Patrick Hunt wrote:
> Ah, thanks for clarifying that Doug. To take it a bit further, when you say "bug" you really mean "serious breach of Apache process/rules", would that be valid? i.e. it would be something that the responsible Apache team should work to address with highest of priority.
To some degree that depends on the Apache project. I don't know of a project that does not create release tags and that would accept an incorrect one lightly. That said, release tags are not required nor authoritative: the thing that counts is the signed artifact.
I'd certainly encourage developers to leverage tags when convenient e.g., for automated testing against and comparison with prior releases, for IDE source browsing, etc. But if someone wants to package an alternate distribution of an Apache release, I think they're better starting from the release artifact than the tag. The artifact can be validated against the signature at http://www.apache.org/dist/, while there's currently no good means of validating the contents of a tag. I suppose one could rebuild the tarball from the tag and try to validate its checksum against that at http://www.apache.org/dist/, but that seems both fragile and less secure.
Doug
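The validation Doug describes, checking the downloaded artifact against the published checksum and the detached signature rather than against a rebuilt tag, as an added example that is not part of this thread. It assumes the usual Apache dist layout (`<artifact>.asc` for the signature, `<artifact>.sha512` or `.sha256` for the digest) and a project `KEYS` file fetched from the dist area; the file names `apache-foo-1.0.tar.gz` and `KEYS` are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): verify a release artifact against the
# checksum and detached OpenPGP signature published beside it on the dist site.
# Assumed layout: <artifact>.sha512 (or .sha256) holding "HASH  filename", and
# <artifact>.asc holding the detached signature; KEYS is the project's key file.
set -u

# Compare the first digest in the checksum file with the artifact's own digest.
# Returns 0 on a match, 1 on mismatch, missing input, or an unknown digest size.
verify_checksum() {
  artifact=$1; sums=$2
  [ -f "$artifact" ] && [ -f "$sums" ] || return 1
  expected=$(awk '{print $1; exit}' "$sums")
  # choose the digest tool from the hex length: 64 = SHA-256, 128 = SHA-512
  case ${#expected} in
    64)  actual=$(sha256sum "$artifact" | awk '{print $1}') ;;
    128) actual=$(sha512sum "$artifact" | awk '{print $1}') ;;
    *)   return 1 ;;
  esac
  [ "$actual" = "$expected" ]
}

# Verify the detached signature using a throwaway keyring that contains only
# the keys from the project's KEYS file, so a signature made by an unrelated
# key in the user's default keyring cannot satisfy the check.
# Returns 0 for a good signature, 1 for a bad one, 2 if gpg is unavailable.
verify_signature() {
  artifact=$1; sig=$2; keys=$3
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
  tmp=$(mktemp -d)
  if ! gpg --batch --quiet --homedir "$tmp" --import "$keys" >/dev/null 2>&1; then
    rm -rf "$tmp"; return 1
  fi
  if gpg --batch --quiet --homedir "$tmp" --verify "$sig" "$artifact" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# Stand-alone usage: ./verify-release.sh apache-foo-1.0.tar.gz KEYS
if [ $# -eq 2 ]; then
  art=$1; keys=$2
  sums="$art.sha512"; [ -f "$sums" ] || sums="$art.sha256"
  if verify_checksum "$art" "$sums"; then echo "checksum: OK"; else echo "checksum: MISMATCH"; fi
  if verify_signature "$art" "$art.asc" "$keys"; then echo "signature: OK"; else echo "signature: FAILED"; fi
fi
```

Both checks operate on the exact bytes the release manager signed. A tarball regenerated from a tag will normally differ in archive metadata (file order, timestamps, compression output), so its digest will not match the published one even when the tree is identical, which is the fragility Doug mentions; and the tag itself carries no signature to compare against, so a mismatch cannot be attributed to either side.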