On 26 September 2016 at 14:34, Mark Struberg <strub...@yahoo.de.invalid> wrote:
> We *never* push commits for in-progress votes to the ASF repos when we use
> GIT!
> The reason is that we cannot get rid of those afterwards! Of course we can 
> delete the branch/tag/commit from the ASF repo, but we cannot delete them 
> from all the hundreds downstream repos which almost immediately pull those 
> changes...
>
> You can think of pushing this to a private (but PMC owned!) github repo as 
> kind of parallel to the Maven 'staging' process.

Of course it is up to each project what particular release/tag
practice they want to follow. Many projects do this classically even
with git, e.g. using branches or tags like 0.4-RC1 - see for instance:

https://lists.apache.org/list.html?d...@jena.apache.org:lte=10M:VOTE

Some communities like Apache Commons even keep around all RC tags;
then archived emails around failed RCs still have valid links - e.g.
https://github.com/apache/commons-lang/releases

I wouldn't personally see a problem with an RC branch showing up in
forked repositories - branches are there to be created and removed
again - if downstream want to keep them for archival purposes that's
their choice - just like they can keep the commit emails.


But if that's not your project's cup of tea, then I guess just
commit IDs and hashes in the email should work, no matter where the
commit 'is' - in git the commit is hashed and it's not forgotten after
the vote is passed.

Perhaps "git tag --sign" so you get a PGP-signed tag commit would be a
good idea?


Without the commit ID or hashes in the email - then particularly for
mutable release candidate tags hosted in third-party repositories, we
don't have a record of exactly what was voted on and the committer
could easily by mistake push the 'wrong' RC commits or dists without
anyone being able to notice or check later. In fact, this very vote
shows two different commit IDs which this time luckily had the same
content.

Many projects post RCs on https://dist.apache.org/repos/dist/dev/ -
which is SVN-based - here the revision number and log is sufficient -
we assume the ASF-hosted SVN repository to be 'trusted'. A closed
Nexus repository is similarly tracked and immutable.




-- 
Stian Soiland-Reyes
http://orcid.org/0000-0001-9842-9718
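
Added example, not part of the original message: it computes git object IDs the way git does (SHA-1 over a typed header plus the object body) to show why a commit ID recorded in the vote email pins what was voted on, and how two different commit IDs can still carry the same content (same tree ID). The file names, identity, timestamps and helper names are constructed for illustration; only flat trees of regular files and parentless commits are handled.

```python
import hashlib

def git_object_id(kind: bytes, body: bytes) -> str:
    """Git object ID: SHA-1 over '<kind> <length>', a NUL byte, then the body."""
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def tree_body(files: dict) -> bytes:
    """Serialize a flat tree of regular files (mode 100644), sorted by name."""
    out = b""
    for name in sorted(files):
        blob_id = git_object_id(b"blob", files[name])
        out += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id)
    return out

def commit_body(tree_id: str, who: str, message: str) -> bytes:
    """Serialize a parentless commit object pointing at tree_id."""
    return f"tree {tree_id}\nauthor {who}\ncommitter {who}\n\n{message}\n".encode()

def tree_of(commit: bytes) -> str:
    """Read the tree ID from the first header line of a raw commit object."""
    first = commit.split(b"\n", 1)[0]
    if not first.startswith(b"tree "):
        raise ValueError("not a commit object")
    return first[5:].decode()

def check_against_vote(voted_commit: str, voted_tree: str, candidate: bytes) -> str:
    """Compare a candidate commit object with the IDs recorded in the vote email."""
    if git_object_id(b"commit", candidate) == voted_commit:
        return "exact"          # the very commit that was voted on
    if tree_of(candidate) == voted_tree:
        return "same-content"   # different commit ID, identical file tree
    return "different"          # not what was voted on

# Constructed sample data (not taken from any real release candidate).
FILES = {"NOTICE": b"constructed sample\n", "pom.xml": b"<project/>\n"}
TREE = git_object_id(b"tree", tree_body(FILES))
WHO = "Release Manager <rm@example.invalid> {} +0000"
RC_A = commit_body(TREE, WHO.format(1474900000), "0.4-RC1")   # commit named in the vote
RC_B = commit_body(TREE, WHO.format(1474903600), "0.4-RC1")   # re-committed an hour later
CHANGED = git_object_id(b"tree", tree_body({**FILES, "pom.xml": b"<project>x</project>\n"}))
RC_C = commit_body(CHANGED, WHO.format(1474900000), "0.4-RC1")  # same label, other content
VOTED = git_object_id(b"commit", RC_A)

if __name__ == "__main__":
    for name, rc in (("RC_A", RC_A), ("RC_B", RC_B), ("RC_C", RC_C)):
        print(name, git_object_id(b"commit", rc), check_against_vote(VOTED, TREE, rc))
```

With only a tag name in the vote email, RC_A, RC_B and RC_C are indistinguishable; with the commit ID recorded, only RC_A matches, and the tree ID shows whether a mismatch is harmless.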
