On 16 September 2014 20:12, Oleg Kalnichevski <[email protected]> wrote:
> On 16/09/14 17:13 , sebb wrote:
>>
>> On 16 September 2014 15:15, Oleg Kalnichevski <[email protected]> wrote:
>>>
>>> On Tue, 2014-09-09 at 14:22 +0200, Oleg Kalnichevski wrote:
>>>>
>>>> Sebastian et al
>>>>
>>>> I would like to cut HC 4.4b1 releases soon.
>>>>
>>>> Could you please find a few minutes to review the latest snapshots with
>>>> regards to legal compliance?
>>>>
>>>> This would also be the right time to discuss and if necessary revise our
>>>> release process.
>>>>
>>
>> IMO the release vote e-mail must include everything needed to perform
>> a check of the tarballs.
>> It should be possible for an outsider to perform the audit directly
>> from the provided info.
>> This means links to KEYS,
>
>
> What should be considered the master copy of KEYS file?

I would choose the one that is published to downloaders, i.e. from
www.apache.org/dist

>> source repo tag (with unique id), link to
>>
>> Clirr and Rat report.
>>
>
> Where should these reports be stored?

Does not matter so long as they are accessible.
Could be your personal people login.
I don't think these need to be kept after the vote finishes, but they
are necessary for the audit.

>> Also it should be possible to trace the provenance of the published
>> tarballs back to the vote e-mail.
>> This means that it should be possible to compare a published tarball
>> against the one in the vote e-mail.
>> The e-mail can contain hashes of the tarballs.
>
>
> This can be done.
>
> Oleg
>
>> If the RC tarballs are published via the dist/dev repo, then the URL
>> and revision should be enough to identify them.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
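
Added example, not part of the original thread or of the project's release tooling: a sketch of the audit step discussed above, comparing published tarballs against hashes carried in the vote e-mail. The use of SHA-256, the `<hash>  <file name>` line format, and all file names and contents are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed vote e-mail convention (not from the thread): one
# "<sha256-hex>  <file name>" line per tarball, possibly ">"-quoted.
HASH_LINE = re.compile(r"^\s*(?:>\s*)*([0-9a-fA-F]{64})\s+\*?([\w.+-]+)\s*$")

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def hashes_from_vote_email(body: str) -> dict[str, str]:
    """Return {file name: sha256} for every hash line in the e-mail body."""
    voted = {}
    for line in body.splitlines():
        m = HASH_LINE.match(line)
        if m and voted.setdefault(m.group(2), m.group(1).lower()) != m.group(1).lower():
            raise ValueError(f"conflicting hashes for {m.group(2)}")
    return voted

def audit_published(dist_dir: Path, voted: dict[str, str]) -> dict[str, str]:
    """Status per file: match, mismatch, not-published (voted on but absent)
    or not-voted (published without ever appearing in the vote e-mail)."""
    report = {}
    for name, expected in voted.items():
        path = dist_dir / name
        if not path.is_file():
            report[name] = "not-published"
        else:
            report[name] = "match" if sha256_file(path) == expected else "mismatch"
    for path in dist_dir.iterdir():
        # Detached signatures (.asc) are checked against KEYS, not hashed here.
        if path.is_file() and path.name not in voted and path.suffix != ".asc":
            report[path.name] = "not-voted"
    return report

def demo() -> dict[str, str]:
    """Constructed data: two voted tarballs, one altered after the vote."""
    with tempfile.TemporaryDirectory() as tmp:
        dist = Path(tmp)
        (dist / "rc-src.tar.gz").write_bytes(b"source tarball as voted")
        (dist / "rc-bin.tar.gz").write_bytes(b"binary tarball as voted")
        email = "\n".join(f"> {sha256_file(p)}  {p.name}" for p in sorted(dist.iterdir()))
        (dist / "rc-bin.tar.gz").write_bytes(b"rebuilt after the vote")
        (dist / "extra.tar.gz").write_bytes(b"published but never voted on")
        return audit_published(dist, hashes_from_vote_email(email))

if __name__ == "__main__": print(demo())
```

A hash match only ties the published file to the vote e-mail; the signature check against the KEYS file remains a separate step.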
