On 13 October 2014 15:30, Bertrand Delacretaz <bdelacre...@apache.org> wrote:
> On Mon, Oct 13, 2014 at 4:14 PM, Julian Hyde <julianh...@gmail.com> wrote:
>>
>> For many projects, especially "library" projects, the "convenient binaries"
>> that matter most these days are the jars (source, binary, and javadoc)
>> that are deployed to the maven repo...
>
>> ...Are these jars subjected to due diligence during the release vote?...
>
> In projects where I'm active there's reasonable due diligence as the
> build processes are automated in a way that allows you to trust the
> build if that's done by someone that you trust.
Automated processes can produce incorrect output, even if applied correctly by
experienced RMs. The packaging can pick up extraneous files (or omit them).
[I have seen this happen on at least two projects.]
So it is still important that the tarball contents are checked.

> That being said, we don't make any guarantees about those jars, so in
> the end users can either choose to trust the build and distribution
> process, or build the required jars themselves from a trusted source.

I think we do guarantee that the jars we provide are ALv2 licensed (at least
implicitly, if not explicitly).

> In the case of Maven, the ASF doesn't control the distribution
> process, so it's not a safe channel without signatures or trusted
> digests, and I don't think Maven allows for those at the moment. So
> even the best due diligence wouldn't really help for these binaries.
>
> -Bertrand
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
> ---------------------------------------------------------------------
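The two checks the thread argues for, a trusted digest for the jar and an inspection of its contents for extraneous or missing files, can be scripted. The following is an added example written for this page, not code from the thread or from any Apache project's release tooling. It builds a small constructed jar in memory to stand in for a jar fetched from a repository, verifies it against a digest in `sha512sum` output format, and compares its entry list with an expected list (the entry names and the `published_digest` value are assumptions for the example). A detached `.asc` signature would be checked separately with `gpg --verify`; that step is not shown here.

```python
import hashlib
import hmac
import io
import zipfile

# Entries a reviewer expects in this (constructed) jar. In practice this
# list comes from the source tarball or a previous vetted release.
EXPECTED_ENTRIES = {
    "META-INF/MANIFEST.MF",
    "META-INF/LICENSE",
    "META-INF/NOTICE",
    "org/example/Foo.class",
}


def build_sample_jar(extra_entries=()):
    """Constructed sample: a minimal jar built in memory, standing in for a
    jar downloaded from a Maven repository (not a real Apache artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/LICENSE", "Apache License, Version 2.0 (sample)\n")
        zf.writestr("META-INF/NOTICE", "Sample Project (constructed)\n")
        zf.writestr("org/example/Foo.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        for name, data in extra_entries:
            zf.writestr(name, data)
    return buf.getvalue()


def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()


def verify_digest(data, published_digest):
    """Compare the artifact's SHA-512 with a published digest line.
    Accepts either a bare hex string or 'HEX  filename' as produced by
    sha512sum; uses a constant-time comparison."""
    expected = published_digest.strip().split()[0].lower()
    return hmac.compare_digest(sha512_hex(data), expected)


def audit_jar_contents(data, expected_entries=EXPECTED_ENTRIES):
    """Return entries present but unexpected, and expected but missing.
    Directory entries are ignored; only files are compared."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = {n for n in zf.namelist() if not n.endswith("/")}
    return {
        "extra": sorted(names - set(expected_entries)),
        "missing": sorted(set(expected_entries) - names),
    }


def check_release_jar(data, published_digest, expected_entries=EXPECTED_ENTRIES):
    """Run both checks and return a list of problems (empty means clean)."""
    problems = []
    if not verify_digest(data, published_digest):
        problems.append("digest mismatch")
    contents = audit_jar_contents(data, expected_entries)
    problems += ["unexpected entry: " + n for n in contents["extra"]]
    problems += ["missing entry: " + n for n in contents["missing"]]
    return problems


if __name__ == "__main__":
    clean = build_sample_jar()
    digest_line = sha512_hex(clean) + "  sample-1.0.jar"  # assumed published digest
    print("clean jar:", check_release_jar(clean, digest_line) or "OK")

    # A jar whose packaging step picked up a stray file; the digest line
    # above was computed for the clean jar, so both checks should flag it.
    stray = build_sample_jar([("target/debug.log", b"build noise\n")])
    print("stray-file jar:", check_release_jar(stray, digest_line))
```

The digest only proves the bytes match what was published; if the publishing step itself packed the wrong files, only the contents audit catches that, which is why the two checks are kept separate and both reported.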