> On Nov 15, 2018, at 2:41 AM, Bertrand Delacretaz <bdelacre...@codeconsult.ch>
> wrote:
>
>
> I see this as a two-level thing:
>
> a) The source release is an Act of the Foundation, it is what the
> foundation produces
>
> b) For the binaries, the PMC states that it thinks they are good and
> declares that the published digests and signatures are the correct
> ones. The Foundation does not state anything about them - use at your
> own risk but in practice that risk is very low if the PMC members
> collectively recommend using them.
>
> That's not very different from what other open source projects do - we
> need a) for our legal shield but b) is exactly like random open source
> projects operate.
>
> You have to trust an open source project when you use their binaries,
> and you can use digests and signatures to verify that those binaries
> are the same that everyone else uses - I don't think anyone provides
> more guarantees than that, except when you pay for someone to state
> that those binaries are good.
>
> If people agree with this view we might need to explain this better,
> "unofficial" does not mean much, this two-level view might be more
> useful.
Agree 100%. Thx for very clearly and accurately describing all this.
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
