On Mar 28, 2012, at 9:35 AM, Roy T. Fielding wrote:

> If you want to do it right, build the whole thing from scratch -- nothing
> but the source code. If there isn't at least one person (or CI bot)
> doing that per project, we're screwed.
I think the problem has gotten more challenging over time as many projects (at least the Java related ones) have a large number of dependencies on other Java projects. The examples like Ant are good. I'll point out Geronimo and a number of the other open source projects that build around JEE. There is no JEE project per se; there are lots of different implementations that get woven together.

Geronimo is probably hardest hit because the project had to include dependencies from many other projects. In some cases, the project took snapshots from the other projects in order to ship because not all projects release in sync. To avoid the problem, at least a few years ago, we built a repo where we would capture the maven artifacts so a Geronimo release could be built with a set of known and "versioned" dependencies. To provide any sense of repeatability, this practice was necessary.

Perhaps we need a clarification on wording. We have a release and we have distributions. The release is the vote on the source of the project, and the distributions are a versioned source tarball plus other binaries for different platforms or configurations. We do release source and we do distribute binaries and source. In some cases, the source contains binaries which are dependencies, but in no case that I'm aware of are the binaries not from an open, referenceable and verifiable open source project.

Matt Hogstrom
m...@hogstrom.org
A Day Without Nuclear Fusion Is a Day Without Sunshine

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org