I followed these threads as they happened. I have not gone back and reviewed them, but my takeaway was this: a PMC cannot use the output of a tool to determine the correctness of a release package, because the determination of the correctness of LICENSE and NOTICE and the headers cannot be infallibly done by software.

Policy does not say that we cannot use a script to skip having to manually type all of what you would normally type on the command line to validate a release, and I don't recall anything in these long threads saying that either; in fact, my takeaway was that lots of folks were doing that and it was acceptable. If you have a specific post that shows how policy prevents that, please provide a link.

This script only downloads the artifacts, runs gpg to dump the sig and makes sure it matches, then dumps the RAT report and each NOTICE file to the console and asks you to decide on its correctness, then launches a build and any tests the build script runs. Could there be a bug in the script? Sure, but when checking manually I can also mis-type which NOTICE file I look at. And you are encouraged to examine the script itself if you are concerned about its correctness. And of course, you are not required to use the script.

If you have further concerns about the validity of scripts in the release checking process, I will post a [MENTOR] thread on private@ to try to get Dave Fisher's attention. At ApacheCon (which was before these long threads) we discussed use of scripts and he did not say they were not allowed, and even asked for a copy of the script I had at the time. I'd rather do that before going back to legal-discuss and waking up these threads again.

-Alex

On 6/17/14 2:10 AM, "Justin Mclean" <jus...@classsoftware.com> wrote:

> Hi,
>
>> Link to the discussion, please?
>
> Been several - they are quite long - the 3rd one is probably the most relevant.
> 1. http://mail-archives.apache.org/mod_mbox/www-legal-discuss/201405.mbox/%3cCAAS6=7jTVyaDhwepAqob-=83dxj-uams9gyg5j5xdhyybva...@mail.gmail.com%3e
> 2. http://mail-archives.apache.org/mod_mbox/www-legal-discuss/201405.mbox/%3cCAAS6=7hmsjj1atztoyee_qndppqvvsxmx58vwrcqug1po2o...@mail.gmail.com%3e
> 3. http://mail-archives.apache.org/mod_mbox/www-legal-discuss/201405.mbox/%3ccaofyjnaqacy-jxuesx-v0pnsicckfvo_xkdemo-n5nt7y_j...@mail.gmail.com%3e
>
> A release is "a legal act guarded by responsible oversight" [1] and automating that means we lose the oversight, and "until the policy is changed, PMCs and RMs are expected and *required* to comply." [2]. Worst case the board will do this [3].
>
> The scripts are certainly useful as a double check but IMO should not be used as the sole reason to vote +1. At the very least we need to have a discussion re this method of checking releases and a VOTE on it before introducing it. Given the legal ramifications (and our limited legal understanding) IMO we should err on the side of caution.
>
> Thanks,
> Justin
>
> 1. http://mail-archives.apache.org/mod_mbox/www-legal-discuss/201405.mbox/%3c6f8edb3f-12c5-4d0c-a379-e9ab4f99f...@jagunet.com%3e
> 2. http://mail-archives.apache.org/mod_mbox/www-legal-discuss/201405.mbox/%3c47681a1f-924f-496f-8209-46ef3edb7...@jagunet.com%3e
> 3. http://mail-archives.apache.org/mod_mbox/www-legal-discuss/201405.mbox/%3c80083be7-9f6c-43dc-a97f-9aed674c9...@jagunet.com%3e
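The split Alex describes, with the mechanical steps (checksum, detached signature) automated and the LICENSE/NOTICE verdict left to an explicit human answer, as an added illustration that is not Alex's script or any Apache project's code. It assumes gpg is installed with the signer's public key already imported; the artifact and .sha512 files it writes are constructed samples, not a real release.

```python
import hashlib
import os
import subprocess
import tempfile

def verify_sha512(artifact_path, sha_path):
    """Recompute SHA-512 and compare with the first token of the .sha512 file."""
    digest = hashlib.sha512()
    with open(artifact_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    with open(sha_path) as f:
        expected = f.read().split()[0].lower()
    return digest.hexdigest() == expected

def verify_gpg_signature(artifact_path, asc_path):
    """True only if 'gpg --verify' exits 0 (assumes gpg and the signer's key are present)."""
    cmd = ["gpg", "--batch", "--verify", asc_path, artifact_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def show_for_human_review(paths):
    """Dump each LICENSE/NOTICE file; the reviewer, not the script, decides correctness."""
    for path in paths:
        print(f"==== {path} ====")
        with open(path) as f:
            print(f.read())
    return input("Are LICENSE and NOTICE correct? [yes/no] ").strip().lower() == "yes"

def check_release(artifact, asc, sha, notice_files):
    """Mechanical checks are automatic; the human verdict is a separate field, never inferred."""
    report = {"sha512_ok": verify_sha512(artifact, sha),
              "signature_ok": verify_gpg_signature(artifact, asc)}
    report["notice_ok_per_reviewer"] = (show_for_human_review(notice_files)
                                        if all(report.values()) else None)
    return report

def write_constructed_sample():
    """Constructed sample (not a real release): artifact plus a good and a tampered .sha512."""
    d = tempfile.mkdtemp()
    artifact = os.path.join(d, "example-1.0-src.tar.gz")
    payload = b"constructed release payload\n"
    with open(artifact, "wb") as f:
        f.write(payload)
    paths = {"artifact": artifact, "sha_ok": artifact + ".sha512",
             "sha_bad": artifact + ".sha512.bad"}
    with open(paths["sha_ok"], "w") as f:
        f.write(hashlib.sha512(payload).hexdigest() + "  example-1.0-src.tar.gz\n")
    with open(paths["sha_bad"], "w") as f:
        f.write("0" * 128 + "  example-1.0-src.tar.gz\n")
    return paths
```

The report keeps the tool results and the reviewer's answer as separate fields, so a vote is never derived from the tool output alone.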