incubator-general mailing list archives

From Roman Shaposhnik <>
Subject Re: Publishing Maven artifacts under third-party coordinates (was: Set up Nexus staging profile for Dubbo ...)
Date Thu, 10 May 2018 15:20:29 GMT
On Thu, May 10, 2018 at 4:17 AM, sebb <> wrote:
> On 10 May 2018 at 11:37, Greg Stein <> wrote:
>> On Thu, May 10, 2018 at 3:31 AM, Huxing Zhang <> wrote:
>>> Hi,
>>> On Thu, May 10, 2018 at 3:59 PM, Willem Jiang <>
>>> wrote:
>>> > Is there any plan for going through the vote process of Binary file?
>>> Yes, binaries will also go through the vote process.
>> No. It makes no sense.
>> There is NO WAY to verify a binary. Even compiling from source to binary on
>> your machine, and trying to compare against a target binary will generally
>> fail since timestamps are embedded. Or maybe there are different compilers
>> being used.
>> The Foundation *never* votes on binaries, because the Foundation DOES NOT
>> RELEASE BINARIES. The Foundation only votes/authorizes/releases source
>> code. REPEAT: only source code.
>> Only source. Which is verifiable. Which has provenance.
> The LICENCE and NOTICE files that accompany the binary artifact are
> text, and IMO should be checked against the contents of the binary
> artifact.
> For example, if the binary bundles jars from other projects, the L&N
> need to agree with the bundled contents.

+1000! That has been a well established practice in the Incubator and
as such I see no reason not to keep following it.

In addition to that, a reasonable effort should be put into making sure
that the binary bundle doesn't drag in bits with incompatible licenses
(such as GPL). That's why verifying LICENSE in the binary bundle
is NOT a simple exercise of comparing it to the source bundle.
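As an added example (not part of this thread, and not an ASF tool), a small Python check in the spirit of sebb's and Roman's points: it lists the jars bundled in a binary distribution, flags any not mentioned in LICENSE/NOTICE, and flags the case where the binary bundle's LICENSE is byte-identical to the source bundle's one even though third-party jars are bundled. The sample bundle, artifact names and versions are constructed.

```python
import io
import re
import zipfile

# Constructed sample: the LICENSE of the hypothetical source bundle.
SOURCE_LICENSE = "Apache License, Version 2.0\n"


def build_sample_binary_bundle() -> bytes:
    """Constructed binary distribution: two bundled jars, a LICENSE copied
    verbatim from the source bundle, and a NOTICE naming only one jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dist/LICENSE", SOURCE_LICENSE)
        zf.writestr("dist/NOTICE", "This product bundles foo 1.2 (Apache-2.0).\n")
        zf.writestr("dist/lib/foo-1.2.jar", b"stub")   # stand-in jar bytes
        zf.writestr("dist/lib/bar-3.0.jar", b"stub")   # stand-in jar bytes
    return buf.getvalue()


# artifactId-version.jar, e.g. foo-1.2.jar -> ("foo", "1.2")
JAR_RE = re.compile(r"^([A-Za-z0-9_.-]+?)-(\d[\w.]*)\.jar$")


def check_bundle(bundle: bytes, source_license: str) -> dict:
    """Compare bundled jars against the L&N text shipped in the same bundle."""
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        names = zf.namelist()

        def read(basename: str) -> str:
            for n in names:
                if n.split("/")[-1] == basename:
                    return zf.read(n).decode("utf-8", "replace")
            return ""

        license_text = read("LICENSE")
        ln_text = (license_text + read("NOTICE")).lower()
        bundled = [m.groups() for m in (JAR_RE.match(n.split("/")[-1]) for n in names) if m]
    # Crude substring match on the artifactId; short names (e.g. "log") will
    # need a stricter check in practice, but it catches the common omission.
    unmentioned = [f"{a}-{v}" for a, v in bundled if a.lower() not in ln_text]
    return {
        "bundled": [f"{a}-{v}" for a, v in bundled],
        "unmentioned": unmentioned,
        # A verbatim copy of the source LICENSE cannot cover bundled jars.
        "license_identical_to_source": bool(bundled) and license_text == source_license,
    }


if __name__ == "__main__":
    print(check_bundle(build_sample_binary_bundle(), SOURCE_LICENSE))
```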

