On Mon, Oct 13, 2014 at 4:14 PM, Julian Hyde <julianh...@gmail.com> wrote:
>
> For many projects, especially "library" projects, the "convenient binaries" 
> that matter most these
> days are the jars (source, binary, and javadoc) that are deployed to the 
> maven repo...

> ...Are these jars subjected to due diligence during the release vote?...

In projects where I'm active there's reasonable due diligence as the
build processes are automated in a way that allows you to trust the
build if that's done by someone that you trust.

That being said, we don't make any guarantees about those jars, so in
the end users can either choose to trust the build and distribution
process, or build the required jars themselves from a trusted source.

In the case of Maven, the ASF doesn't control the distribution
process, so it's not a safe channel without signatures or trusted
digests, and I don't think Maven allows for those at the moment. So
even the best due diligence wouldn't really help for these binaries.

-Bertrand
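An added example (not from this thread or from any ASF project) of the "trusted digests" Bertrand describes: the jars arrive over an untrusted channel, so the only trust comes from a digest list obtained out of band, and a jar that is tampered with or simply not pinned is rejected. The artifact bytes, coordinates and digest list below are constructed for the example.

```python
"""Verify Maven artifacts against digests obtained from a trusted source.

The jars are fetched over an untrusted channel, so trust comes only from the
digest list, which must be obtained out of band (for example from a signed
release page), never from a .sha1 file sitting next to the jar in the same repo.
"""
import hashlib
import hmac

# Constructed sample jar contents; real artifacts would be read from disk.
ARTIFACTS = {
    "org.example:foo:1.0": b"PK\x03\x04 constructed jar bytes for foo 1.0",
    "org.example:bar:2.1": b"PK\x03\x04 constructed jar bytes for bar 2.1",
    "org.example:baz:0.9": b"PK\x03\x04 constructed jar bytes for baz 0.9",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Trusted digest list (constructed here; in practice published out of band).
# The pin for bar deliberately does not match, to simulate a tampered jar;
# baz has no pin at all.
TRUSTED_DIGESTS = {
    "org.example:foo:1.0": sha256_hex(ARTIFACTS["org.example:foo:1.0"]),
    "org.example:bar:2.1": "0" * 64,
}

def repo_path(coords: str) -> str:
    """Map Maven coordinates group:artifact:version to the repository path."""
    group, artifact, version = coords.split(":")
    return f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.jar"

def verify(coords: str, data: bytes, trusted: dict) -> str:
    """Return 'ok', 'mismatch' or 'unpinned'; only 'ok' means the jar may be used."""
    expected = trusted.get(coords)
    if expected is None:
        return "unpinned"
    actual = sha256_hex(data)
    # Constant-time comparison so a partial digest match leaks nothing.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def verify_all(artifacts: dict, trusted: dict) -> dict:
    """Verify every downloaded artifact and report a status per coordinate."""
    return {c: verify(c, d, trusted) for c, d in artifacts.items()}

if __name__ == "__main__":
    for coords, status in verify_all(ARTIFACTS, TRUSTED_DIGESTS).items():
        print(f"{status:9} {repo_path(coords)}")
```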
