incubator-general mailing list archives

From sebb <>
Subject Re: [VOTE] Apache Drill 0.6.0-incubating release
Date Tue, 14 Oct 2014 11:34:30 GMT
On 13 October 2014 15:30, Bertrand Delacretaz <> wrote:
> On Mon, Oct 13, 2014 at 4:14 PM, Julian Hyde <> wrote:
>> For many projects, especially "library" projects, the "convenient binaries" that matter most these
>> days are the jars (source, binary, and javadoc) that are deployed to the maven repo...
>> ...Are these jars subjected to due diligence during the release vote?...
> In projects where I'm active there's reasonable due diligence as the
> build processes are automated in a way that allows you to trust the
> build if that's done by someone that you trust.

Automated processes can produce incorrect output, even if applied
correctly by experienced RMs.
The packaging can pick up extraneous files (or omit them).
[I have seen this happen on at least two projects.]

So it is still important that the tarball contents are checked.

> That being said, we don't make any guarantees about those jars, so in
> the end users can either choose to trust the build and distribution
> process, or build the required jars themselves from a trusted source.

I think we do guarantee that the jars we provide are ALv2 licensed (at
least implicitly, if not explicitly).

> In the case of Maven, the ASF doesn't control the distribution
> process, so it's not a safe channel without signatures or trusted
> digests, and I don't think Maven allows for those at the moment. So
> even the best due diligence wouldn't really help for these binaries.
> -Bertrand

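The check sebb asks for above (that the tarball's contents are what the release is supposed to contain, with nothing picked up and nothing dropped) can be scripted. The block below is an added example and is not code from the thread, from the Drill project or from any ASF release tooling. It assumes a plain-text manifest of expected paths (one per line, as produced e.g. by listing a clean source checkout), and it constructs its own small "release" tarball and manifest in a temp directory, with one extraneous build artifact and one omitted NOTICE file, so that it runs offline. Names such as example-1.0, build.log and check_tarball are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original thread or of any ASF release process.
# Compares the file list inside a release tarball against an expected manifest
# and reports files that the packaging picked up or omitted.
set -u
export LC_ALL=C   # fixed collation so sort and comm agree

# check_tarball TARBALL MANIFEST
# Prints "EXTRA <path>" for entries in the tarball but not in the manifest and
# "MISSING <path>" for entries in the manifest but not in the tarball.
# Returns 0 when the two lists match exactly, 1 otherwise.
check_tarball() {
    tarball=$1
    manifest=$2
    tmp_actual=$(mktemp)
    tmp_expected=$(mktemp)
    # tar lists directories with a trailing slash; normalise both sides the same way.
    tar -tzf "$tarball" | sed 's#/$##' | grep -v '^$' | sort -u > "$tmp_actual"
    sed 's#/$##' "$manifest" | grep -v '^$' | sort -u > "$tmp_expected"
    extra=$(comm -23 "$tmp_actual" "$tmp_expected")     # only in the tarball
    missing=$(comm -13 "$tmp_actual" "$tmp_expected")   # only in the manifest
    rm -f "$tmp_actual" "$tmp_expected"
    status=0
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/EXTRA /'
        status=1
    fi
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/MISSING /'
        status=1
    fi
    return $status
}

# make_fixture: builds a constructed (hypothetical) release tarball and manifest
# in a fresh temp dir and prints the dir. The tarball contains a stray build.log
# that should not ship, and lacks the NOTICE file the manifest expects.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src/example-1.0"
    printf 'Apache License 2.0\n' > "$dir/src/example-1.0/LICENSE"
    printf '<project/>\n'         > "$dir/src/example-1.0/pom.xml"
    printf 'scratch output\n'     > "$dir/src/example-1.0/build.log"   # extraneous
    (cd "$dir/src" && tar -czf "$dir/release.tar.gz" example-1.0)
    printf '%s\n' \
        'example-1.0' \
        'example-1.0/LICENSE' \
        'example-1.0/NOTICE' \
        'example-1.0/pom.xml' > "$dir/manifest.txt"
    echo "$dir"
}

# Demo on the constructed fixture: a non-zero exit is the expected finding here.
fixture=$(make_fixture)
check_tarball "$fixture/release.tar.gz" "$fixture/manifest.txt" \
    || echo "release tarball differs from manifest (see EXTRA/MISSING lines above)"
rm -rf "$fixture"
```

In practice the manifest would be generated from the tagged source tree (for example `git ls-files` at the release tag, plus the top-level directory name), and the script would run against the downloaded tarball after its GPG signature and published digest have been verified, since a listing check says nothing about who produced the archive.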
