Re: [eclipse.org-architecture-council] Is jar signing mandatory?
I disagree as well. I don't even feel all that comfortable that
it's okay for an incubating project to release unsigned p2
I see the overall issue being a balance between the burden on the
committers, who are required to take responsibility for all
contributions, including those from non-committers, versus the
high expectations of the consumers, who, granted, may well be a
freetarded freeloader beneath our regard, or could well be another
Eclipse project working just as hard. This is clearly a very
unbalanced scale with all the burden on one side and all the
benefit on the other. In the end though, as Mike suggests,
Eclipse is a brand, and anything distributed under that brand
reflects on everything distributed under that brand. If a project
does not care to deal with all the restrictive rules and all
the various onerous processes, perhaps that project would better
be hosted where those are completely absent. Of course we can all
clearly see the direction that reasoning is headed: It's all a
barrier and a cost. So it's certainly not unreasonable to ask,
why should I care? But perhaps it's better that as a group we
focus on making it easier to conform to the restrictions and focus
on streamlining the processes to make them less onerous. It seems
to me that the Foundation staff has helped tremendously in this
regard, but they too are overburdened...
I certainly ask myself, why did I spend 5 months herding cats
just so that the 2020-03 release has only valid licenses and only
signed content? Who cares? Why do I care?
While on the topic of onerous processes, I often ask myself, who
is the consumer of my release reviews? Moreover, as a PMC lead, I
often think, oh please, mercy, no, not another release review to
approve... Burden, burden, burden...
On 2020-03-17 5:54 p.m., Mickael Istria wrote:
2. this is not mandatory for projects, i.e. as long as no contributor in a project cares about such certificate of origin enough to contribute the build routine to produce them in the project, I see no point in making this mandatory to other project contributors.
I disagree, because the output from Eclipse projects is a reflection on all of us. If a major and public security kerfuffle occurred because of a project that decided that they did not want to sign a release artifact that could be signed, it would reflect badly on our entire community.
Executive Director | Eclipse Foundation, Inc.