On 14 August 2013 10:23, Stephen Connolly <steph...@apache.org> wrote:
> On 14 August 2013 09:47, sebb <seb...@gmail.com> wrote:
>
>> On 13 August 2013 18:58, Dennis Lundberg <denn...@apache.org> wrote:
>> > On Tue, Aug 13, 2013 at 12:30 AM, sebb <seb...@gmail.com> wrote:
>> >> On 12 August 2013 20:10, Jason van Zyl <ja...@tesla.io> wrote:
>> >>>
>> >>>>>
>> >>>>> I have now read the threads that are referring to, and have not found
>> >>>>> a single link to any ASF rule stating that we need to include these
>> >>>>> things in a VOTE thread.
>> >>>>
>> >>>> So how do you propose that reviewers check the provenance of the files
>> >>>> in the source release?
>> >>>
>> >>> Are you looking for files that are in a distribution that didn't come
>> >>> from source control? Everything else as far as provenance goes is covered.
>> >>> Errant content is a potential problem, but everything in a distribution
>> >>> should come from source control which no one has access to until they have
>> >>> a signed CLA on file.
>> >>
>> >> Yes. That is where the whole saga started.
>> >>
>> >> Proving provenance is why the SCM coordinates are needed for the vote.
>> >>
>> >> The SCM details may also be useful to discover files accidentally
>> >> omitted from the source archive.
>> >
>> > You want to compare the contents of the *-source-release.zip with
>> > something from SCM, to make sure nothing bad has crept into the source
>> > bundle. So you need to know where in SCM you can find it. Have I
>> > understood you correctly?
>>
>> It's vital to be able to link the files in the source release
>> archive(s) to their origin in SCM.
>>
>
> Simply not true. It is a nice convenience for somebody tracing the
> provenance of files in a source release, but it is by no means vital.
>

What other means do you suggest then?

>
>>
>> The provenance of any source files the ASF releases must be clearly
>> traceable.
>>
>
> Being able to link the files in the source release archive(s) to their
> origin in SCM is certainly one way to make the provenance of source files
> the ASF releases easily traceable, but there is *no* foundation requirement
> for such.

Is there any other way to check provenance?

> As I understand it, we *could*, as a project, decide to abandon SCM
> entirely for some specific module - something I would be strongly against -
> and we would be within our rights to do so.
>
> All that the foundation requires is that the PMC have verified the
> provenance of the files in the source releases they vote on.

Which is not currently possible with the information provided in the
vote e-mail.

> If you feel that individual members of the PMC are voting without having
> taken their required due diligence into account then I suggest you take
> that up with those individual members.

I just want to make sure that the reviewers have the information they
need to be able to do the due diligence.
At present that is not possible from the information provided in the
vote e-mails.

> -Stephen
>
>
>>
>> >>> Thanks,
>> >>>
>> >>> Jason
>> >>>
>> >>> ----------------------------------------------------------
>> >>> Jason van Zyl
>> >>> Founder,  Apache Maven
>> >>> http://twitter.com/jvanzyl
>> >>> ---------------------------------------------------------
>> >>>
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> >> For additional commands, e-mail: dev-h...@maven.apache.org
>> >>
>> >
>> > --
>> > Dennis Lundberg
>> >
>> >
>>
>>
>>

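As an added illustration of the check discussed in this thread (comparing the unpacked *-source-release.zip with an export of the SCM tag so that errant or omitted files stand out), the following POSIX shell script is not part of the thread or of the Maven project. It assumes the archive has already been unpacked into one directory and the tag exported (e.g. with `git archive` or `svn export`) into another, and that `sha256sum`, `comm` and `awk` are available.

```shell
#!/bin/sh
# Added example, not from the thread: report differences between an unpacked
# source-release archive and an SCM export of the release tag.

hash_tree() {
  # One "path<TAB>sha256" line per regular file under $1, VCS metadata excluded,
  # sorted bytewise by path so the lists can be fed to comm(1).
  ( cd "$1" && find . -type f ! -path './.git/*' ! -path './.svn/*' |
    while IFS= read -r f; do
      printf '%s\t%s\n' "${f#./}" "$(sha256sum "$f" | cut -d' ' -f1)"
    done ) | LC_ALL=C sort
}

compare_release_to_scm() {
  # $1: unpacked *-source-release.zip; $2: SCM export at the release tag.
  # Prints one line per discrepancy; returns 0 only when the trees match.
  tmp=$(mktemp -d)
  hash_tree "$1" > "$tmp/archive"
  hash_tree "$2" > "$tmp/scm"
  cut -f1 "$tmp/archive" > "$tmp/archive.paths"
  cut -f1 "$tmp/scm" > "$tmp/scm.paths"
  {
    # Files that did not come from SCM at all: the "errant content" a reviewer
    # must be able to explain before voting.
    comm -23 "$tmp/archive.paths" "$tmp/scm.paths" | awk '{print "ONLY_IN_ARCHIVE\t" $0}'
    # Files in SCM but missing from the bundle: accidental omissions.
    comm -13 "$tmp/archive.paths" "$tmp/scm.paths" | awk '{print "ONLY_IN_SCM\t" $0}'
    # Same path in both trees but different content.
    comm -23 "$tmp/archive" "$tmp/scm" | cut -f1 |
      comm -12 - "$tmp/scm.paths" | awk '{print "MODIFIED\t" $0}'
  } > "$tmp/report"
  cat "$tmp/report"
  n=$(wc -l < "$tmp/report" | tr -d ' ')
  rm -rf "$tmp"
  [ "$n" -eq 0 ]
}
```

Anything reported as ONLY_IN_ARCHIVE or MODIFIED has no SCM origin and is exactly what the SCM coordinates in a vote e-mail let a reviewer find.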
