kevinjqliu commented on PR #1388: URL: https://github.com/apache/datafusion-python/pull/1388#issuecomment-3935709635
I can make the changes above to the release and verify process. Just a note from ASF perspective; It is allowed to verify releases with cloud machines, but must create release artifacts on personal hardware. From https://www.apache.org/legal/release-policy.html#owned-controlled-hardware > Must releases be built on hardware owned and controlled by the committer? Strictly speaking, releases must be [verified](https://svn.apache.org/repos/private/committers/tools/releases/compare_dirs.pl) on hardware owned and controlled by the committer. That means hardware the committer has physical possession and control of and exclusively full administrative/superuser access to. That's because only such hardware is qualified to hold a PGP private key, and the release should be verified on the machine the private key lives on or on a machine as trusted as that. > > Practically speaking, when a release consists of anything beyond an archive (e.g., tarball or zip file) of a source control tag, the only practical way to validate that archive is to build it locally; manually inspecting generated files (especially binary files) is not feasible. So, basically, "Yes". > > Note: This answer refers to the process used to produce a release artifact from a source control tag. It does not refer to testing that artifact for technical quality. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
