Re: [eclipse.org-architecture-council] Is jar signing mandatory?
I disagree as well. I don't even feel all that comfortable that
it's okay for an incubating project to release unsigned p2
artifacts.
I see the overall issue being a balance between the burden on the
committers, who are required to take responsibility for all
contributions, including those from non-committers, versus the
high expectations of the consumers, who, granted, may well be a
freetarded freeloader beneath our regard, or could well be another
Eclipse project working just as hard. This is clearly a very
unbalanced scale with all the burden on one side and all the
benefit on the other. In the end though, as Mike suggests,
Eclipse is a brand, and anything distributed under that brand
reflects on everything distributed under that brand. If a project
does not care to deal with all the restrictive rules and all
the various onerous processes, perhaps that project would better
be hosted where those are completely absent. Of course we can all
clearly see the direction that reasoning is headed: It's all a
barrier and a cost. So it's certainly not unreasonable to ask,
why should I care? But perhaps it's better that as a group we
focus on making it easier to conform to the restrictions and focus
on streamlining the processes to make them less onerous. It seems
to me that the Foundation staff has helped tremendously in this
regard, but they too are overburdened...
I certainly ask myself, why did I spend 5 months herding cats
just so that the 2020-03 release has only valid licenses and only
signed content? Who cares? Why do I care?
While on the topic of onerous processes, I often ask myself, who
is the consumer of my release reviews? Moreover, as a PMC lead, I
often think, oh please, mercy, no, not another release review to
approve... Burden, burden, burden...
On 17.03.2020 23:06, Mike Milinkovich wrote:
On 2020-03-17 5:54 p.m., Mickael Istria wrote:
2. this is not mandatory for projects, ie as long as no contributor
in a project cares about such certificate of origin enough to
contribute the build routine to produce them in the project, I
see no point in making this mandatory to other project
contributors.
I disagree, because the output from Eclipse projects is a
reflection on all of us. If a major and public security
kerfuffle occurred because of a project who decided that they
did not want to sign a release artifact that could be signed, it
would reflect badly on our entire community.
_______________________________________________
eclipse.org-architecture-council mailing list
eclipse.org-architecture-council@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council