Hi David,
Please see my comments inline.

On Fri, May 2, 2008 at 5:17 PM, David Illsley <[EMAIL PROTECTED]>
wrote:

> I disagree - I think the Apache process makes the minimum we should
> vote on be the source (and I agree that on many levels, it's the most
> important thing).
>
> However I think we need to do more. The number of problems we have had
> with actual broken releases *with* posted binaries means I think we
> can't do without them.
>

Yes - we've had problems before and very likely there will be glitches in
the future. But most of the issues we've had in the past were either due to
not following the protocol (changing stuff after the vote) or inadequate
testing. Both these issues have been addressed to a great extent, I suppose
(our release managers are experienced and well aware of the process. The test
suites have improved tremendously).
I don't think things will be drastically different if we do the source-first
approach. Again, the build process is fully automated and all that is needed
is a simple maven command. If all testers use the source release we might
even get to issues sooner rather than later (failing test cases on specific
platforms, for example, may be caught quickly with a build from source).

>
> I do trust the release managers, but even release managers are human
> and mistakes happen. I personally want to test the thing that the
> majority of users will download and use so that I can accurately vouch
> for its quality.
>

This is actually a valid argument. We've had complaints earlier about the war
distribution not containing some jars etc., and I definitely see the advantage
of such artifacts being tested before we hit the release. However, what I
see here is a situation like the following:

Think of the Ubuntu/Debian apt-get/Synaptic process. I usually get all my
software as debs (mostly via Synaptic) and these are almost always binaries.
But stuff like the Apache HTTPD server is never released as binary [ I
found an anomaly here. The Apache server has a win32 installer release and
I've no clue how they handle the voting process regarding that ]. The point
here is that the Ubuntu/Debian crowd provides the deb themselves for
convenience. If the deb for HTTPD breaks, should I hold Apache responsible?

In our case we've become the provider of both the source and the
convenience. But they are definitely two different things and one may even say
they are orthogonal.

>
> Speaking for myself:
>  From a philosophical perspective, the source is most important
>  As a user of software from apache.org I want to know that the binary
> I download has been tested by at least a couple of experts
>

I agree with you - we should cater for the needs of the user at the end of the
day. However, IMHO we should be careful not to violate the principles we
stand for as a foundation. So here is what I suggest:

1. We include a statement in every release vote noting to people that the
source distribution needs to be tested (along with the binaries).
2. Whoever puts a +1 needs to put the +1 after testing at least the source
release (and possibly the other binary artifacts as well). This should be
an agreement between ourselves. We may potentially add a statement on the
download page saying that the binaries are provided as a convenience (just
like the fine print we have about the hashes and signatures).



-- 
Ajith Ranabahu

Reading, after a certain age, diverts the mind too much from its creative
pursuits. Any man who reads too much and uses his own brain too little falls
into lazy habits of thinking - Albert Einstein
