On 14/10/2013 07:45, Henri Yandell wrote:
> On Sun, Oct 13, 2013 at 9:12 PM, Phil Steitz <phil.ste...@gmail.com> wrote:
> 
>>
>>
>> Could be I am misunderstanding the proposal.  Do you mean a) RM is
>> not obligated to do anything but tag a release and create tarballs
>> or b) RM should just be trusted to "do the right thing" in getting
>> stuff published and other PMC members should review / help
>> with "post-release" stuff ad hoc?  Could be b) could work as long as
>> we collectively agree to keep an eye on things / review stuff
>> outside of RC votes.
>>
> 
> Officially, b).
> 
> But, I do think a) is a very interesting stance.

Sorry, I don't agree.

I think that we at Apache have also deep concerns about being sure what
is published really *is* what is on svn. Many people rely on us doing
the right thing.

We have all seen release candidates where some files are missing. Of
course this would not happen with a more automated and streamlined
process, but this is only technical.

In today's world, we also have to remain clear about pressure that could
be done on people to force them to surreptitiously introduce or remove
something in published code that is used throughout the world and that
does not publicly appear in SVN. Of course, this could also be spotted
afterwards and the people will immediately lose their karma.

I am a bit paranoid, I know, but I think voting on *signed* packages and
with a consistent web of trust across our GPG keys is a very important
part of the release process.

So the tag in source code revision system is a start point, it is not
the whole process. Having the community "keep an eye on things / review
stuff outside of RC votes" is really not sufficient for me.

best regards,
Luc

> 
> Let's say I think Lang 3.2 is ready and call a vote. Currently the
> community is going to vote -1 simply because I'm not interested in doing
> lots of bells and whistles.
> 
> However,
> 
> svn tag LANG_3.2 <url>
> 
> We're done. Release is done and the only step potentially missing is svn
> export, tar cf, put in a web directory for download. Now those who care
> about having a source tarball in some special place (it's not in svn
> somewhere right?) and all the other things can go do them. I know I've sat
> and kept JIRA's updated for projects who weren't doing so, why is a maven
> repo or whatever else any different?
> 
> I'm being extreme, but I think it's an interesting challenge for our
> 'everyone must meet this bar' approach. The more we raise the bar, the more
> star systems slip through our fingers. Erm. Something like that :)
> 
> Hen
> 

