On Tue, Aug 13, 2013 at 12:30 AM, sebb <seb...@gmail.com> wrote:
> On 12 August 2013 20:10, Jason van Zyl <ja...@tesla.io> wrote:
>>
>>>>
>>>> I have now read the threads that are referring to, and have not found
>>>> a single link to any ASF rule stating that we need to include these
>>>> things in a VOTE thread.
>>>
>>> So how do you propose that reviewers check the provenance of the files
>>> in the source release?
>>
>> Are you looking for files that are in a distribution that didn't come from
>> source control? Everything else as far as provenance goes is covered. Errant
>> content is a potential problem, but everything in a distribution should come
>> from source control which no one has access to until they have a signed CLA
>> on file.
>
> Yes. That is where the whole saga started.
>
> Proving provenance is why the SCM coordinates are needed for the vote.
>
> The SCM details may also be useful to discover files accidentally
> omitted from the source archive.

You want to compare the contents of the *-source-release.zip with
something from SCM, to make sure nothing bad has crept into the source
bundle. So you need to know where in SCM you can find it.

Have I understood you correctly?

>> Thanks,
>>
>> Jason
>>
>> ----------------------------------------------------------
>> Jason van Zyl
>> Founder, Apache Maven
>> http://twitter.com/jvanzyl
>> ---------------------------------------------------------
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>

--
Dennis Lundberg
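
The comparison discussed in this thread, as an added example that is not part of the original messages or of any Maven tooling: it hashes every file in a source-release zip and in an SCM checkout, then reports files only in the archive, files only in SCM, and files whose content differs. The archive's top-level directory prefix, the file names and the sample data are all constructed assumptions.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

SCM_METADATA = {".svn", ".git"}  # working-copy metadata, never part of a release

def _sha256(data):
    return hashlib.sha256(data).hexdigest()

def archive_digests(zip_path, prefix):
    """Relative path -> SHA-256 for each archive file, top-level dir stripped."""
    with zipfile.ZipFile(zip_path) as zf:
        return {i.filename.removeprefix(prefix): _sha256(zf.read(i))
                for i in zf.infolist() if not i.is_dir()}

def tree_digests(root):
    """Relative path -> SHA-256 for each file in an SCM export or checkout."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p.read_bytes())
            for p in root.rglob("*")
            if p.is_file() and not SCM_METADATA & set(p.relative_to(root).parts)}

def compare(archive, tree):
    """Classify every path so a reviewer sees exactly what deviates from SCM."""
    shared = archive.keys() & tree.keys()
    return {
        "only_in_archive": sorted(archive.keys() - tree.keys()),  # errant content
        "only_in_scm": sorted(tree.keys() - archive.keys()),      # omitted from bundle
        "content_differs": sorted(k for k in shared if archive[k] != tree[k]),
    }

def demo():
    """Constructed sample data: a tiny checkout and a tiny source-release zip."""
    with tempfile.TemporaryDirectory() as tmp:
        checkout = Path(tmp, "checkout")
        for rel, data in {"pom.xml": b"<project/>\n", "NOTICE": b"notice\n",
                          "src/App.java": b"class App {}\n",
                          ".svn/entries": b"12\n"}.items():
            (checkout / rel).parent.mkdir(parents=True, exist_ok=True)
            (checkout / rel).write_bytes(data)
        zpath = Path(tmp, "demo-1.0-source-release.zip")
        with zipfile.ZipFile(zpath, "w") as zf:
            zf.writestr("demo-1.0/pom.xml", b"<project/>\n")
            zf.writestr("demo-1.0/src/App.java", b"class App { int x; }\n")
            zf.writestr("demo-1.0/extra.jar", b"\x00not-in-scm")
        return compare(archive_digests(zpath, "demo-1.0/"), tree_digests(checkout))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The check only means something when the checkout is taken at the exact tag or revision named in the vote, which is why the reviewer needs the SCM coordinates.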