From: Emmanuel Lécharny
Date: Mon, 02 Jun 2014 22:51:42 +0200
To: legal-discuss@apache.org
Subject: Re: Continuous release review

On 02/06/2014 22:37, Jukka Zitting wrote:
> Hi,
>
> On Mon, Jun 2, 2014 at 12:43 PM, Emmanuel Lécharny wrote:
>> On 02/06/2014 17:18, Jukka Zitting wrote:
>>> For example, if you review and vote on releasing a specific revision
>>> in the SCM, what's the added benefit of repeating the process on the
>>> source bundle produced from that revision?
>> AFAIU, there are two different things. As the bundle is produced by an
>> automated tool (can be the maven packaging phase), the result can be
>> *very* different from what we get when pulling the revision from the
>> repository.
> I personally don't see any compelling reasons why a source release
> should be anything more than a packaged export of a tag, and some very
> good reasons (like the ability to verify that the sources
> actually came from the scm) for why it should be just that. But I
> recognize that others disagree.

I don't disagree. The thing is that most of the Java projects are depending on Maven to generate the jar, which should be the same as what you get when doing a svn co/git clone followed by a tar cvf. Except that if you have made a mistake when configuring maven, you may end up with a difference. Been there... Checking both should mitigate this risk.

>
> Anyway, this doesn't affect my main premise. As long as there is a
> deterministic process that produces the source bundle from a given scm
> revision (or revisions) and the steps of verifying the correctness and
> quality of that bundle can be automated (given the assumption that the
> correctness and quality of original source has already been reviewed),
> from the "policy invariant" perspective there should be little
> difference in whether the manual review is done on the input or the
> output of the process.

+1
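
The check discussed in this message, comparing the build-generated source bundle against an export of the SCM revision, can be automated by comparing per-file hashes. The following is an added example, not part of the original message or of any Apache project's tooling; the archive names and contents are constructed, and `manifest`, `compare` and `make_tar` are hypothetical helpers.

```python
import hashlib
import io
import tarfile


def manifest(tar_bytes, strip_components=1):
    """Map each regular file's path (top-level dir stripped) to its SHA-256."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            parts = member.name.split("/")[strip_components:]
            if not member.isfile() or not parts:
                continue
            data = tar.extractfile(member).read()
            result["/".join(parts)] = hashlib.sha256(data).hexdigest()
    return result


def compare(scm_export, source_bundle):
    """Return files missing from, added to, or changed in the bundle."""
    scm, bundle = manifest(scm_export), manifest(source_bundle)
    return {
        "missing": sorted(scm.keys() - bundle.keys()),
        "added": sorted(bundle.keys() - scm.keys()),
        "changed": sorted(p for p in scm.keys() & bundle.keys() if scm[p] != bundle[p]),
    }


def make_tar(root, files):
    """Build a constructed in-memory tarball standing in for a real archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(f"{root}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data: a tag export and a bundle from a misconfigured build.
TAG_EXPORT = make_tar("project-1.0", {
    "pom.xml": b"<project/>", "LICENSE": b"Apache-2.0", "src/Main.java": b"class Main {}"})
BUNDLE = make_tar("project-1.0-src", {
    "pom.xml": b"<project/>", "src/Main.java": b"class Main { }", "target/gen.txt": b"x"})

if __name__ == "__main__":
    for kind, paths in compare(TAG_EXPORT, BUNDLE).items():
        print(kind, paths)
```

Comparing content hashes by relative path ignores timestamps, ownership and the archive's top-level directory name, so only real differences in the file set or file contents are reported.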