Hi,

> I followed these threads as they happened. I have not gone back and
> reviewed them, but my takeaway was this: A PMC cannot use the output
> of a tool to determine the correctness of a release package because the
> determination of the correctness of LICENSE and NOTICE and the headers
> cannot be infallibly done by software.

That's my meaning as well. Of course you don't have to manually type everything, but the file headers, LICENSE and NOTICE need to be checked manually, not via a script. Also, each PMC member should be free to check the release however they want; IMO multiple methods == more chance an error is caught.

So you would agree that in this case Peter's vote is invalid, as he only ran the script and pasted the output of that into the vote? Sorry Peter, I don't mean to single you out, but it does illustrate the danger of using a script to validate releases. Tools like your script and rat help with validating releases but are not a replacement for manual checks. I think your script is useful and helpful, but it can't be the sole reason for voting +1.

> This script only downloads the artifacts, runs gpg to dump the sig and
> makes sure it matches, then dumps the rat report and each notice file to
> the console and asks you to decide on its correctness

IMO that's a little misleading, as you need to look at the source (and perhaps the source of dependencies) in conjunction with NOTICE/LICENSE to see if they are correct. IMO the script should ask you to manually check the headers, LICENSE and NOTICE and not prompt you for a y/n. There's too much temptation to say it all looks good and just hit "Y".

> I will post a [MENTOR] thread on private@ to try to get Dave Fisher's
> attention.

Feel free, but I don't think that requires mentor attention; we as a PMC should be able to sort this out. At the very least this should have been discussed (and perhaps VOTEd on) before being implemented in 2 releases.

Thanks,
Justin