On 5/11/07, Craig L Russell <[EMAIL PROTECTED]> wrote:
Part of the vetting process for a release is to check that the signatures are ok (verify the signature is valid, looking for the signature in the KEYS file, etc.). Once the release bits (including signatures and checksums) are voted, it's not ok to change (add or remove) anything.
Makes sense, though for checking the bits you only need a checksum, not the signing. But anyway, I'll run Robert's RAT tool and check the POM, and then cut an RC2 that is completely signed and everything :-)
I've heard folks say that "Apache is an open source organization, and the releases are source releases". Projects are free to release binaries as a convenience to users who might not want to build, but it's not the primary objective.
Indeed, makes perfect sense.

cheers,
Tom