I had a thought for an alternative approach to the whole release process discussion we had on the last call and wanted to see if it would spark some discussion.
First off, I think we should approach things from the basic belief that projects want to follow the spirit of the IP process and make their decisions based on the belief that everything they are using or referencing exist in their IP Log.
The current Release Review process is more of a pre-flight check for an actual release that should, but doesn't actually _have_ to, maintain adhereance to the IP log, mistakes can happen . I got the sense from the last call that some projects were approaching each release as something demanding full review each time and others double down on the bugfix release process bypassing much of the official release and only checking in with that process on minor version bumped (1.4.x -> 1.5.x, etc).
I propose the addition of a post-release review process path, the Postmortem Review. Something like this:
* project checks itself to make sure everything is in their iplog
* project builds out their release and publishes it, in the case of Jetty into Maven Central
* project then pushes to Wayne links to all published binaries, in Jetty's case its Distribution
* Wayne diligently downloads and checks the release binary for IP cleanliness and it either gets a yellow or a green mark.
* if Green means everything is good and no further review is necessary, skip to end and profit
* if yellow it triggers a mandatory postmortem review process to address the issue, most likely Wayne isn't able to link together an actual binary to its IP approved self, or there needs to be an expedited CQ review to get something green
* If someone screwed up and included something wrong wrong wrong in the release binaries then it is time to get it fixed and notice pushed to their mailing lists, mea culpas, etc etc
A couple of key points, the primary one being that Wayne can, and in many cases already has been, replaced by a series of small highly talented shell scripts (or python or perl, dunno). I remember him having this ability to run something against a binary and get a sanity check out of it from an IP perspective, he did it against our downloads directory a number of times. Ideally, a project would have the ability to trigger this review against an arbitrary list of urls to get their little green checkmarks for a given release. If it goes yellow then Wayne the human has to get involved. Given proper access to the tooling the projects could run it themselves to sanity check their own output.
It would be neat if this could be extended out into the project management tooling as well, I will say right now that I am terrible about updating the project-settings.xml file that we have somewhere that is supposed to contain information about various releases. That file has precious little of interest to our project so it gets updated once in a blue moon. Now if it was the place that we could put those links to file to review, or if the output of Wayne the script could be deterministic and we could preemptively put in a link in there that would make it clear that a release had passed the automated release review postmortem there is now a reason for me to go update that file or the general project metadata on a more regular basis.
A process like this would suit the continuous release folks better as well I would think and it could eventually be expanded to review published maven pom files if so inclined.