On 14 August 2013 21:21, Dennis Lundberg <denn...@apache.org> wrote:
> On Wed, Aug 14, 2013 at 10:47 AM, sebb <seb...@gmail.com> wrote:
>
>> On 13 August 2013 18:58, Dennis Lundberg <denn...@apache.org> wrote:
>> > On Tue, Aug 13, 2013 at 12:30 AM, sebb <seb...@gmail.com> wrote:
>> >> On 12 August 2013 20:10, Jason van Zyl <ja...@tesla.io> wrote:
>> >>>
>> >>>>>
>> >>>>> I have now read the threads that are referring to, and have not found
>> >>>>> a single link to any ASF rule stating that we need to include these
>> >>>>> things in a VOTE thread.
>> >>>>
>> >>>> So how do you propose that reviewers check the provenance of the files
>> >>>> in the source release?
>> >>>
>> >>> Are you looking for files that are in a distribution that didn't come
>> >>> from source control? Everything else as far as provenance goes is covered.
>> >>> Errant content is a potential problem, but everything in a distribution
>> >>> should come from source control which no one has access to until they have
>> >>> a signed CLA on file.
>> >>
>> >> Yes. That is where the whole saga started.
>> >>
>> >> Proving provenance is why the SCM coordinates are needed for the vote.
>> >>
>> >> The SCM details may also be useful to discover files accidentally
>> >> omitted from the source archive.
>> >
>> > You want to compare the contents of the *-source-release.zip with
>> > something from SCM, to make sure nothing bad has crept into the source
>> > bundle. So you need to know where in SCM you can find it. Have I
>> > understood you correctly?
>>
>> It's vital to be able to link the files in the source release
>> archive(s) to their origin in SCM.
>>
>> The provenance of any source files the ASF releases must be clearly
>> traceable.
>>
>
> This information is clearly traceable and available to anyone who wants to
> review a release made by the Maven project. Our process uses the Release
> Plugin, which will put the POM from the SCM tag in the staging directory
> along with the source-release.zip. In that POM you will find the URL to the
> original sources in SCM.
>

As has already been pointed out, SVN tags are not immutable, so the tag name alone is not sufficient.

>
>> >>> Thanks,
>> >>>
>> >>> Jason
>> >>>
>> >>> ----------------------------------------------------------
>> >>> Jason van Zyl
>> >>> Founder, Apache Maven
>> >>> http://twitter.com/jvanzyl
>> >>> ---------------------------------------------------------
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> >> For additional commands, e-mail: dev-h...@maven.apache.org
>> >
>> > --
>> > Dennis Lundberg
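One way to carry out the check the thread is arguing about, comparing the files in a *-source-release.zip against the tree they are supposed to come from in SCM, as an added example that is not the Maven project's own tooling. It assumes the SCM side has already been exported to a directory from the tag pinned to a specific revision (for example with `svn export URL@REV`), since, as noted above, the tag name alone is not sufficient; the file names and contents in `demo()` are constructed sample data.

```python
import hashlib, os, tempfile, zipfile

def hash_tree(root):
    """Map relative path -> SHA-256 for every file under an SCM export directory."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def hash_zip(path):
    """Same map for a source-release.zip. The archive wraps everything in a
    top-level artifactId-version/ directory, so strip one leading path component."""
    digests = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            rel = info.filename.split("/", 1)[1] if "/" in info.filename else info.filename
            digests[rel] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_release(scm_dir, zip_path):
    """Report files omitted from the archive, errant files not in SCM, and content that differs."""
    scm, rel = hash_tree(scm_dir), hash_zip(zip_path)
    return {
        "missing_from_archive": sorted(set(scm) - set(rel)),
        "not_in_scm": sorted(set(rel) - set(scm)),
        "modified": sorted(p for p in scm.keys() & rel.keys() if scm[p] != rel[p]),
    }

def demo():
    """Constructed sample data: a fake pinned SCM export and a fake release archive."""
    with tempfile.TemporaryDirectory() as tmp:
        scm = os.path.join(tmp, "scm")  # stands in for `svn export URL@REV` output
        os.makedirs(os.path.join(scm, "src"))
        for name, body in {"pom.xml": b"<project/>", "src/A.java": b"class A{}", "NOTICE": b"n"}.items():
            with open(os.path.join(scm, name), "wb") as fh:
                fh.write(body)
        zpath = os.path.join(tmp, "foo-1.0-source-release.zip")
        with zipfile.ZipFile(zpath, "w") as zf:
            zf.writestr("foo-1.0/pom.xml", b"<project/>")
            zf.writestr("foo-1.0/src/A.java", b"class A{ /* changed */ }")  # differs from SCM
            zf.writestr("foo-1.0/extra.jar", b"\x00binary")  # not in SCM; NOTICE is omitted
        return compare_release(scm, zpath)
```

Any non-empty list in the result is something a release reviewer should be able to explain before voting; a clean comparison still only proves the archive matches the pinned revision, not the tag name.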