You have to be kidding me..

The only problem I see is that people are all caught up in policies /
processes but I've yet to hear what the actual root "problem" is. I'm
sure it's intended to somehow prevent something nasty that has
happened in the past but these policies don't have any logic that I'm
able to follow. Why does the ASF need to dictate how we vote on
releases?

Maybe I'm just having a bad morning, but for some reason this really
rubs me the wrong way and feels extremely inefficient.

The problem is that Vote-Then-Release leaves opportunities for the
small details to get missed and you end up with a sloppy release.
Examples include non-signed distributables, incomplete legal notices,
missing or incorrect hashes.  The worst is someone slipping in some
malicious code in between the time the vote is cast and the release is
made.

I may be wrong, but the ASF already has agreements with all committers and PMCs.

So, anyone slipping in malicious code into a release has already agreed not to do it. Anyone doing so is tagged.

This means that any of these mistakes are "bugs". And while we want everything to be perfect, not everything is that way.


When a PMC votes on a release they should be approving the exact bits
that hit the mirrors.  That vote binds the ASF to be _legally_
responsible.  The only way to have sufficient and appropriate
oversight is to give the PMC a chance to check that these final steps
of a release have been properly handled.  Otherwise the PMC risks
releasing a half baked product.

So each project requires 3 release managers? The vote to release should appoint a release manager, and the manager should make the release. Their word is their bond. Who wants the reputation as a screw-up? If the PMCs delegate it to another person then karma is reflected.


It is completely appropriate for the ASF to set guidelines on release
procedures.

Appropriate as long as they don't treat contributors like children. The ASF should have policies that enable open source, and not discourage it.

If someone screws up too many releases then the community can take away their karma.

The ASF should automate all those bit manipulations. Didn't someone in this thread say that Ant does 99% of it?

Regards,
Dave Fisher



--
  jaaron  (who is not on the Jakarta PMC)

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
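The thread's concern is that the bits a PMC votes on and the bits that reach the mirrors can drift apart: an archive modified after the vote, a missing signature, a wrong hash file, an artifact nobody voted on. The following is an added example, not code from this thread or from any ASF project, showing the automated check the "bit manipulation" remark points at: record a SHA-512 manifest of the staging area at vote time, then compare the distribution directory against it before publishing. It assumes the common sidecar naming convention (`artifact.asc` for the detached signature, `artifact.sha512` for the hash file); the signature is only checked for presence, since verifying it would need gpg and the project's KEYS file. All files in `demo()` are constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile

# Archive types that must carry a detached signature and a hash file (assumption).
ARCHIVE_SUFFIXES = (".tar.gz", ".zip")


def sha512_of(path):
    """Stream a file through SHA-512 and return the hex digest."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(staging_dir):
    """Snapshot taken at vote time: file name -> SHA-512 of the voted bits."""
    manifest = {}
    for name in sorted(os.listdir(staging_dir)):
        path = os.path.join(staging_dir, name)
        if os.path.isfile(path):
            manifest[name] = sha512_of(path)
    return manifest


def verify_release(release_dir, manifest):
    """Compare the directory about to hit the mirrors with the voted manifest.

    Returns a list of problems; an empty list means the release is bit-for-bit
    what the PMC voted on and every archive has its .asc and a correct .sha512.
    """
    problems = []
    present = {n for n in os.listdir(release_dir)
               if os.path.isfile(os.path.join(release_dir, n))}

    # 1. Every voted file must still be there, unchanged.
    for name, voted_hash in manifest.items():
        if name not in present:
            problems.append(f"missing: {name}")
        elif sha512_of(os.path.join(release_dir, name)) != voted_hash:
            problems.append(f"modified since vote: {name}")

    # 2. Nothing may appear that the vote did not cover.
    for name in sorted(present - manifest.keys()):
        problems.append(f"not voted on: {name}")

    # 3. Each archive needs a signature sidecar and a hash sidecar that matches
    #    the bytes actually on disk (catches a stale hash after a silent edit).
    for name in manifest:
        if not name.endswith(ARCHIVE_SUFFIXES):
            continue
        if name + ".asc" not in present:
            problems.append(f"missing .asc for {name}")
        if name + ".sha512" not in present:
            problems.append(f"missing .sha512 for {name}")
        elif name in present:
            with open(os.path.join(release_dir, name + ".sha512")) as f:
                fields = f.read().split()
            recorded = fields[0] if fields else ""
            if recorded != sha512_of(os.path.join(release_dir, name)):
                problems.append(f"incorrect hash file: {name}.sha512")
    return problems


def demo():
    """Constructed staging/dist directories: a clean copy, then post-vote drift."""
    root = tempfile.mkdtemp()
    staging = os.path.join(root, "staging")
    release = os.path.join(root, "dist")
    os.makedirs(staging)
    os.makedirs(release)

    archive = os.path.join(staging, "foo-1.0.tar.gz")
    with open(archive, "wb") as f:
        f.write(b"constructed archive bytes\n")
    with open(archive + ".asc", "w") as f:
        f.write("-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n"
                "-----END PGP SIGNATURE-----\n")
    with open(archive + ".sha512", "w") as f:
        f.write(sha512_of(archive) + "  foo-1.0.tar.gz\n")

    manifest = build_manifest(staging)
    for name in manifest:
        shutil.copy2(os.path.join(staging, name), release)
    clean = verify_release(release, manifest)

    # Simulate what the thread worries about: bytes appended after the vote,
    # the signature dropped, and an artifact nobody voted on slipped in.
    with open(os.path.join(release, "foo-1.0.tar.gz"), "ab") as f:
        f.write(b"bytes added after the vote\n")
    os.remove(os.path.join(release, "foo-1.0.tar.gz.asc"))
    with open(os.path.join(release, "extra.jar"), "wb") as f:
        f.write(b"never voted on\n")
    drifted = verify_release(release, manifest)

    shutil.rmtree(root)
    return clean, drifted


if __name__ == "__main__":
    clean, drifted = demo()
    print("clean copy:", clean or "OK")
    print("after drift:", *drifted, sep="\n  ")
```

Run against a real staging area, `build_manifest` would be called when the vote thread opens and its output attached to the vote mail; `verify_release` then runs on the release manager's machine (or in the publishing job) immediately before the bits are moved to the distribution area, and a non-empty result blocks the move.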
