Hi,

> My issue is really with the convenience binaries. Are reviewers really
> unzipping jar files to check the contents and checking the text in the
> pom files?

Well, I do that for most of the releases I review. Sadly, my experience is that it is not possible to automate. Dependencies have incorrect licensing; for instance, they claim MIT licensed but include GPL-licensed code.

> What format are the pypi RCs supposed to be in? Are we sure that the
> apache prefix appears in the target pypi project?

See https://incubator.apache.org/guides/distribution.html - again, this has existed for more than 5 years. However, PyPI is not an official release platform, so I assume not all incubating projects comply. If you find an issue, bring it up with the project, and I’m sure they will fix it.

> And the big binary tarballs that some teams ship, full of jars or
> other compiled components? Those can be a real time consumer to
> manually review.

From experience, automation can help, but not solve this issue.

Kind Regards,
Justin
