDsxmJoPFpyCvbFJBddShIaboC GmEwKJM9r58EGt8dtEQ5lytjmTO3Y1+ohKiJrwyyl6D+lUnH0WuUftIPVflqngJdia eqkaulcRFr4AS7W/iRN4EdojGo/RSa2OE7eN77j1rWfWvHPRMp9r3CZwTiLhOICMJj J8guKPADq6unVtLSy0kr/ExEc/wpL9dj8LhNxX1eaNmBtNWSoQ4srl4IK7BMx0GUBV JPZyqdjvAs5HQ== X-Virus-Checked: Checked by ClamAV on apache.org How nice. On May 23, 2014, at 3:14 PM, Joe Bowser wrote: >=20 > On May 23, 2014 11:47 AM, "Jim Jagielski" wrote: > > > > This was discussed, at length, both on various mailing > > lists as well as at the f2f rountable @ ApacheCon. > > >=20 > You are aware that people on this list didn't attend ApacheCon for = either personal or professional reasons? Not that I want to ever see you = personally given how miserable you are over e-mail. >=20 > > I am sorry if such clarification isn't enough for you, > > but, at the end of the day, that's your issue, not mine. > > You may disagree with it, and you are welcome to do so, > > but to claim that the justifications have been "meandering" > > is both inaccurate and self-serving. > > > > On May 23, 2014, at 2:33 PM, Brian LeRoux wrote: > > > > > Yes it is as JJ says as long as a vote happens the tools matter = not. Though why the vote has to happen is yet to be clarified other than = meandering justifications. > > > > > > On May 23, 2014 11:56 AM, "Alex Harui" wrote: > > > This current proposal no longer requires 72 hour voting. To me, = this > > > means that we could eventually automate releasing to the point = where the > > > CI prepares a set of packages with MD5 sums separately prepares a = report > > > of all new files and all files with changes to the headers. > > > > > > The RM then runs another tool that downloads the packages, = verifies the > > > MD5, signs with the PGP key (yes, the RM has to type in their = password) > > > and uploads it to the RC server. > > > > > > Then three folks run another tool that downloads the packages, = verifies > > > signatures, expands the source package, runs RAT, downloads an SCM = tag, > > > compares the source against the tag, runs the default ant or maven = target, > > > and prepares a report with the LICENSE and NOTICE files and = headers of new > > > files and changed headers and RAT output. > > > > > > As soon as three folks vote +1 and there are not more -1's, = another tool > > > is run to push it to the release server. > > > > > > Would this meet requirements and be acceptable? > > > > > > What if a machine did the downloading of packages, signature = verification, > > > RAT, SCM compare and build so the voters only need to review a = report > > > before voting. Would that also meet requirements and be = acceptable? > > > > > > Thanks, > > > -Alex > > > > > > On 5/23/14 8:43 AM, "Jim Jagielski" wrote: > > > > > > >People perform releases. They can use whatever tools > > > >they want, but at the end, the only validation check > > > >that really matters are those PMC members who test, > > > >validate and +1 the release. > > > > > > > >For example, let's say that there is a codebase that > > > >doesn't pass some test, but get's the required 3 +1s > > > >for release and the RM doesn't pull it. Even though > > > >according to the CI (or whatever) it's "not a release" > > > >(it failed), as far as the PMC and the ASF is concerned, > > > >it IS a release. > > > > > > > >Conversely, no matter what a CI may test, package and > > > >drop off somewhere, if it's not voted on, it's not > > > >a release. > > > > > > > >On May 23, 2014, at 11:33 AM, Brian LeRoux wrote: > > > > > > > >> C'mon Sebb. This is circular false logic. > > > >> > > > >> On May 23, 2014 10:29 AM, "sebb" wrote: > > > >> On 23 May 2014 16:01, Brian LeRoux wrote: > > > >> > @mark agree, there are many layers to the stated legal = perception and > > > >>indeed > > > >> > most other OSS projects do not require a VOTE. It was = communicated to > > > >>me > > > >> > that the VOTE specifically mitigated risk to the releasing = individual > > > >> > (publishing artifacts to ./dist). This, and human error, are > > > >>mitigated by > > > >> > not using humans to perform those actions susceptible to = human error. > > > >>That > > > >> > is the point of a CI system and automated builds. All the = actions of a > > > >> > release could be done by a machine and ensuring the policy = will allow > > > >>that > > > >> > is what I'm looking for. > > > >> > > > >> However, the CI and automated build systems