On Sat, 19 Apr 2025 at 21:48, Henrik Ingo <hen...@nyrkio.com> wrote:
> This is a question mainly to mentors I guess:
>
> https://www.apache.org/legal/release-policy.html
>
> ...emphasises that:
>
> > Before casting +1 binding votes, individuals are REQUIRED to download all
> > signed source code packages onto their own hardware, verify that they meet
> > all requirements of ASF policy on releases as described below, validate all
> > cryptographic signatures, compile as provided, and test the result on their
> > own platform.
>
> Question: Is it frowned upon if project committers distribute to each other
> bash scripts to automate the individually performed review? I mean do we
> expect each individual to contribute some randomness and diversity, beyond
> just another hw and os platform?
>
Sharing scripts is fine IMHO, so long as each committer has eyeballed the script and trusts what it does. Verifying signatures on the releases is the most important aspect of the vote (even if it's not what's most typical in practice). For example, Cassandra's release verification script is in this PR: https://github.com/apache/cassandra-builds/pull/32
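As an added illustration of the kind of shareable verification script the question is about (this is not the Cassandra script from the PR above, nor any ASF-provided tool), the two checks a voter runs on a downloaded source package, written as small POSIX shell functions that a committer can read before running. It assumes the usual ASF layout: next to each source package sit a detached `.asc` signature and a `.sha512` checksum file, and the project's KEYS file is downloaded separately. The package name, the "Demo RM" key and the constructed sample release exist only for the demo.

```shell
#!/bin/sh
# Added example of a shareable release-verification script; not the Cassandra
# script referenced in the thread and not ASF-provided code.
# Assumed layout (ASF convention): next to source package <pkg> sit <pkg>.asc
# (detached OpenPGP signature) and <pkg>.sha512 (sha512sum-style line); the
# project's KEYS file is fetched separately. Names below are illustrative.
set -eu

# Hex SHA-512 of a file; falls back to shasum where coreutils is absent.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_checksum PKG: compare the computed digest with the first field of
# PKG.sha512 (some projects ship a bare hex, others "<hex>  <name>").
verify_checksum() {
    pkg=$1
    [ -f "$pkg.sha512" ] || { echo "missing $pkg.sha512" >&2; return 1; }
    expected=$(awk 'NR==1 {print $1}' "$pkg.sha512" | tr '[:upper:]' '[:lower:]')
    actual=$(sha512_of "$pkg")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_signature PKG KEYS: import KEYS into a throwaway keyring and verify
# PKG.asc against it. An empty GNUPGHOME means a signature by any key that is
# not in KEYS fails with "no public key", whatever the voter's own keyring
# holds. gpg exits 0 on a good signature even when the key is uncertified,
# so the KEYS file itself is the trust anchor here.
verify_signature() {
    pkg=$1
    keys=$2
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    [ -f "$pkg.asc" ] || { echo "missing $pkg.asc" >&2; return 1; }
    ring=$(mktemp -d) || return 1
    rc=1
    if GNUPGHOME=$ring gpg --batch --quiet --import "$keys" 2>/dev/null; then
        GNUPGHOME=$ring gpg --batch --verify "$pkg.asc" "$pkg" && rc=0
    else
        echo "could not import any key from $keys" >&2
    fi
    GNUPGHOME=$ring gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$ring"
    return $rc
}

# verify_release PKG KEYS: run both checks and report each, so a voter sees
# which one failed rather than a single yes/no.
verify_release() {
    pkg=$1
    keys=$2
    ok=0
    if verify_checksum "$pkg"; then echo "checksum  OK  $pkg"; else echo "checksum  BAD $pkg"; ok=1; fi
    if verify_signature "$pkg" "$keys"; then echo "signature OK  $pkg"; else echo "signature BAD $pkg"; ok=1; fi
    return $ok
}

# sign_sample DIR PKG: throwaway "release manager" key (demo only), exported
# as DIR/KEYS and used to produce the detached signature PKG.asc.
sign_sample() {
    signer=$(mktemp -d) || return 1
    GNUPGHOME=$signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo RM <rm@example.invalid>' default default never >/dev/null 2>&1 &&
    GNUPGHOME=$signer gpg --batch --quiet --armor --export > "$1/KEYS" 2>/dev/null &&
    GNUPGHOME=$signer gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$2.asc" "$2" >/dev/null 2>&1
    rc=$?
    GNUPGHOME=$signer gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$signer"
    return $rc
}

# make_sample_release DIR: constructed stand-in for a release directory;
# prints the package path. KEYS and .asc are produced only when gpg exists.
make_sample_release() {
    pkg=$1/apache-demo-1.0-src.tar.gz
    printf 'constructed sample, not a real tarball\n' > "$pkg"
    printf '%s  %s\n' "$(sha512_of "$pkg")" "$(basename "$pkg")" > "$pkg.sha512"
    if command -v gpg >/dev/null 2>&1 && sign_sample "$1" "$pkg"; then
        :
    else
        rm -f "$1/KEYS" "$pkg.asc"
    fi
    echo "$pkg"
}

# Usage: sh verify-release.sh apache-foo-1.0-src.tar.gz KEYS
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

Two caveats a voter should keep in mind when reusing something like this: KEYS must come from the project's own distribution area over TLS, and the fingerprint of the key that produced the good signature should still be checked against the release manager's announced key, because `gpg --verify` reports a good signature for any key present in the keyring regardless of certification.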