Thanks, that looks good. I'll have a detailed look later.

Is it possible to modify/delete a git tag?
If so, then the git hashes ought to be provided, as accidents can happen.
The mail archives should contain an immutable reference to the exact
code in the repo that was used to build the release.

On 20 February 2014 19:52, Michal Mocny <mmo...@chromium.org> wrote:
> Sebb, is this sufficient?  Or do we want a list of git hashes?
>
> http://git-wip-us.apache.org/repos/asf?p=cordova-android.git;a=shortlog;h=refs/tags/3.4.0
> http://git-wip-us.apache.org/repos/asf?p=cordova-ios.git;a=shortlog;h=refs/tags/3.4.0
> http://git-wip-us.apache.org/repos/asf?p=cordova-blackberry.git;a=shortlog;h=refs/tags/3.4.0
> http://git-wip-us.apache.org/repos/asf?p=cordova-windows.git;a=shortlog;h=refs/tags/3.4.0
> http://git-wip-us.apache.org/repos/asf?p=cordova-wp8.git;a=shortlog;h=refs/tags/3.4.0
> http://git-wip-us.apache.org/repos/asf?p=cordova-firefoxos.git;a=shortlog;h=refs/tags/3.4.0
> http://git-wip-us.apache.org/repos/asf?p=cordova-ubuntu.git;a=shortlog;h=refs/tags/3.4.0
> http://git-wip-us.apache.org/repos/asf?p=cordova-amazon-fireos.git;a=shortlog;h=refs/tags/3.4.0
> http://git-wip-us.apache.org/repos/asf?p=cordova-js.git;a=shortlog;h=refs/tags/3.4.0
> http://git-wip-us.apache.org/repos/asf?p=cordova-mobile-spec.git;a=shortlog;h=refs/tags/3.4.0
> http://git-wip-us.apache.org/repos/asf?p=cordova-app-hello-world.git;a=shortlog;h=refs/tags/3.4.0
> http://git-wip-us.apache.org/repos/asf?p=cordova-docs.git;a=shortlog;h=refs/tags/3.4.0
>
> http://git-wip-us.apache.org/repos/asf?p=cordova-cli.git;a=shortlog;h=refs/tags/3.4.0-0.1.0
>
>
> On Thu, Feb 20, 2014 at 2:28 PM, Joe Bowser <bows...@gmail.com> wrote:
>
>> On Thu, Feb 20, 2014 at 11:16 AM, Brian LeRoux <b...@brian.io> wrote:
>> > we should start a thread about coho. it kind of grew into a tool that I'm
>> > fairly certain only the googlers use and aligning our flows would be a
>> good
>> > thing.
>>
>> We're pretty much forced to use it to tag now, whether we like it or not.
>>
>> >
>> >
>> > On Thu, Feb 20, 2014 at 11:06 AM, Michal Mocny <mmo...@chromium.org>
>> wrote:
>> >
>> >> (I was wrong about firefoxos, it's just cli that's missing the tag)
>> >>
>> >>
>> >> On Thu, Feb 20, 2014 at 1:58 PM, Brian LeRoux <b...@brian.io> wrote:
>> >>
>> >> > C'mon Joe, it's our job to help him. You can take the high road and
>> then
>> >> > Sebb can start affording us the same courtesy.
>> >> >
>> >> >
>> >> > On Thu, Feb 20, 2014 at 10:16 AM, Joe Bowser <bows...@gmail.com>
>> wrote:
>> >> >
>> >> > > Seriously, you can't find that yourself? You clearly know nothing
>> >> > > about this project.
>> >> > >
>> >> > > On Thu, Feb 20, 2014 at 7:30 AM, sebb <seb...@gmail.com> wrote:
>> >> > > > On 20 February 2014 14:47, Andrew Grieve <agri...@chromium.org>
>> >> wrote:
>> >> > > >> SCM == ?
>> >> > > >
>> >> > > > Source Code / Software Configuration Management
>> >> > > >
>> >> > > >> Do you mean the git tags?
>> >> > > >> All of the repositories are tagged with the version number of the
>> >> > > release.
>> >> > > >> So, "3.4.0" is the tag.
>> >> > > >
>> >> > > > OK, so where are the repos then please?
>> >> > > > Also, if the tag is not immutable, it would help to have the hash.
>> >> > > >
>> >> > > >>
>> >> > > >> On Thu, Feb 20, 2014 at 9:02 AM, sebb <seb...@gmail.com> wrote:
>> >> > > >>
>> >> > > >>> On 18 February 2014 23:26, Steven Gill <stevengil...@gmail.com>
>> >> > wrote:
>> >> > > >>> > Please review and vote on the Cordova 3.4.0 release.
>> >> > > >>> >
>> >> > > >>> > You can find the sample release at
>> >> > http://people.apache.org/~steven/
>> >> > > >>>
>> >> > > >>> At the risk of being flamed, I am concerned that the VOTE mail
>> does
>> >> > > >>> not include a link to the SCM tag.
>> >> > > >>>
>> >> > > >>> Why is this important?
>> >> > > >>>
>> >> > > >>> The ASF releases source files which come with a LICENSE (and
>> >> NOTICE).
>> >> > > >>> It is vital that the release only contains files that are
>> permitted
>> >> > to
>> >> > > >>> be distributed, and we aren't accidentally including files that
>> >> > should
>> >> > > >>> not be distributed.
>> >> > > >>>
>> >> > > >>> Equally, it is important that the source release is not missing
>> any
>> >> > > >>> required files.
>> >> > > >>>
>> >> > > >>> The only practical way to check all the files is to compare the
>> >> > source
>> >> > > >>> archive against the tag(s) it is supposed to contain.
>> >> > > >>>
>> >> > > >>> In theory, an automated build process will ensure that the
>> archive
>> >> > > >>> only contains files from the tag, and does not omit any required
>> >> > files.
>> >> > > >>> However, in practice, the archives are built from workspaces
>> that
>> >> > > >>> contain other files (e.g. compilation output).
>> >> > > >>> I know of at least two projects which used standard automated
>> >> > > >>> procedures (Maven), yet their source releases contained files
>> that
>> >> > > >>> should not have been released.
>> >> > > >>>
>> >> > > >>> Should there be a complaint, it's important that the PMC can
>> show
>> >> > that
>> >> > > >>> due diligence was done in checking the source archive contents.
>> >> > > >>> This will be easier to prove if the VOTE thread contains
>> details of
>> >> > > >>> the SCM tags from which the archive was built.
>> >> > > >>>
>> >> > > >>> The SCM repo provides traceability of provenance.
>> >> > > >>>
>> >> > > >>> So please can someone provide the SCM tag(s) that were used to
>> >> create
>> >> > > >>> the source release?
>> >> > > >>>
>> >> > > >>> > Voting will go on for 24 hours.
>> >> > > >>> >
>> >> > > >>> > Cheers,
>> >> > > >>> >
>> >> > > >>> > -Steve
>> >> > > >>>
>> >> > >
>> >> >
>> >>
>>
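
The check this thread asks for, pinning a release tag to its commit hash and comparing the source archive against that commit, as an added shell example that is not part of the original messages or of Cordova's own tooling. The function names are illustrative, and the archive is assumed to be a `.tar.gz` with a single top-level directory.

```shell
#!/usr/bin/env bash
# Added example. Repo paths, tag names and archive names are supplied by the caller.

# Print the commit a tag resolves to (annotated tags are peeled to the commit).
tag_commit() {  # tag_commit <repo> <tag>
    git -C "$1" rev-parse --verify --quiet "refs/tags/$2^{commit}"
}

# Succeed only if the tag still points at the commit recorded earlier
# (for instance the hash quoted in a vote mail). Fails if the tag was
# moved or deleted in the meantime.
tag_unchanged() {  # tag_unchanged <repo> <tag> <recorded-commit>
    local now
    now=$(tag_commit "$1" "$2") || return 1
    [ "$now" = "$3" ]
}

# Compare a source archive with the tree at a commit. Prints one line per
# difference: "Only in rel: ..." is an extra file in the archive,
# "Only in scm: ..." is a file missing from the archive, and
# "Files ... differ" is changed content. Returns 0 when both are identical.
archive_vs_commit() {  # archive_vs_commit <repo> <commit> <archive.tar.gz>
    local tmp rc=0
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/scm" "$tmp/rel"
    {
        git -C "$1" archive "$2" | tar -xf - -C "$tmp/scm" &&
        tar -xzf "$3" -C "$tmp/rel" --strip-components=1 &&
        (cd "$tmp" && LC_ALL=C diff -rq scm rel)
    } || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Recording the output of `tag_commit` at vote time gives the immutable reference; `tag_unchanged` and `archive_vs_commit` can then be rerun later against that hash rather than the tag name.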
