incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Julian Hyde <jh...@apache.org>
Subject Re: How to review so-called "binary releases"?
Date Wed, 14 Nov 2018 19:33:55 GMT
The question with which I started this discussion has not been
answered. Given that a collection of artifacts is up for a vote, and
those artifacts are a mixture of source and binary artifacts, what is
a reviewer to do:

1. Vote -1. The release contains binaries.

2. Perform some cursory checks on the binaries (e.g. L&N) and vote accordingly.

3. Ignore the binaries. Vote only based on the source artifacts, but
allow the binary artifacts to appear alongside them in
https://www.apache.org/dist/ (and other places such as Maven Central).

Current policy, for both the incubator and many other projects, seems
to be 3. Yet this seems to me to contradict statements by Jim and Greg
that we only produce source releases.

My favorite is 2. It reflects reality - we DO release binary artifacts
along with releases, we have to trust the release manager to have not
compromised the binaries during the build process, but reviewers can
help by running cursory checks.

I would like to achieve clarity by voting on the 3 alternatives above
(plus any other alternatives people would like to propose).

Julian
On Wed, Nov 14, 2018 at 8:19 AM Myrle Krantz <myrle@apache.org> wrote:
>
> On Wed, Nov 14, 2018 at 1:12 PM Daniel Shahaf <d.s@daniel.shahaf.name>
> wrote:
>
> > The answer to (1) depends on the build platform and toolchain.
> > Reproducible builds [in the sense of "building the same source twice
> > gives bit-for-bit identical binaries"] can help with it.  When the
> > answer is negative, the next question is whether those unauditable
> > artifacts should be carried by ASF mirrors alongside the source
> > artifacts.
> >
>
> So if a project puts in the effort to
> a.) make their build reproducible (which can actually be very difficult to
> do), and
> b.) do a bit-for bid compare on a release across at least two build
> artifacts, created by different people on different machines...
>
> ...would we be willing to see that threat as sufficiently eliminated for
> our purposes?  Would we then be willing to "officially" release binaries?
>
> Best Regards,
> Myrle

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message