On 6/17/14 10:29 AM, "Justin Mclean" <jus...@classsoftware.com> wrote:
>Hi,
>
>> I followed these threads as they happened. I have not gone back and
>> reviewed them, but my takeaway was this: A PMC cannot use the output
>> of a tool to determine the correctness of a release package because the
>> determination of the correctness of LICENSE and NOTICE and the headers
>> cannot be infallibly done by software.
>
>That's my meaning as well. Of course you don't have to manually type
>everything, but the file headers, LICENSE and NOTICE need to be checked
>manually, not via a script. Also each PMC member should be free to check
>the release how they want; IMO multiple methods == more chance an error
>is caught.
>
>So you would agree that in this case Peter's vote is invalid as he only
>ran the script and pasted the output of that into the vote? Sorry Peter,
>I don't mean to single you out, but it does illustrate the danger of
>using a script to validate releases.

No, the script stops and asks him to read the text of the notice files. Which he did.

>
>Tools like your script and rat help with validating releases but are not a
>replacement for manual checks. I think your script is useful and helpful
>but it can't be the sole reason for voting +1.

Hmm. What step from policy is not in the script? It is the steps I perform when I vote.

>
>> This script only downloads the artifacts, runs gpg to dump the sig and
>> makes sure it matches, then dumps the rat report and each notice file to
>> the console and asks you to decide on its correctness
>
>IMO that's a little misleading, as you need to look at the source (and
>perhaps the source of dependencies) in conjunction with NOTICE/LICENSE to
>see if they are correct.

What do you look for in the source and how do you do it? I run Rat, which the script does, and try to watch commits@, but I don't read every source file before voting. I don't see that mandated by policy either.

>
>IMO the script should ask you to manually check the headers, LICENSE and
>NOTICE and not prompt you for a y/n. There's too much temptation to say it
>all looks good and just to hit "Y".

It does ask you to check what was dumped to the console and even offers reminders of what to look for. I don't see how that is any more error prone than bringing up the file in an editor. I can skim the file in an editor just as easily.

>
>> I will post a [MENTOR] thread on private@ to try to get Dave Fisher's
>> attention.
>
>Feel free, but I don't think that requires mentor attention; we as a PMC
>should be able to sort this out.
>
>At the very least this should have been discussed (and perhaps VOTEed on)
>before being implemented in 2 releases.

I don't think there is anything to discuss and vote on as long as it doesn't violate policy. Nobody has to use it. I'm just offering it up as a convenience.

-Alex