On 10/21/06, Tim Ellison <[EMAIL PROTECTED]> wrote:
On 20/10/06, Roy T. Fielding <[EMAIL PROTECTED]> wrote: > On Oct 20, 2006, at 3:34 AM, Tim Ellison wrote: > > > To be clear, our snapshots are more than a simple snap of > > Subversion -- > > we (the Harmony community) discuss the right time to create the > > development snapshot to accommodate known instability caused by > > work in > > flight, publish the snapshot with the required incubator disclaimers, > > license and notice files etc., and encourage people to test them and > > report problems before we announce them on our website news page. > > No, to be clear, a snapshot is (by definition) a simple snap of svn. > > What you are calling a snapshot would be what *we* call a developer > release -- the only difference is that you haven't tagged the revisions > (just using recorded revision numbers) and you haven't signed the > packages.
+1
> In other words, if you have a PGP/GPG key, it would take you less time > to satisfy the Incubator PMC than it did for me to write this message.
+1
> > Conducting a release, even a faux release, is probably a make-work > > task > > -- I believe we can do it if that is the only concern, just don't move > > the goalposts until we get back ;-) > > You see, this is why the process is needed. You have apparently been > doing developer releases all this time, minus the two tiny steps needed > to make them complete. A full release is just a developer release plus > formal vote, which is not necessary at this time given the roadmap.
+1
> Becoming a TLP means that you already know this stuff and can enforce > it without any worries from the board. If this is the last thing you > needed to know, that's great. [And if the mentors would just shut up > for a minute and let the project prove itself, maybe you can graduate. > That is, if anyone ever bothers to call a vote.] Ack -- comments duly taken on-board. I was able to attend a US an EU ApacheCon and get my key signed by a number of members, and in turn sign a number of other peoples',
connection is great but using key that is well connected is not necessary. what's vital is that the release manager can verify where an artifact has been tampered with or not. connection to the web of trust is powerful and adds security but is not necessary for this. all that's required is knowing or learning enough about signing releases to produce a valid signature. hopefully our documentation (http://www.apache.org/dev/release-signing.html) should cover this.
so I believe that all the pieces are in place for me, and others in Harmony, to conduct a bona fide release (development release or otherwise).
it's wise not to underestimate the task. the IPMC has historically underestimated the difficult that podlings had in creating releases given the poor standard of documentation on this subject. writing good documentation is tough and takes time :-/ we're not trying to make work, just trying to encourage podlings to take advantage of the help that's on offer... - robert --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
