incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bertrand Delacretaz <>
Subject Re: How to review so-called "binary releases"?
Date Thu, 15 Nov 2018 07:41:21 GMT
On Thu, Oct 25, 2018 at 5:25 AM Julian Hyde <> wrote:
> there any guidance for how to review a release that contains source and binary

>... As a reviewer, how am I to vote on this release candidate?...

When that happens I just vote on the source archive and include it's
digest D in my vote - "I am +1 on the release of the source archive
having digest D".

And then just verify the digests and signatures of the binaries,
considering them as attachments to the release, and indicate that I
checked that in my vote.

I see this as a two-level thing:

a) The source release is an Act of the Foundation, it is what the
foundation produces

b) For the binaries, the PMC states that it thinks they are good and
declares that the published digests and signatures are the correct
ones. The Foundation does not state anything about them - use at your
own risk but in practice that risk is very low if the PMC members
collectively recommend using them.

That's not very different from what other open source projects do - we
need a) for our legal shield but b) is exactly like random open source
projects operate.

You have to trust an open source project when you use their binaries,
and you can use digests and signatures to verify that those binaries
are the same that everyone else uses - I don't think anyone provides
more guarantees than that, except when you pay for someone to state
that those binaries are good.

If people agree with this view we might need to explain this better,
"unofficial" does not mean much, this two-level view might be more


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message