Return-Path: X-Original-To: apmail-legal-discuss-archive@www.apache.org Delivered-To: apmail-legal-discuss-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id A395710678 for ; Fri, 30 May 2014 14:32:50 +0000 (UTC) Received: (qmail 96702 invoked by uid 500); 30 May 2014 14:32:50 -0000 Delivered-To: apmail-legal-discuss-archive@apache.org Received: (qmail 96543 invoked by uid 500); 30 May 2014 14:32:50 -0000 Mailing-List: contact legal-discuss-help@apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: Reply-To: legal-discuss@apache.org List-Id: Delivered-To: mailing list legal-discuss@apache.org Received: (qmail 96535 invoked by uid 99); 30 May 2014 14:32:50 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 30 May 2014 14:32:50 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of jukka.zitting@gmail.com designates 74.125.82.50 as permitted sender) Received: from [74.125.82.50] (HELO mail-wg0-f50.google.com) (74.125.82.50) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 30 May 2014 14:32:46 +0000 Received: by mail-wg0-f50.google.com with SMTP id x12so2059422wgg.33 for ; Fri, 30 May 2014 07:32:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=jZML0n/bBoNC9NARjIbtVbVkqc4CN7zq3yXDsuJ0kdE=; b=ud3ej/nZEf4YoUb+2rRt509VkNDP00D6eo3MB0vyZVe3Slcoa4bmDiLHDz4lrcCK54 cRao2TY7kX6jJOc8OPFm53/Sr9upNfQlYNtoylaP/1474yK45r6JA2YLAnLX7VrBfZX2 oRto0tRLNmdQyhkOL8ueFBza+m+cLGh8iLUJSKZe/g6lBce4ALjZ/ARyd1bOGv6CIbvt 543iQvUaNsMvizBWvMpRMeKS9fCv2KDcEvvx6k5BB7+OmMhLEYd5UawOIfNB3d7NOera yPzZ6rx2D/Zakir9fybD9sOvY4Bf5C1VO11eYE09jB83U+ak5OCvT43WIVKG+kDQSvET ib9Q== X-Received: by 10.194.8.6 with SMTP id n6mr6162604wja.31.1401460343207; Fri, 30 May 2014 07:32:23 -0700 (PDT) MIME-Version: 1.0 Received: by 10.180.187.109 with HTTP; Fri, 30 May 2014 07:32:03 -0700 (PDT) In-Reply-To: References: From: Jukka Zitting Date: Fri, 30 May 2014 10:32:03 -0400 Message-ID: Subject: Re: Continuous release review To: Legal Discuss Content-Type: text/plain; charset=ISO-8859-1 X-Virus-Checked: Checked by ClamAV on apache.org Hi, Let me try to refocus this discussion. First of all, I'm not trying to argue that projects should be free to ignore or replace parts of existing policy, they shouldn't. Instead I'm looking for ways to *change* the policy to enable new ways to make releases. Second, I think we all agree that underlying goals (legal, social, technical, etc.) of the current policy are sound and shouldn't be abandoned. I only question the specific mechanisms we currently use to meet those goals. If there are alternative ways of meeting the same goals, shouldn't we consider adjusting the policy to allow such mechanisms if projects would like to use them? Finally, I believe there's an opening for us to allow radically new ways of cutting releases without abandoning any of those goals. I'll explain: On Wed, May 28, 2014 at 11:32 AM, Jukka Zitting wrote: > Thus I question the focus we're putting on the release as the point > where all this review is supposed happens. Instead I'd rather see this > becoming more of an ongoing task to be done at the level of each > commit or push, with the release review more just a final confirmation > that such a process has been followed. For the sake of the argument, assume that a project adopts a strict RTC policy where each commit is reviewed and voted on not just for it's technical content but also as if a new release was cut from that point. An audit trail of the review results and all votes cast are stored in each commit message. The project would then, after reaching consensus that it's time to release, just tag the release and have a build server take care of automatically verifying the audit trail and then packaging, signing, building, testing and deploying the release. There would be no manual review of the release package itself and no need for the "72 hours" or "3 +1s" rules, as all those things would already have been taken care of earlier in the process. Or as a simpler alternative, assume a project that identifies a specific revision as a release candidate and runs a normal release review and vote against that revision instead of a pre-built release candidate. If the vote passes, the revision would be tagged and a build server would again take care of verifying the vote results and then packaging, signing, building, testing and deploying the release. Such a process could even produce "official" binary packages, as there would be no need to double-guess what actually went into building those packages. How would such imaginary processes produce releases that are any worse than those governed by current policy? Are there any legal, social or other aspects that such processes would fail to address as well as we now do? BR, Jukka Zitting --------------------------------------------------------------------- To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org For additional commands, e-mail: legal-discuss-help@apache.org