Hadoop >> mail # general >> additional source only release tarball
Re: additional source only release tarball
Patrick Hunt wrote:
> Ah, thanks for clarifying that Doug. To take it a bit further, when you say
> "bug" you really mean "serious breach of Apache process/rules", would
> that be valid? i.e. it would be something that the responsible Apache
> team should work to address with the highest priority.

To some degree that depends on the Apache project.  I don't know of a
project that does not create release tags and that would accept an
incorrect one lightly.  That said, release tags are not required nor
authoritative: the thing that counts is the signed artifact.

I'd certainly encourage developers to leverage tags when convenient,
e.g., for automated testing against and comparison with prior releases,
for IDE source browsing, etc.  But if someone wants to package an
alternate distribution of an Apache release, I think they're better
starting from the release artifact than the tag.  The artifact can be
validated against the signature at http://www.apache.org/dist/, while
there's currently no good means of validating the contents of a tag.  I
suppose one could rebuild the tarball from the tag and try to validate
its checksum against that at http://www.apache.org/dist/, but that seems
both fragile and less secure.

Doug
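
Added example, not part of the original message: a Python sketch of why rebuilding a tarball from a tag and comparing its checksum with the published one is fragile. The file tree, timestamps and function names are constructed for illustration; it shows only the checksum mismatch and is not a replacement for verifying the release signature.

```python
import gzip, hashlib, io, tarfile

# Constructed sample source tree (not taken from any real release).
TREE = {"proj/README.txt": b"hello\n",
        "proj/src/main.c": b"int main(void){return 0;}\n"}

def build_tarball(tree, mtime, order=None, gz_mtime=0):
    """Pack `tree` into a .tar.gz the way a release script might."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in (order or sorted(tree)):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = mtime              # per-file timestamp in the tar header
            tar.addfile(info, io.BytesIO(tree[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gz_mtime) as gz:
        gz.write(raw.getvalue())            # gz_mtime lands in the gzip header
    return out.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def content_manifest(tarball):
    """Map member name -> SHA-256 of its bytes, ignoring tar/gzip metadata."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        return {m.name: sha256(tar.extractfile(m).read())
                for m in tar if m.isfile()}

def compare(a, b):
    """Return (archive checksums equal, per-file contents equal)."""
    return sha256(a) == sha256(b), content_manifest(a) == content_manifest(b)

T0 = 1_262_304_000                          # constructed build time
released = build_tarball(TREE, mtime=T0)
rebuilt = build_tarball(TREE, mtime=T0 + 86_400)         # same files, next day
reordered = build_tarball(TREE, mtime=T0, order=sorted(TREE, reverse=True))
regzipped = build_tarball(TREE, mtime=T0, gz_mtime=1)    # only gzip header differs

if __name__ == "__main__":
    for label, other in [("rebuilt", rebuilt), ("reordered", reordered),
                         ("regzipped", regzipped)]:
        print(label, compare(released, other))
```

Each rebuilt archive carries byte-identical files yet hashes differently, so a checksum mismatch against the published tarball says nothing about whether the tag and the release actually differ.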