There may be binary convenience artifacts, but let's not dignify them by the name release. They aren't, after all.
On Thu, May 10, 2018 at 8:56 AM, Matt Sicker <boa...@gmail.com> wrote:
> I still minimally require proper gpg signatures on binary artifacts. The
> source artifacts are what get far more scrutiny, but the binaries are
> released on apache.org after all.
>
> On 10 May 2018 at 10:20, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
>
> > On Thu, May 10, 2018 at 4:17 AM, sebb <seb...@gmail.com> wrote:
> > > On 10 May 2018 at 11:37, Greg Stein <gst...@gmail.com> wrote:
> > >> On Thu, May 10, 2018 at 3:31 AM, Huxing Zhang <hux...@apache.org> wrote:
> > >>
> > >>> Hi,
> > >>>
> > >>> On Thu, May 10, 2018 at 3:59 PM, Willem Jiang <willem.ji...@gmail.com> wrote:
> > >>> > Is there any plan for going through the vote process of Binary file?
> > >>>
> > >>> Yes, binaries will also go through the vote process.
> > >>
> > >> No. It makes no sense.
> > >>
> > >> There is NO WAY to verify a binary. Even compiling from source to binary on
> > >> your machine, and trying to compare against a target binary will generally
> > >> fail since timestamps are embedded. Or maybe there are different compilers
> > >> being used.
> > >>
> > >> The Foundation *never* votes on binaries, because the Foundation DOES NOT
> > >> RELEASE BINARIES. The Foundation only votes/authorizes/releases source
> > >> code. REPEAT: only source code.
> > >>
> > >> Only source. Which is verifiable. Which has provenance.
> > >
> > > The LICENCE and NOTICE files that accompany the binary artifact are
> > > text, and IMO should be checked against the contents of the binary
> > > artifact.
> > > For example, if the binary bundles jars from other projects, the L&N
> > > need to agree with the bundled contents.
> >
> > +1000! That has been a well established practice in the Incubator and
> > as such I see no reason not to keep following it.
> >
> > In addition to that, a reasonable effort should be put into making sure
> > that the binary bundle doesn't drag in bits with incompatible licenses
> > (such as GPL). That's why verifying LICENSE in the binary bundle
> > is NOT a simple exercise of comparing it to the source bundle.
> >
> > Thanks,
> > Roman.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > For additional commands, e-mail: general-h...@incubator.apache.org
> >
>
> --
> Matt Sicker <boa...@gmail.com>
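The check sebb and Roman describe above (do the LICENSE and NOTICE shipped in the binary bundle actually account for the jars it bundles?) is easy to script for a reviewer. The following is an added example written for this page; it is not code from the thread or from any Apache project. It assumes an already unpacked binary bundle with LICENSE and NOTICE at its top level and third-party jars somewhere below it, and it uses a simple case-insensitive substring match of the jar's artifact id (version stripped) against both files. The sample bundle built by `make_sample_dist` is constructed for the example; its file names and contents are made up.

```shell
#!/bin/sh
# Added example (not from the thread or any Apache project): cross-check the
# jars bundled in an unpacked binary convenience artifact against the LICENSE
# and NOTICE files shipped with it. Layout and file names below are assumed.

# Strip ".jar" and a trailing "-<version...>" from a jar file name:
#   commons-io-2.6.jar          -> commons-io
#   guava-25.0-jre.jar          -> guava
#   foo-1.0.0-incubating.jar    -> foo
jar_artifact_id() {
  basename "$1" .jar | sed -E 's/-[0-9][0-9A-Za-z.+_-]*$//'
}

# check_bundled_jars DIST [OWN_PREFIX]
# Prints "UNLISTED: <path>" for every bundled jar whose artifact id appears in
# neither DIST/LICENSE nor DIST/NOTICE (case-insensitive substring match).
# Jars whose id starts with OWN_PREFIX are the project's own and are skipped.
# Returns 0 if everything is covered, 1 if something is unlisted, 2 if
# LICENSE or NOTICE is missing from the bundle (itself a release blocker).
check_bundled_jars() {
  dist="$1"
  own="${2:-}"
  for f in LICENSE NOTICE; do
    if [ ! -f "$dist/$f" ]; then
      echo "missing $f in $dist" >&2
      return 2
    fi
  done
  # The while loop runs in a subshell, so collect its output instead of
  # trying to set a status variable inside it.
  unlisted=$(
    find "$dist" -type f -name '*.jar' | sort | while read -r jar; do
      id=$(jar_artifact_id "$jar")
      if [ -n "$own" ]; then
        case "$id" in "$own"*) continue ;; esac
      fi
      if ! grep -qiF -- "$id" "$dist/LICENSE" "$dist/NOTICE"; then
        echo "UNLISTED: ${jar#"$dist"/}"
      fi
    done
  )
  if [ -n "$unlisted" ]; then
    printf '%s\n' "$unlisted"
    return 1
  fi
  return 0
}

# Build a constructed sample bundle (a stand-in for an unpacked *-bin.tar.gz)
# and print its path. The file contents are made up for this example: the
# LICENSE mentions commons-io but not guava, so guava should be reported.
make_sample_dist() {
  d=$(mktemp -d)
  mkdir -p "$d/lib"
  cat > "$d/LICENSE" <<'EOF'
Apache License, Version 2.0 (text elided in this constructed sample)

This distribution bundles the following third-party components:
  commons-io (Apache-2.0)
EOF
  printf 'Sample Project\nCopyright 2018 The Apache Software Foundation\n' > "$d/NOTICE"
  : > "$d/lib/sample-project-1.0.0-incubating.jar"
  : > "$d/lib/commons-io-2.6.jar"
  : > "$d/lib/guava-25.0-jre.jar"
  echo "$d"
}

# Usage: sh check-ln.sh /path/to/unpacked-bin-dist [own-artifact-prefix]
if [ $# -gt 0 ]; then
  check_bundled_jars "$@"
fi
```

A jar reported as UNLISTED is a starting point for review, not a verdict: the reviewer still has to look up the bundled component's real license, confirm it is compatible with the Apache License (Roman's GPL point above), and then fix LICENSE and NOTICE in the source tree so the next binary bundle is built from correct files. The substring match is deliberately loose, so a LICENSE that happens to mention an artifact name for another reason will not be flagged; treat a clean run as "nothing obviously missing" rather than "verified".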