On 12/18/2014 05:58 AM, John D. Ament wrote:
All,
I was looking through the incubator site and I don't see anything definite.
Whenever a podling goes for a vote, and they include a git tag in their
vote message, it's typically asked to change to a commit id. It seems to
me this is done for the reproducible builds concept. Tags are mutable, and
therefore could be changed and rebuilding a tag could give you a different
result.
So, is this the right understanding? Do we want to ask podlings to always
submit a git commit id? If so, is there a place in the website we can
clarify this?
Thanks,
John
I recently found this confusing with the first parquet-format release. I
thought that both commit id and tag were optional, given that the actual
release candidate is a signed tarball (actually, the "necessary source
code to build the project" [1]).
We can't necessarily recover the commit id from the tarball because the
parent information is lost [2], so requiring the commit id is only
useful for convenience and validating that a new tarball from git at the
commit id matches the vote tarball. Is this validation done? Is it a
requirement?
If it isn't a requirement for a commit to match what is being voted on,
then does it matter whether we use a tag for convenience or a commit id?
We could also accept signed tags, though I don't know if there are
issues that would prevent it.
rb
[1]: https://www.apache.org/dev/release-publishing.html#valid
[2]: Unless using `git archive`: http://git-scm.com/docs/git-archive
--
Ryan Blue
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
