Hi,

On Thursday, October 23, 2014, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
> ...I understand the need of projects like OO to provide binaries of some sort,
> I just don't understand why do they have to be 'blessed' by ASF. Once
> source gets built and packaged a whole new set of issues kick in. I don't
> think the foundation is well prepared to deal with those. We might as
> well admit it explicitly...

My understanding is that while we don't make any guarantees about convenience binaries, and while they are not ASF releases, it is good to be able to verify that the binary that you got is the one that someone from the PMC prepared.

So if our PMCs distribute convenience binaries, signing them for example is a good thing to allow users to verify that they are using what the PMC built, as opposed to some rogue binary.

Signing doesn't mean the binary is "blessed", it just allows users to verify that they are using what the PMC intended to distribute.

-Bertrand