On Sat, 22 Nov 2025 at 14:03, PJ Fanning <[email protected]> wrote: > > My issue is not really about the source release and there is some > tooling and typically the review checks are to be done at vote time. > Here is a check that might be useful to automate and that can't be > properly done without it - does the source code in the tarball match > what is announced as the git commit. If there is a pre-existing tool > that does that check, I'd love to use it.
I agree that this is vital, as the tarballs are generally created from whatever happens to be in the source directories. It's very easy for spurious files to be added to the tarball, e.g. files left over from testing. An exact match is not necessary, so long as every file in the source tarball can be derived from the source tag. I have used diff -r in the past, and some editors can show recursive directory differences. > My issue is really with the convenience binaries. Are reviewers really > unzipping jar files to check the contents and checking the text in the > pom files? > > What format are the pypi RCs supposed to be in? Are we sure that the > apache prefix appears in the target pypi project? > > And the big binary tarballs that some teams ship, full of jars or > other compiled components? Those can be a real time consumer to > manually review. > > Some reviewers do these convenience binary checks and maybe it's my > bad luck to try checking on votes but I see a lot of issues when I > review convenience binaries. > > > > On Sat, 22 Nov 2025 at 14:49, tison <[email protected]> wrote: > > > > > a mention of a GPL license can be fine > > > > Typically, you'd end up with an allow list, like [1][2] > > > > [1] > > https://github.com/apache/flink/blob/d0c9ed9ff47cd0f0fae62958521a0b18e5cd9bf3/tools/ci/flink-ci-tools/src/main/java/org/apache/flink/tools/ci/licensecheck/JarFileChecker.java#L194-L260 > > [2] > > https://github.com/apache/opendal/blob/c35da0d92442756d5742eaf70a2259dd23621b53/deny.toml#L28-L48 > > > > Best, > > tison. > > > > <[email protected]> 于2025年11月22日周六 21:44写道: > > > > > > Hi, > > > > > > One extra point that is worth mentioning. On several occasions, I’ve seen > > > automation give a false sense of security. A tool reports everything as > > > clean, and people assume the release is fine when it is not. It’s only > > > when humans look deeper that a serious issue is discovered. For example, > > > a mention of a GPL license can be fine, depending on the context, and > > > automation is unlikely to detect it. > > > > > > Kind Regards. > > > > > > Justin > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
