incubator-general mailing list archives

From: "Dennis E. Hamilton"
Subject: RE: apache binary distributions
Date: Fri, 07 Aug 2015 03:25:04 GMT
I think there is a bright-line distinction between Apache binary distributions and distributions
made by third parties.  In particular, I don't think that taking builds off of a buildbot
or any other developer or overnight builds will count, although release candidates come close.

I think it has to do with authenticity. (I am agreeing with Roman, but include verifiable
provenance here.) When an Apache Project makes convenience binaries from a specific source
code release and declares them authentic via release-manager control (even though not a source
code release), via code signing via Apache committer signatures, including the release manager's,
using and arranging publication of appropriately named files for download in some manner while
housing the integrity hashes and signatures on secure Apache infrastructure, I would say that
is an Apache [Convenience] Binary Distribution.  Any release notes and support information
about those identified binary distributions are about those and not anything else.  There
is clear provenance that such distributions are specifically provided for public use by the
Apache Project and that the Apache Project will stand behind them in an appropriate manner.
(Take bug reports against the binaries, deal with security vulnerabilities, no matter their
origin in the Apache source code, etc.)

 - Dennis

-----Original Message-----
From: Roman Shaposhnik
Sent: Thursday, August 6, 2015 17:51
Subject: Re: apache binary distributions

On Thu, Aug 6, 2015 at 1:15 AM, Jochen Theodorou wrote:
[ ... ]
> if PMC produced a release then binary convenience
> artifacts are easy: anything that corresponds to that release *could*
> be considered an official binary convenience artifact for the release
> (see my point above on 3rd party vs. PMCs actually producing these

IOW, what makes a binary convenience artifact an official ASF
artifact is not whether it got designated as such, but whether it
corresponds to an official source release produced by the PMC.

> Same for links for example to docker image distribution servers...
> or let's say a link to an ubuntu package. On the other hand you
> can put disclaimers on the pages stating they are not official...

But they are. If they correspond to an official release.

> Then again nightly builds should be ok, if they have the
> same disclaimer?

No. Nightly builds are special precisely because they don't
correspond to an official source release.

> Or is it ok if the nightly build comes from
> non-apache?

It is ok, but at that point it becomes a 3rd-party artifact and as
such can't be promoted as part of an ASF project.

> If that is ok, then why does the release document
> not say this and is instead very strict about not promoting anything
> even beyond the dev-list? It does not make sense to me and I
> am going in circles here.

Perhaps the source of confusion is that, ironically, PMCs are *more*
constrained in what they can do compared to 3rd parties. They do get
the Apache Branding rights in return for those constraints, though.

> Of course a third person would be someone unrelated to the project.

Or related. Could even be one of the PMC members. The point
is: it is NOT PMC.

[ ... ]

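The provenance checks Dennis describes above (hashes and signatures housed on Apache infrastructure, signatures from committer keys, bug reports and vulnerabilities taken against exactly those named binaries) translate into a concrete consumer-side verification routine. The following is an added example written for this page; it is not code from the thread, from the ASF, or from any Apache project's release tooling. The set of trusted hosts, the artifact filename, and the sample bytes are assumptions constructed for the example, and the signature check shells out to a locally installed `gpg` with a throw-away keyring rather than implementing OpenPGP itself.

```python
"""Verification checks for an Apache convenience binary, as described in the
thread: the artifact may come from any mirror, but the .sha512 / .asc files
and the project KEYS file must come from ASF-controlled hosts, the hash must
match, and the detached signature must verify against KEYS alone."""
import hashlib
import os
import re
import shutil
import subprocess
from urllib.parse import urlparse

# Hosts the ASF controls.  This list is an assumption for the example; the
# thread only says "secure Apache infrastructure".
TRUSTED_HOSTS = {"downloads.apache.org", "www.apache.org", "archive.apache.org"}


def is_trusted_host(url: str) -> bool:
    """True only for https URLs served by an ASF-controlled host."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS


def parse_sha512_file(text: str, artifact_name: str) -> str:
    """Return the lowercase 128-hex digest recorded for artifact_name.

    Two layouts are accepted:
      <hex>  <filename>            (sha512sum / shasum -a 512 output)
      <filename>: <HEX in groups>  (gpg --print-md SHA512 output; the hex may
                                    wrap onto indented continuation lines)
    The filename inside the hash file must match, so a hash file published
    for one artifact cannot be used to "verify" a different one.
    """
    flat = text.strip()
    m = re.match(r"^([0-9A-Fa-f]{128})\s+\*?(\S+)$", flat)
    if m:
        if m.group(2) != artifact_name:
            raise ValueError("hash file names %r, not %r" % (m.group(2), artifact_name))
        return m.group(1).lower()
    name, sep, rest = flat.partition(":")
    if sep and name.strip() == artifact_name:
        digest = re.sub(r"\s+", "", rest).lower()
        if re.fullmatch(r"[0-9a-f]{128}", digest):
            return digest
    raise ValueError("unrecognised .sha512 layout or filename mismatch")


def verify_sha512(artifact: bytes, sha512_text: str, artifact_name: str) -> bool:
    """Compare the artifact's SHA-512 with the digest in the .sha512 file."""
    expected = parse_sha512_file(sha512_text, artifact_name)
    return hashlib.sha512(artifact).hexdigest() == expected


def verify_signature(artifact_path: str, asc_path: str, keys_path: str,
                     homedir: str) -> bool:
    """Verify the detached .asc against the project's KEYS file only.

    A throw-away GNUPGHOME is used so that nothing already in the user's
    keyring can satisfy the check.  gpg exits 0 for any good signature by an
    imported key regardless of its trust level, which is exactly why the
    keyring must contain nothing but KEYS fetched from an ASF host.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg is not installed")
    os.makedirs(homedir, mode=0o700, exist_ok=True)
    env = dict(os.environ, GNUPGHOME=homedir)
    subprocess.run([gpg, "--batch", "--quiet", "--import", keys_path],
                   env=env, check=True, capture_output=True)
    result = subprocess.run([gpg, "--batch", "--verify", asc_path, artifact_path],
                            env=env, capture_output=True)
    return result.returncode == 0


def demo() -> dict:
    """Offline run over constructed inputs (no real Apache artifact involved)."""
    name = "apache-example-1.0-bin.tar.gz"             # hypothetical filename
    artifact = b"constructed sample artifact bytes\n"  # constructed, not a release
    digest = hashlib.sha512(artifact).hexdigest()
    sha512sum_layout = "%s  %s\n" % (digest, name)
    grouped = " ".join(digest.upper()[i:i + 8] for i in range(0, 128, 8))
    print_md_layout = "%s: %s\n" % (name, grouped)
    try:
        verify_sha512(artifact, sha512sum_layout, "other-artifact.tar.gz")
        wrong_name_rejected = False
    except ValueError:
        wrong_name_rejected = True
    return {
        "sha512sum_layout_ok": verify_sha512(artifact, sha512sum_layout, name),
        "print_md_layout_ok": verify_sha512(artifact, print_md_layout, name),
        "tampered_detected": not verify_sha512(artifact + b"\0", sha512sum_layout, name),
        "wrong_name_rejected": wrong_name_rejected,
        "hash_from_mirror_rejected": not is_trusted_host(
            "https://mirror.example.org/apache/example/%s.sha512" % name),
        "hash_from_asf_accepted": is_trusted_host(
            "https://downloads.apache.org/example/%s.sha512" % name),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print("%-28s %s" % (check, "ok" if ok else "FAIL"))
```

The split between `is_trusted_host` and the two verifiers is the point of the exercise: a mirror that can serve a tampered tarball can just as easily serve a matching `.sha512`, so the hash only proves anything when it was fetched from a host the project controls, and the `.asc` only proves anything when the keyring is limited to the KEYS file fetched the same way. Nightly or buildbot outputs fail this routine by construction, since no `.sha512`/`.asc` pair for them is published on that infrastructure.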