On 15 August 2013 08:53, sebb <seb...@gmail.com> wrote:
> On 14 August 2013 21:21, Dennis Lundberg <denn...@apache.org> wrote:
>> On Wed, Aug 14, 2013 at 10:47 AM, sebb <seb...@gmail.com> wrote:
>>
>>> On 13 August 2013 18:58, Dennis Lundberg <denn...@apache.org> wrote:
>>> > On Tue, Aug 13, 2013 at 12:30 AM, sebb <seb...@gmail.com> wrote:
>>> >> On 12 August 2013 20:10, Jason van Zyl <ja...@tesla.io> wrote:
>>> >>>
>>> >>>>>
>>> >>>>> I have now read the threads that you are referring to, and have
>>> >>>>> not found a single link to any ASF rule stating that we need to
>>> >>>>> include these things in a VOTE thread.
>>> >>>>
>>> >>>> So how do you propose that reviewers check the provenance of the
>>> >>>> files in the source release?
>>> >>>
>>> >>> Are you looking for files that are in a distribution that didn't
>>> >>> come from source control? Everything else as far as provenance
>>> >>> goes is covered. Errant content is a potential problem, but
>>> >>> everything in a distribution should come from source control
>>> >>> which no one has access to until they have a signed CLA on file.
>>> >>
>>> >> Yes. That is where the whole saga started.
>>> >>
>>> >> Proving provenance is why the SCM coordinates are needed for the vote.
>>> >>
>>> >> The SCM details may also be useful to discover files accidentally
>>> >> omitted from the source archive.
>>> >
>>> > You want to compare the contents of the *-source-release.zip with
>>> > something from SCM, to make sure nothing bad has crept into the
>>> > source bundle. So you need to know where in SCM you can find it.
>>> > Have I understood you correctly?
>>>
>>> It's vital to be able to link the files in the source release
>>> archive(s) to their origin in SCM.
>>>
>>> The provenance of any source files the ASF releases must be clearly
>>> traceable.
>>
>> This information is clearly traceable and available to anyone who wants
>> to review a release made by the Maven project. Our process uses the
>> Release Plugin, which will put the POM from the SCM tag in the staging
>> directory along with the source-release.zip. In that POM you will find
>> the URL to the original sources in SCM.
>
> As has already been pointed out, SVN tags are not immutable, so the
> tag name alone is not sufficient.

I think Stephen perfectly summed up the situation. If you're not happy follow that.
But please STOP the troll!

Thanks!

>>> >>> Thanks,
>>> >>>
>>> >>> Jason
>>> >>>
>>> >>> ----------------------------------------------------------
>>> >>> Jason van Zyl
>>> >>> Founder, Apache Maven
>>> >>> http://twitter.com/jvanzyl
>>> >>> ---------------------------------------------------------
>>> >
>>> > --
>>> > Dennis Lundberg

--
Olivier Lamy
Ecetera: http://ecetera.com.au
http://twitter.com/olamy | http://linkedin.com/in/olamy

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
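
The comparison discussed in this thread (source-release zip against its origin in SCM), as an added example that is not part of the original mails or of the Maven project's tooling. It assumes the SCM tree was exported at a fixed revision number rather than by tag name alone, since the thread notes that SVN tags are not immutable; the function names, the "demo-1.0/" archive prefix and the sample files are constructed for illustration.

```python
import hashlib, io, os, pathlib, tempfile, zipfile

def archive_digests(zip_bytes, strip_prefix=""):
    """Relative path -> SHA-256 for each file in a source-release zip."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.startswith(strip_prefix):
                name = name[len(strip_prefix):]
            digests[name] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def tree_digests(root):
    """Relative path -> SHA-256 for each file in an SCM export directory."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".svn"]  # skip SCM metadata
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(archive, scm):
    both = set(archive) & set(scm)
    return {
        "only_in_archive": sorted(set(archive) - set(scm)),  # no SCM origin
        "only_in_scm": sorted(set(scm) - set(archive)),      # omitted from release
        "changed": sorted(p for p in both if archive[p] != scm[p]),
    }

def demo():
    """Constructed sample: a fake export tree and a fake release zip."""
    with tempfile.TemporaryDirectory() as root:
        tree = {"pom.xml": b"<project/>", "NOTICE": b"n", "src/App.java": b"class App {}"}
        for rel, data in tree.items():
            path = pathlib.Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("demo-1.0/pom.xml", b"<project/>")
            zf.writestr("demo-1.0/src/App.java", b"class App { int x; }")
            zf.writestr("demo-1.0/extra.jar", b"\x00binary")
        return compare(archive_digests(buf.getvalue(), "demo-1.0/"), tree_digests(root))
```

A reviewer would expect all three lists to be empty apart from files the release process is known to generate; anything else in "only_in_archive" or "changed" has no traceable origin in the exported revision.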