+1 for adding the convenient binaries release check, it could help lots of incubator projects.

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Feb 14, 2019 at 3:00 PM Huxing Zhang <hux...@apache.org> wrote:
>
> Hi,
>
> On Wed, Nov 21, 2018 at 11:06 AM Roman Shaposhnik <ro...@shaposhnik.org> wrote:
> >
> > On Fri, Nov 16, 2018 at 6:59 AM Jim Jagielski <j...@jagunet.com> wrote:
> > >
> > > > On Nov 15, 2018, at 2:41 AM, Bertrand Delacretaz
> > > > <bdelacre...@codeconsult.ch> wrote:
> > > >
> > > > I see this as a two-level thing:
> > > >
> > > > a) The source release is an Act of the Foundation, it is what the
> > > > foundation produces
> > > >
> > > > b) For the binaries, the PMC states that it thinks they are good and
> > > > declares that the published digests and signatures are the correct
> > > > ones. The Foundation does not state anything about them - use at your
> > > > own risk but in practice that risk is very low if the PMC members
> > > > collectively recommend using them.
> > > >
> > > > That's not very different from what other open source projects do - we
> > > > need a) for our legal shield but b) is exactly like random open source
> > > > projects operate.
> > > >
> > > > You have to trust an open source project when you use their binaries,
> > > > and you can use digests and signatures to verify that those binaries
> > > > are the same that everyone else uses - I don't think anyone provides
> > > > more guarantees than that, except when you pay for someone to state
> > > > that those binaries are good.
> > > >
> > > > If people agree with this view we might need to explain this better,
> > > > "unofficial" does not mean much, this two-level view might be more
> > > > useful.
> > >
> > > Agree 100%. Thx for very clearly and accurately describing all this.
> >
> > +1 to this as well.
>
> +1 for what Bertrand said.
> I have a quick question from a podling's perspective, should the
> decision for release convenient binaries be left to PPMC or IPMC?
>
> >
> > In fact, I love it so much that I'd like to have it published as part of our
> > official guide:
> > http://www.apache.org/legal/release-policy.html#compiled-packages
> >
> > Any objections?
>
> +1 to add it to the documentation, so that we do not have to search
> for mail archives.
> Besides [1], I think it is also better to add it to [2]. I noticed it
> uses "binary distribution" rather than "binary release".
> So maybe we should avoid using "binary release".
>
> For how to do the check for binary distribution, I also suggest to add
> it to [3].
> For example:
> If the source release is accompanied with convenient binaries, we should
> check:
> - Does the LICENSE and NOTICE text exactly represent the contents of
> the distribution they reside in?
> - Do the jar files include LICENSE/NOTICE/DISCLAIMER?
>
> Correct me if I am wrong.
>
> [1] http://www.apache.org/legal/release-policy.html#compiled-packages
> [2] http://www.apache.org/dev/licensing-howto.html#binary
> [3] https://wiki.apache.org/incubator/IncubatorReleaseChecklist
>
> >
> > Thanks,
> > Roman.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > For additional commands, e-mail: general-h...@incubator.apache.org
> >
>
> --
> Best Regards!
> Huxing