Hi! Russel, Justin, JB, thanks for your comments!

I started this thread because I believe that source and binary verification are very important verification steps we should be doing, especially in the light of supply chain attacks that we've witnessed (XZ). We should have processes in the Iceberg community which would discourage any rogue participant from even coming close, so we can sleep peacefully. Compare this with a broken release like missing a flink jar, or a new bug or perf regression. These are *relatively* harmless and (*relatively*) easy to recover from.

> Similar to dev/check-license script, maybe we can add a script helping
> reviewers (something like dev/check-rc) to already do some checks.

You're absolutely right! The release process isn't free today and it is not a good idea to make it more expensive, or we discourage people from participating. Thus, yes, it would be ideal to have verification scripts that do as much as possible.

Best
Piotr

On Wed, 21 Aug 2024 at 14:44, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> Hi Justin,
>
> Thanks for clarifying, I was not clear in my previous email (I tried
> to mean even gradle wrapper is *not* OK).
>
> We don't package any binary in the Iceberg source distribution though.
>
> Regards
> JB
>
> On Tue, Aug 20, 2024 at 11:55 PM Justin Mclean <jus...@classsoftware.com>
> wrote:
> >
> > Hi,
> >
> > > I would add an additional check on the source distribution: the source
> > > distribution should not contain any unexpected binary file (gradle
> > > wrapper is OK, but other binary should be avoided).
> >
> > It's not OK to include the gradle wrapper in the source release. A
> > source release can't include any jars with compiled code in them.
> >
> > Kind Regards,
> > Justin
>
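As an added illustration of the dev/check-rc idea discussed in this thread (this is example code written here, not an Iceberg script and not code from any participant), the POSIX sh below implements just the "no unexpected binaries in the source distribution" check: it flags files by compiled-artifact extension and, independently, any file containing a NUL byte, so a jar or native library renamed to hide it is still caught. The script name, the extension list, and the constructed demo tree are assumptions; checksum and signature verification of the tarball are outside this snippet.

```shell
#!/bin/sh
# Added example (not Iceberg's dev/ tooling): a minimal dev/check-rc-style
# helper that scans an unpacked source release for binary files.
# Assumptions: the extension list and the demo tree below are constructed here.

# List every regular file under $1 that is a compiled/packaged artifact by
# extension, or that contains a NUL byte (a cheap, portable "is it binary?"
# test that also catches jars, class files and native code under other names).
find_binaries() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    case "$f" in
      *.jar|*.war|*.ear|*.zip|*.class|*.so|*.dll|*.dylib|*.exe)
        printf '%s\n' "$f"
        continue
        ;;
    esac
    # tr strips NUL bytes; if the result differs from the file, a NUL was present.
    if ! LC_ALL=C tr -d '\000' < "$f" | cmp -s - "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Gate for a release vote: succeed only when the tree is binary-free.
check_rc() {
  found=$(find_binaries "$1")
  if [ -n "$found" ]; then
    printf 'FAIL: binary files found in source release %s:\n%s\n' "$1" "$found" >&2
    return 1
  fi
  printf 'OK: no binary files under %s\n' "$1"
  return 0
}

# Number of flagged files, for scripting around the check.
count_binaries() {
  find_binaries "$1" | wc -l | tr -d ' '
}

# Constructed demo: a clean source tree and one that smuggles two binaries.
# Prints the temporary root directory; the caller removes it.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/clean/src" "$root/dirty/src" "$root/dirty/gradle/wrapper"
  printf 'public class Table {}\n' > "$root/clean/src/Table.java"
  printf 'distributionUrl=https://example.invalid/gradle.zip\n' \
    > "$root/clean/gradle-wrapper.properties"
  printf 'public class Table {}\n' > "$root/dirty/src/Table.java"
  # stand-in for a wrapper jar: flagged by extension alone
  printf 'PK\003\004\000\000' > "$root/dirty/gradle/wrapper/gradle-wrapper.jar"
  # stand-in for a native helper with no extension: flagged by its NUL byte
  printf 'ELF\177\000junk' > "$root/dirty/src/native-helper"
  printf '%s\n' "$root"
}

# Stand-alone use: ./check-rc.sh <unpacked-source-dir>, or --demo to run the
# constructed tree. Does nothing when loaded without arguments.
case "${1:-}" in
  --demo)
    tree=$(make_demo_tree)
    check_rc "$tree/clean"
    check_rc "$tree/dirty" || true
    rm -rf "$tree"
    ;;
  "") ;;
  *) check_rc "$1" ;;
esac
```

The NUL-byte test is deliberately stricter than an extension list: a real reviewer script would probably grow an explicit allowlist for the few binaries a project knowingly ships (images in docs, test fixtures), with each entry reviewed when added, rather than loosening the scan itself.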
I started this thread because i believe that source and binary verification are very important verification steps we should be doing, especially in the light of supply chain attacks that we've witnessed (XZ). We should have processes in the Iceberg community which would discourage any rogue participant from even coming close, so we can sleep peacefully. Compare this with a broken release like missing a flink jar, or a new bug or perf regression. These are *relatively* harmless and (*relatively*) easy to recover from. Similar to dev/check-license script, maybe we can add a script helping > reviewers (somelike like dev/check-rc) to already do some checks. you're absolutely right! the release process isn't free today and it is not a good idea to make it more expensive, or we discourage people from participating. thus, yes, it would be ideal to have verification scripts that do as much as possible Best Piotr On Wed, 21 Aug 2024 at 14:44, Jean-Baptiste Onofré <j...@nanthrax.net> wrote: > Hi Justin, > > Thanks for clarifying, I was not clear in my previous email (I tried > to mean even gradle wrapper is *not* OK). > > We don't package any binary in the Iceberg source distribution though. > > Regards > JB > > On Tue, Aug 20, 2024 at 11:55 PM Justin Mclean <jus...@classsoftware.com> > wrote: > > > > Hi, > > > > > I would add an additional check on the source distribution: the source > > > distribution should not contain any unexpected binary file (gradle > > > wrapper is OK, but other binary should be avoided). > > > > It’s not OK to include the gradle wrapper in the source release. A > source release can't include any jars with compiled code in them. > > > > Kind Regards, > > Justin >