On Thu, May 10, 2018 at 6:50 PM, Julian Hyde <jh...@apache.org> wrote: > ...In other words, there are several ways to prove that a binary release > is WRONG but (to Greg’s point) there is no way to prove it RIGHT....
One useful thing that people could do with binary artifacts is to say "I use the binary with sha256 digest XYZ and it works for me" - but that doesn't make the Apache Releases, they are still unverifiable binaries regardless. -Bertrand --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
