On Thu, Aug 16, 2012 at 1:32 PM, Alex Harui <aha...@adobe.com> wrote:

> On 8/16/12 1:07 PM, "Carol Frampton" <cfram...@adobe.com> wrote:
>
> >> I understand the installer needs a Mac binary and a Win binary, but
> >> since they are not official releases, I don't see why the release
> >> manager can't ask someone else to build a package for them.
> >
> > I would think the release manager should not sign "the apache way" a
> > binary or a binary distro with a binary in it that they didn't build.
> > Everything on the distro site needs to be signed.  I did not sign the
> > asdoc package when we released and I was asked not too long ago, I think
> > by someone from infra, to do that.
> >
> > Maybe the mentors know the real answer to this.
> >
> > Carol
> >
> I would think if someone supplies the other platform's binary in a secure
> way it should be good enough, but we'll see what the mentors say.
>
I agree with Carol.  When a release manager signs a binary, they are
implicitly guaranteeing that what is in the binary was really built from
the sources.  If they did not create the binary themselves, how can they
verify what exactly went into the binary?

Now, since any committer can be a release manager[1], a release manager can
probably accept another committer's binary and sign it.

The better option would be that two committers create the binaries on the
two platforms and sign them separately.  Essentially - two release managers
that I mentioned earlier.

In [1] the section says (emphasis mine):

> The *common practice* at Apache is for a *single individual* to take
> responsibility for the mechanics of a release. That individual is called
> the 'release manager.' Release managers take care of shepherding a release
> from an initial community consensus to make it to final distribution.
>

This is certainly not a common scenario.  I think it is okay to have two
release managers in our case.

Thanks,
Om

[1] http://www.apache.org/dev/release-publishing.html#release_manager


>  --
> Alex Harui
> Flex SDK Team
> Adobe Systems, Inc.
> http://blogs.adobe.com/aharui
>
>

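Added example, not code from this thread or from the Apache Flex project: the point above is that a release manager's signature vouches that the artifact was built from the released sources. Before countersigning a binary another committer supplied, the release manager can at least check it against the checksum the builder published, and when two committers build independently (the "two release managers" option), compare their digests. The snippet below parses Apache-style `.sha512` files in both layouts that have appeared on dist sites (`sha512sum` style `<hex>  <file>` and `gpg --print-md` style `<file>: AAAA BBBB ...` wrapped over several lines), verifies an artifact against one, and reports whether independent builds agree. The artifact bytes and file name are constructed placeholders; no real Flex installer is involved.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a platform binary supplied by another committer.
SAMPLE_NAME = "apache-flex-installer-mac.dmg"
SAMPLE_ARTIFACT = b"\x7fELF-placeholder: pretend this is the Mac installer binary\n"


def sha512_hex(data: bytes) -> str:
    """Hex SHA-512 of an artifact, the digest Apache publishes beside releases."""
    return hashlib.sha512(data).hexdigest()


def gpg_print_md_layout(name: str, hex_digest: str) -> str:
    """Render a digest the way `gpg --print-md SHA512 <file>` prints it:
    upper-case, groups of four, eight groups per line, continuation lines
    indented under the file name. Used here to build a sample checksum file."""
    groups = [hex_digest[i:i + 4].upper() for i in range(0, len(hex_digest), 4)]
    rows = [" ".join(groups[i:i + 8]) for i in range(0, len(groups), 8)]
    indent = " " * (len(name) + 2)
    return name + ": " + ("\n" + indent).join(rows) + "\n"


def parse_checksum_file(text: str) -> dict:
    """Return {filename: lower-case hex digest} for every entry in a .sha512 file.
    Both layouts are accepted; entries whose digest is not 128 hex chars are ignored."""
    entries = {}
    # sha512sum layout: '<128 hex>  <file>' (a leading '*' marks binary mode)
    for m in re.finditer(r"^([0-9a-fA-F]{128})\s+\*?(\S+)\s*$", text, re.M):
        entries[m.group(2)] = m.group(1).lower()
    # gpg --print-md layout: '<file>: <groups>' with indented continuation lines
    pattern = r"^(\S+):\s*([0-9A-Fa-f ]+(?:\n[ \t]+[0-9A-Fa-f ]+)*)"
    for m in re.finditer(pattern, text, re.M):
        digest = re.sub(r"\s+", "", m.group(2)).lower()
        if len(digest) == 128:
            entries[m.group(1)] = digest
    return entries


def verify_artifact(name: str, data: bytes, checksum_text: str) -> bool:
    """True only if the checksum file lists `name` and its digest matches `data`.
    compare_digest avoids leaking the mismatch position through timing."""
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha512_hex(data))


def builds_agree(digests: dict) -> bool:
    """digests maps builder -> hex digest of the artifact each built from the
    tagged sources. Agreement needs at least two builders and identical digests."""
    return len(digests) >= 2 and len(set(digests.values())) == 1


if __name__ == "__main__":
    digest = sha512_hex(SAMPLE_ARTIFACT)
    sha512sum_file = f"{digest}  {SAMPLE_NAME}\n"
    gpg_file = gpg_print_md_layout(SAMPLE_NAME, digest)
    print("sha512sum layout verifies:", verify_artifact(SAMPLE_NAME, SAMPLE_ARTIFACT, sha512sum_file))
    print("gpg layout verifies:      ", verify_artifact(SAMPLE_NAME, SAMPLE_ARTIFACT, gpg_file))
    print("two builders agree:       ", builds_agree({"committer-a": digest, "committer-b": digest}))
```

A matching digest shows the bytes are what the builder published, not that the build came from the tagged sources; that is why the thread's "two committers build separately" option is the stronger one, and why a mismatch between the two builders' digests should block signing until it is explained.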