On 23/07/2019 15.23, Eric Barboni wrote:
Hi Daniel,
Thanks for the precision. But do we need vote for the conveniences that need
post release (installer, maven artefacts) ?
If it's not source code, you cannot reliably vote on anything.
Convenience binaries _may_ be added without a vote, but should have
various caveats appended to them. What we should be aiming for here is
reproducible builds...
The documentation on https://www.apache.org/foundation/voting.html say
release package,( sound like installer / maven artefacts can be considered as
release package).
And here https://www.apache.org/legal/release-policy.html source package +
compiled package but that's done alongside so it's not the case for us
(installer and maven artefacts).
What is our situation in regards to those pages?
Best Regards
Eric
-----Message d'origine-----
De : Daniel Gruno <[email protected]>
Envoyé : mardi 23 juillet 2019 14:23
À : [email protected]
Objet : Re: Convenience binary policy?
The 72h is an informal agreement. You _can_ bypass it if needed, but you would
have to explain your rationale to the board. It is *preferred* that 72h passes,
to allow for proper async decisions to take place.
Other than that, standard rules are:
- 3x+1 required
- more +1s than -1s, there are no vetoes allowed.
- -1's should be considered if accompanied with a technical reason, but are not
vetoes.
On 23/07/2019 14.05, Eric Barboni wrote:
Hi,
Asking for 3+1 binding is very near to a vote.
I would prefer voting to have something formal to every bits that go to dist
or repository.
I did not see a major difference full-on vote and 3+1 requirement. Maybe the
72h hour delay ?
I feel better to wait the 72h that allow PMC with different time constraint
to check.
I hope that for next round 11.2 maven artefacts can be part of conveniences for no more bothering for this particular case.
Regards
Eric
-----Message d'origine-----
De : Neil C Smith <[email protected]>
Envoyé : mardi 23 juillet 2019 11:00
À : dev <[email protected]>
Objet : Convenience binary policy?
Hi All,
OK, starting a discussion thread, as we seem to have two quite different
threads ongoing about installers and Maven artefacts for 11.1, and I'd quite
like to see the completion of the binaries aspect of the release!
The release vote was on the sources. Some binaries were linked from that vote
thread, and were checked by some, but are not strictly part of that process.
And it's likely in future we'll have convenience binaries made after a release
vote for a variety of reasons. We don't need to have a vote on convenience
binaries (from an ASF point of view, as far as I'm aware).
Eric made the point that "Not voting means we can put binaries/artefacts without
control of PMC I find this path dangerous."
I personally agree that some oversight across the PMC is a good idea,
although I don't think it requires a full-on vote.
We need to have a process that ensures we meet our PMC obligations at
http://www.apache.org/legal/release-policy.html#what-must-every-release-contain
"Note that the PMC is responsible for all artifacts in their distribution directory,
which is a subdirectory of www.apache.org/dist/ ; and all artifacts placed in their
directory must be signed by a committer, preferably by a PMC member. It is also necessary
for the PMC to ensure that the source package is sufficient to build any binary artifacts
associated with the release."
In one respect, I think that anyone that is trusted to be on the PMC should be
trusted to act correctly on behalf of the PMC! However, a little extra
oversight might not be a bad thing, which is why I'd suggested beforehand to
Reema to start a thread about the installers to get 3 +1s from other PMC
members to verify keys, checksums, locations, functionality. It's quicker and
less formal than a vote, but does involve at least 4 PMC members, which feels
like oversight enough personally.
So, thoughts? Do we do this, or do we let any PMC member just get on with
binary releases, or do we require a full on vote?
There's also probably a separate question around clarifying requirements on
externally distributed convenience binaries and use of the Apache NetBeans name
too.
Thanks and best wishes,
Neil
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
