----- Original Message -----
Allen Wittenauer <a...@effectivemachines.com> wrote:
> > On Dec 11, 2018, at 9:09 AM, Joan Touzet <woh...@apache.org> wrote:
> > Perhaps I'm misunderstanding...are the Nexus-published builds not treated
> > the same because they're not on dist.apache.org? Or are they not release
> > versions?
>
> Yes, you are misunderstanding.
>
> 1) Officially (legally?), source code distributions are "the release."
> Any and all binaries are considered to be convenience binaries so users don’t
> have to compile. They are not official. [Statements like “verify a
> release by rebuilding” don’t really parse as a result.]
>
> 2) As far as I’m aware/all the projects I’ve ever worked with, the
> uploads to Nexus are to the snapshot repo, not the release repo. The release
> repos are still done manually.

Thanks, Allen. So I am still fighting against the system here.

If binaries are conveniences, and they are not official, we should be able to auto-push binaries built on trusted infrastructure out to the world. Why can't that be our (Infra maintained & supported, costly from a non-profit perspective) CI/CD infrastructure?

-Joan