garydgregory commented on PR #706:
URL: https://github.com/apache/commons-parent/pull/706#issuecomment-4459304204

> The source track shows relationships between source commits,

Is this the same as the commit history, the git log? Commit A's parent is B, B's parent is C, and so on? All the way to the first commit in the repo?

> The build track shows relationships between a source commit and built artifacts.

This is the same as above, but per JAR, POM, all the files we put on Maven Central? In our case, these would be the same for each file, right?

> Built artifacts from a commit that was never part of a repo. It was a commit on a fork, which was tagged.

This PR causes a build to fail if the above happens? Like if an RM tries to release from his fork instead of from the repo?

Let's say a bad guy breaks into Apache's dist server and replaces a JAR file, couldn't they also replace everything related to that JAR?

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
