incubator-general mailing list archives

From Justin Mclean <>
Subject Re: Publishing Maven artifacts under third-party coordinates (was: Set up Nexus staging profile for Dubbo ...)
Date Fri, 11 May 2018 04:15:58 GMT

> There is NO WAY to verify a binary. Even compiling from source to binary on
> your machine, and trying to compare against a target binary will generally
> fail since timestamps are embedded. Or maybe there are different compilers
> being used.

As per ASF policy a convenience binary can be released at the same time [1] and it needs to
comply with license and notice policy [2].

It is usually very easy to check a binary (and I’ve done it 100’s of times) by uncompressing
the jar or just editing it directly to see what is bundled inside it.
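
An added example, not part of the original message or of any ASF tooling: a Python sketch of the jar inspection discussed above, showing that two jars built at different times differ byte-for-byte while their uncompressed entries can still be compared and checked for bundled files. The entry names, the `META-INF/LICENSE` and `META-INF/NOTICE` locations, and all sample bytes are constructed assumptions; timestamps embedded inside a file's own content are not neutralised by this check.

```python
import hashlib
import io
import zipfile

def build_jar(entries, date_time):
    """Build an in-memory jar whose entries all carry the given mtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()

def entry_digests(jar_bytes):
    """Map entry name -> SHA-256 of its uncompressed content (mtime ignored)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: hashlib.sha256(jar.read(i)).hexdigest()
                for i in jar.infolist() if not i.is_dir()}

def diff_entries(jar_a, jar_b):
    """Names whose content differs, or that exist in only one of the jars."""
    da, db = entry_digests(jar_a), entry_digests(jar_b)
    return sorted(n for n in da.keys() | db.keys() if da.get(n) != db.get(n))

def missing_legal_files(jar_bytes,
                        required=("META-INF/LICENSE", "META-INF/NOTICE")):
    """Return the expected legal files (assumed paths) absent from the jar."""
    names = set(entry_digests(jar_bytes))
    return [r for r in required if r not in names]

# Constructed sample contents; none of this comes from a real release.
BASE = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/LICENSE": b"Constructed license placeholder\n",
    "META-INF/NOTICE": b"Constructed notice placeholder\n",
    "org/example/App.class": b"\xca\xfe\xba\xbe constructed bytes",
}
JAR_A = build_jar(BASE, (2018, 5, 10, 12, 0, 0))   # "release" build
JAR_B = build_jar(BASE, (2018, 5, 11, 4, 15, 58))  # local rebuild, later mtime
BUNDLED = {k: v for k, v in BASE.items() if k != "META-INF/NOTICE"}
BUNDLED["com/thirdparty/Util.class"] = b"\xca\xfe\xba\xbe other constructed bytes"
JAR_C = build_jar(BUNDLED, (2018, 5, 11, 4, 15, 58))  # extra class, no NOTICE

if __name__ == "__main__":
    print("raw bytes equal:", JAR_A == JAR_B)
    print("entry differences A vs B:", diff_entries(JAR_A, JAR_B))
    print("entry differences A vs C:", diff_entries(JAR_A, JAR_C))
    print("missing legal files in C:", missing_legal_files(JAR_C))
```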

