On 15 August 2013 10:51, "Jörg Schaible" <joerg.schai...@scalaris.com> wrote:
>
> Hi Oliver,
>
> Olivier Lamy wrote:
>
> > On 15 August 2013 08:53, sebb <seb...@gmail.com> wrote:
> >> On 14 August 2013 21:21, Dennis Lundberg <denn...@apache.org> wrote:
> >>> On Wed, Aug 14, 2013 at 10:47 AM, sebb <seb...@gmail.com> wrote:
> >>>
> >>>> On 13 August 2013 18:58, Dennis Lundberg <denn...@apache.org> wrote:
> >>>> > On Tue, Aug 13, 2013 at 12:30 AM, sebb <seb...@gmail.com> wrote:
> >>>> >> On 12 August 2013 20:10, Jason van Zyl <ja...@tesla.io> wrote:
> >>>> >>>
> >>>> >>>>>
> >>>> >>>>> I have now read the threads that are referring to, and have not
> >>>> >>>>> found a single link to any ASF rule stating that we need to
> >>>> >>>>> include these things in a VOTE thread.
> >>>> >>>>
> >>>> >>>> So how do you propose that reviewers check the provenance of the
> >>>> >>>> files in the source release?
> >>>> >>>
> >>>> >>> Are you looking for files that are in a distribution that didn't
> >>>> >>> come
> >>>> from source control? Everything else as far as provenance goes is
> >>>> covered. Errant content is a potential problem, but everything in a
> >>>> distribution should come from source control which no one has access to
> >>>> until they have a signed CLA on file.
> >>>> >>
> >>>> >> Yes. That is where the whole saga started.
> >>>> >>
> >>>> >> Proving provenance is why the SCM coordinates are needed for the
> >>>> >> vote.
> >>>> >>
> >>>> >> The SCM details may also be useful to discover files accidentally
> >>>> >> omitted from the source archive.
> >>>> >
> >>>> > You want to compare the contents of the *-source-release.zip with
> >>>> > something from SCM, to make sure nothing bad has crept into the source
> >>>> > bundle. So you need to know where in SCM you can find it. Have I
> >>>> > understood you correctly?
> >>>>
> >>>> It's vital to be able to link the files in the source release
> >>>> archive(s) to their origin in SCM.
> >>>>
> >>>> The provenance of any source files the ASF releases must be clearly
> >>>> traceable.
> >>>>
> >>>
> >>> This information is clearly traceable and available to anyone who wants
> >>> to review a release made by the Maven project. Our process uses the
> >>> Release Plugin, which will put the POM from the SCM tag in the staging
> >>> directory along with the source-release.zip. In that POM you will find
> >>> the URL to the original sources in SCM.
> >>>
> >>
> >> As has already been pointed out, SVN tags are not immutable, so the
> >> tag name alone is not sufficient.
> >
> > I think Stephen perfectly sums up the situation.
> > If you're not happy, follow that.
> >
> > But please STOP the troll!
>
> The Maven PMC has made clear that it knows about the problems and wants to
> ignore them. However, please understand that Sebb is playing devil's advocate
> here, because the same release process is used for other Apache projects
> where the PMCs will *not* ignore these flaws. Sebb is more or less pestering
> you, because he is tired of having the same discussions in projects where he
> *is* PMC and is therefore responsible for the release. So, it is a bit
> short-sighted to declare him a troll, simply because you (the Maven PMC)
> decided to ignore the problem.

Having followed all the debates, I think it's certainly wrong to state the problem has been "ignored". There were actually *many* answers, and it has merely been disagreed on. I've personally already expressed my take on it:

* I basically don't really mind
* adding this information would be nothing (a few seconds of work) compared to the weight of always re-reading the same mails here :)

Cheers