Posted to dev@community.apache.org by sebb <se...@gmail.com> on 2021/03/08 11:41:02 UTC

Unclear/ambiguous statement in Maturity Model - RE30

What does "and/or" in RE30 really mean?
Is it intentional?

---------
RE30
Releases are signed and/or distributed along with digests that can be
reliably used to validate the downloaded archives.
---------

Expanding the and/or, I read this two ways:

1) Releases are signed and distributed along with digests that can be
reliably used to validate the downloaded archives.

2) Releases are signed or distributed along with digests that can be
reliably used to validate the downloaded archives.

Statement 1 seems clear to me.

Statement 2 appears to imply that releases don't have to be signed --
if it means anything.

Sebb.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
For additional commands, e-mail: dev-help@community.apache.org


Re: Unclear/ambiguous statement in Maturity Model - RE30

Posted by Matt Sicker <bo...@gmail.com>.
Perhaps it's a reference that some file formats can include the
signature attached while others detach the signature into its own
file?

On Mon, 8 Mar 2021 at 09:23, Craig Russell <ap...@gmail.com> wrote:
>
> Hi Sebb,
>
> https://community.apache.org/apache-way/apache-project-maturity-model.html
>
>
> > On Mar 8, 2021, at 3:41 AM, sebb <se...@gmail.com> wrote:
> >
> > What does "and/or" in RE30 really mean?
> > Is it intentional?
> >
> > ---------
> > RE30
> > Releases are signed and/or distributed along with digests that can be
> > reliably used to validate the downloaded archives.
> > ---------
> >
> > Expanding the and/or, I read this two ways:
> >
> > 1) Releases are signed and distributed along with digests that can be
> > reliably used to validate the downloaded archives.
> >
> > 2) Releases are signed or distributed along with digests that can be
> > reliably used to validate the downloaded archives.
> >
> > Statement 1 seems clear to me.
>
> I agree. It could even be clearer that signatures and digests (SHA256 and/or SHA512) are both required. Maybe the type of digest was the origin of the and/or...
> >
> > Statement 2 appears to imply that releases don't have to be signed --
> > if it means anything.
>
> I cannot parse this one either.
>
> Craig
> >
> > Sebb.
> >
>
> Craig L Russell
> clr@apache.org
>
>



Re: Unclear/ambiguous statement in Maturity Model - RE30

Posted by Craig Russell <ap...@gmail.com>.
Hi Sebb,

https://community.apache.org/apache-way/apache-project-maturity-model.html


> On Mar 8, 2021, at 3:41 AM, sebb <se...@gmail.com> wrote:
> 
> What does "and/or" in RE30 really mean?
> Is it intentional?
> 
> ---------
> RE30
> Releases are signed and/or distributed along with digests that can be
> reliably used to validate the downloaded archives.
> ---------
> 
> Expanding the and/or, I read this two ways:
> 
> 1) Releases are signed and distributed along with digests that can be
> reliably used to validate the downloaded archives.
> 
> 2) Releases are signed or distributed along with digests that can be
> reliably used to validate the downloaded archives.
> 
> Statement 1 seems clear to me.

I agree. It could even be clearer that signatures and digests (SHA256 and/or SHA512) are both required. Maybe the type of digest was the origin of the and/or...
> 
> Statement 2 appears to imply that releases don't have to be signed --
> if it means anything.

I cannot parse this one either.

Craig
> 
> Sebb.
> 

Craig L Russell
clr@apache.org

