Adam R. B. Jack wrote:
One of the questions that haven't really been answered/resolved by the board (IIRC) is whether automated snapshots are considered releases.
This is really a big deal (for me & probably others).
NOTE: board hat off.
If a nightly build is a release, then it is a svn|cvs checkout and if you want the PMC to approve any checkout, we clearly kill our ability to scale.
I agree with Leo that the problem of jar distribution is absolutely not technical, it's legal and security. Gump executes code downloaded from repositories that the ASF doesn't consider legally trustful.
Say I was the author of a weird library that some weird commons code depended on: it is entirely possible to write a task in a build.xml file that recompiles a class in tomcat and opens a back door, and it might take a while to notice.
Releasing executable artifacts by gump will have my permanent -1 *FOREVER*. The way gump works is intrinsically unsafe, but this is not a problem if what gump is producing is "metadata" about code, not executable code directly.
As for making gump both a nightly build and a continuous integration system, I think projects should be allowed to specify their "preferred" checkout tag of any dependency, that would allow gump to be *way* more useful.
-- Stefano.