On 09/13/2017 09:35 AM, Clebert Suconic wrote:
> On Wed, Sep 13, 2017 at 9:21 AM Robbie Gemmell <[email protected]>
> wrote:
>> This was less about time, though there is some benefit in that regard,
>> with how much depending on how particular people actually verify the
>> checksums I guess.
> Actually this is kind of moot. Nexus does that check for you. You cannot
> upload a release with a checksum broken. It won't let you close.
> Like. Last week I had to restart the release once because MVN upload broke
> the checksum somewhere.

Just for clarification here the "official release" we are referring to
here is the source and binary distributions that are uploaded to dist
and linked on the website. The bits in maven are not the official
release, we don't need to do them in order to produce an official
release of the project. The bits Robbie is referring to are the ones
uploaded to dist and are the ones you should be verifying when voting
on a release.

The benefits gained then are that the checksum files we publish are
easily validated by a review or, you know, by the people downloading the
official release bits who want to validate that they match. By
producing a more correct checksum file it's much easier to use CLI tools
to validate that. The other benefit is that what gets voted on (the
official thing, not the maven bits) is the same as what gets published
to the download site because you just svn cp those to their end location.
--
Tim Bish
twitter: @tabish121
blog: http://timbish.blogspot.com/