Hey Vladimir! Thanks for the review! I will address remarks inline.

On Mon, Jul 3, 2023 at 1:13 PM Vladimir Sitnikov <sitnikov.vladi...@gmail.com> wrote:

> I have downloaded the release artifact apache-log4j-tools-0.4.0.zip, and I
> fail to find the source package there.
> Would you please advise?

You are right. It was a mistake (code typo) on my side. I will cancel the vote and start a new one.

> > I simplified the VOTE email to *only* include details necessary for an
> > ASF-compliant release.
>
> It is unfair to omit the link to the published binary/bytecode packages.
> For instance, if the version in the Maven publication was different from 0.4.0,
> then it would violate the ASF policy.
>
> The ASF policy does impose several MUST requirements on the released
> binary/bytecode packages, see
> https://www.apache.org/legal/release-policy.html#compiled-packages
>
> > the binary/bytecode package MUST have the same version number as the source release
> > and MUST only add binary/bytecode files that are the result of compiling that version of
> > the source code release and its dependencies.

I did not omit the link to "the distribution", it is there in the VOTE email: https://dist.apache.org/repos/dist/dev/logging/log4j

The version number matches the one cited in the VOTE email title (yup, there was a typo in the email body) and the source code referenced by the commit ID shared.

> > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
>
> Could you please clarify who owns and controls the key?

See INFRA-23996 for details. There you can find a reference to the approval of Mark J. Cox, the VP of Security, on the employed technique.

> > This is a lazy vote to release
>
> Could you please clarify what you mean by "This is a lazy vote to release"?
> The only thing coming to my mind is "lazy consensus", however I do not
> think lazy consensus can be used for release voting.
> The ASF policy requires that every time a member of PMC votes, they are
> REQUIRED to download all signed code onto their hardware and verify it:
> https://www.apache.org/legal/release-policy.html#release-approval
>
> Could you please clarify the meaning of "lazy" in both mail text and the subject?

Apache Log4j Tools is an internal project used by Apache Logging Services to support Apache Log4j infrastructure and it is not intended for public consumption. This is made clear in its documentation too. If you still think this is an issue, let me know, we can discuss this further in `members@`.