are created by = fallible > > > >>humans. > > > >> > > > >> This is why it is important to ensure that the release vote = contains > > > >> sufficient details for an independent check of the source = release > > > >> contents against the SCM tag. > > > >> > > > >> > > > > >> > On Thu, May 22, 2014 at 11:55 PM, Mark Struberg = > > > >>wrote: > > > >> >> > > > >> >> Brian, we only specifically talked about whether we should = be > > > >>allowed to > > > >> >> give_intermediate_ build artifacts like nightly builds, etc = to > > > >>interested > > > >> >> people. I personally find it a bit too restrictive to not = allow to > > > >>publish > > > >> >> those for user testing. We (the foundation) already do this = via our > > > >> >> snapshots maven repos... > > > >> >> > > > >> >> And there are also different layers of 'legal'. There is no = law in > > > >>the US > > > >> >> nor otherwhere in the world who requires a VOTE before an = opensource > > > >> >> release. JBoss doesn't do it, Eclipse doesn't do it, etc. > > > >> >> > > > >> >> BUT: it is an ASF policy and thus binding for all our = projects to > > > >>VOTE on > > > >> >> releases. > > > >> >> And it is a really good one as it increases the technical = and legal > > > >> >> quality of our products! It's really a good thing to have = 10+ people > > > >>looking > > > >> >> at a release and e.g. discovering that a file has the wrong = license > > > >>and > > > >> >> should get removed again for example. And of course it helps > > > >>reducing the > > > >> >> risk from getting sued because we obviously try to minimize = human > > > >>errors. > > > >> >> > > > >> >> @Shane I'm not sure how many ASF members are subscribed to = the legal > > > >>list, > > > >> >> maybe it is enough if we just rise awareness. > > > >> >> > > > >> >> LieGrue, > > > >> >> strub > > > >> >> > > > >> >> > > > >> >> On Thursday, 22 May 2014, 23:19, Brian LeRoux = wrote: > > > >> >> > > > >> >> > > > >> >> > > > >> >> > > > >> >> > > > >> >> "But the point already got covered and answered dozens of = times imo. > > > >>The > > > >> >> answer is that the ALv2 protects the foundation and also the = release > > > >>manager > > > >> >> already for all bona fides cases. End of story." > > > >> >> > > > >> >> > > > >> >> Interesting for myself to note that it was communicated very > > > >>directly to > > > >> >> Cordova that this *was not* the case. Votes are a necessary > > > >>component for a > > > >> >> valid (aka legal) release. Also interesting for me to = discover in > > > >>this > > > >> >> thread that the release policy is not adhered to by all ASF > > > >>projects. We > > > >> >> were lead to believe the rules are immutable, all projects = obey > > > >>them. End of > > > >> >> story. > > > >> >> > > > >> >> I am dismayed to discover this is not the case and Cordova = was > > > >>singled > > > >> >> out. > > > >> >> > > > >> >> However, clarity here is a great starting to amending the = rules, and > > > >>I > > > >> >> recognize this effort is not forum for that. My perspective: = the > > > >>vote is a > > > >> >> SHOULD and most certainly SHA verifciation SHOULD be the job = of a > > > >>computer > > > >> >> (aka CI system) and not a human and I am very happy to hear = there is > > > >> >> precedent for this with other projects. > > > >> >> > > > >> >> > > > >> >> > > > >> >> > > > >> > > > > >> > > > >> = --------------------------------------------------------------------- > > > >> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org > > > >> For additional commands, e-mail: legal-discuss-help@apache.org > > > >> > > > > > > > > > > > = >--------------------------------------------------------------------- > > > >To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org > > > >For additional commands, e-mail: legal-discuss-help@apache.org > > > > > > > > > > > > > = --------------------------------------------------------------------- > > > To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org > > > For additional commands, e-mail: legal-discuss-help@apache.org > > > > > > > > > = --------------------------------------------------------------------- > > To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org > > For additional commands, e-mail: legal-discuss-help@apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org For additional commands, e-mail: legal-discuss-help@apache.org