My issue is not really about the source release: there is some tooling, and typically the review checks are to be done at vote time. Here is a check that might be useful to automate and that can't be properly done without it: does the source code in the tarball match what is announced as the git commit? If there is a pre-existing tool that does that check, I'd love to use it.
My issue is really with the convenience binaries. Are reviewers really unzipping jar files to check the contents and checking the text in the pom files? What format are the PyPI RCs supposed to be in? Are we sure that the apache prefix appears in the target PyPI project? And the big binary tarballs that some teams ship, full of jars or other compiled components? Those can be very time-consuming to review manually. Some reviewers do these convenience binary checks, and maybe it's my bad luck when trying to check on votes, but I see a lot of issues when I review convenience binaries.

On Sat, 22 Nov 2025 at 14:49, tison <[email protected]> wrote:
>
> > a mention of a GPL license can be fine
>
> Typically, you'd end up with an allow list, like [1][2]
>
> [1]
> https://github.com/apache/flink/blob/d0c9ed9ff47cd0f0fae62958521a0b18e5cd9bf3/tools/ci/flink-ci-tools/src/main/java/org/apache/flink/tools/ci/licensecheck/JarFileChecker.java#L194-L260
> [2]
> https://github.com/apache/opendal/blob/c35da0d92442756d5742eaf70a2259dd23621b53/deny.toml#L28-L48
>
> Best,
> tison.
>
> On Sat, 22 Nov 2025 at 21:44, <[email protected]> wrote:
> >
> > Hi,
> >
> > One extra point that is worth mentioning. On several occasions, I've seen
> > automation give a false sense of security. A tool reports everything as
> > clean, and people assume the release is fine when it is not. It's only when
> > humans look deeper that a serious issue is discovered. For example, a
> > mention of a GPL license can be fine, depending on the context, and
> > automation is unlikely to detect it.
> >
> > Kind Regards.
> >
> > Justin
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
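The "does the tarball match the announced commit" check asked about above, as an added example that is not part of this thread and not an ASF or project tool. It assumes the reviewer has already exported the announced commit into a directory (for instance with `git archive --format=tar <commit> | tar -x -C /tmp/tree`, or a clean `git checkout <commit>`) and then compares the regular files in the release tarball against that tree by content hash, reporting files only in the tarball, files only in the tree, and files whose contents differ. The `demo()` fixture, the `demo-1.0.0` prefix and the `DEPENDENCIES` file name are constructed for illustration.

```python
"""Compare a source release tarball against an exported git tree.

Added example, not an ASF or project tool. Assumed workflow: export the
announced commit into a directory first, e.g.
    git archive --format=tar <commit> | tar -x -C /tmp/tree
then run:  python check_src_tarball.py foo-1.2.3-src.tar.gz /tmp/tree
Only regular files are compared; directories, symlinks and tar metadata
(mode, mtime, owner) are ignored, so a clean report is necessary, not
sufficient, and the lists it prints are for a human to judge.
"""
import hashlib
import io
import os
import sys
import tarfile
import tempfile


def _digest(fobj) -> str:
    """sha256 of a readable binary file object, streamed in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def tarball_digests(path: str, strip_components: int = 1) -> dict:
    """Map member path -> sha256, dropping the leading `name-version/` prefix."""
    digests = {}
    with tarfile.open(path, "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = [p for p in member.name.split("/") if p not in ("", ".")]
            rel = "/".join(parts[strip_components:])
            if not rel:  # entry is shallower than the prefix we strip
                continue
            digests[rel] = _digest(tf.extractfile(member))
    return digests


def tree_digests(root: str, skip_dirs=(".git",)) -> dict:
    """Map path relative to root -> sha256 for every regular file under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                digests[rel] = _digest(f)
    return digests


def compare(tarball: str, tree: str) -> dict:
    """Return the three ways the two file sets can disagree, each sorted."""
    a, b = tarball_digests(tarball), tree_digests(tree)
    return {
        "only_in_tarball": sorted(set(a) - set(b)),
        "only_in_tree": sorted(set(b) - set(a)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def is_clean(report: dict) -> bool:
    return not any(report.values())


def demo() -> dict:
    """Constructed fixture: a tree and a tarball that disagree in three ways."""
    work = tempfile.mkdtemp()
    tree = os.path.join(work, "tree")
    files = {
        "README.md": b"# demo\n",
        "src/main.c": b"int main(void) { return 0; }\n",
        ".gitignore": b"build/\n",
        ".git/HEAD": b"ref: refs/heads/main\n",  # checkout metadata, skipped
    }
    for rel, data in files.items():
        full = os.path.join(tree, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    tar_path = os.path.join(work, "demo-1.0.0-src.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tf:
        def add(rel, data):
            info = tarfile.TarInfo("demo-1.0.0/" + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add("README.md", b"# demo (edited after tagging)\n")  # modified
        add("src/main.c", files["src/main.c"])                # unchanged
        add("DEPENDENCIES", b"generated at release time\n")    # only in tarball
        # .gitignore deliberately absent from the tarball: only in tree
    return compare(tar_path, tree)


if __name__ == "__main__":
    report = compare(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for key, paths in report.items():
        for p in paths:
            print(f"{key}: {p}")
    sys.exit(0 if is_clean(report) else 1)
```

Run with no arguments it prints the constructed demo's three findings and exits 1; with a tarball and a tree it does the real comparison. The `.git` skip exists only for the `git checkout` variant of the workflow; `git archive` output has no `.git`. Files the release process legitimately adds or drops (a generated `DEPENDENCIES`, a `.gitignore` excluded by `.gitattributes export-ignore`) will show up in the lists on purpose: the script makes the differences visible rather than deciding which ones are acceptable, which is the part that still needs a human.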
