
Re: Can the RM contribute towards the three +1s ? (Re: Subversion 1.4.2 tarballs up for testing/signing)

From: Malcolm Rowe <malcolm-svn-dev_at_farside.org.uk>
Date: 2006-11-03 22:07:34 CET

On Fri, Nov 03, 2006 at 02:37:52PM +0000, Max Bowsher wrote:
> And, on IRC, once my 6-way had completed, I asserted +1 unix sig towards
> the total. People, to my surprise, objected that the RM was not entitled
> to contribute toward the 3 +1s.
>

I was one of those who objected (although I'm not sure that's the right
word, since it's hardly as though it was going to make any significant
change immediately). Not through any really strongly-held belief, but
just because, in the past, I didn't think that the previous RMs had
included their sigs.

[It makes some sense: the RM's sig could be seen as just ensuring that we
all test the same tarball - and the test sigs verify that people have
confirmed that the tarball was correctly rolled, and that it's good to
release. In that model, it makes some sense that the RM sig can't also
roleplay as a test sig.]

However, Max makes a good point that it's pretty hard to verify that the
tarball contents exactly match the repository output (because some of it
is non-deterministically autogenerated, and much of the autogenerated
stuff depends upon specific autoconf, libtool, etc, versions) - I try to
check as much as possible, but even then I usually skip past the
generated SWIG output. And in any case, I don't think we need to worry
about a malicious RM!

To sum up, the only thing I had a problem with was making an assumption
that everyone would be okay with the RM also being a tester -- and it
looks like everyone is, so I have no objection :-)

We should absolutely document this, though.

> Further discussion made it clear that we don't share a single consensus
> about what level of testing is required to cast a +1.
>

That's come up before. I thought that the outcome was that it wasn't so
important exactly what people tested so long as they documented what
they'd done when they gave their +1. That way, the community could
judge for themselves whether a given set of sigs was good enough to
bless a release or not.

(For example, if we had a full set of +1's, but no-one in that set had
tested the Java bindings, let's say, it would be completely reasonable
for someone to suggest we held off blessing the release until that had
been done).

Regards,
Malcolm

Received on Fri Nov 3 22:07:46 2006

This is an archived mail posted to the Subversion Dev mailing list.