incubator-general mailing list archives

From David Nalley <>
Subject Re: apache binary distributions
Date Fri, 28 Aug 2015 17:41:33 GMT
/me notes the mixed public and private lists

> I.e. assume you're a developer or sysadmin who is *not* an Apache
> committer.  You know you need to get a software project management tool
> for the linux machines you maintain, and you've heard of something
> called "Maven".
> - What is the actual process by which you'd find out how to get this
> software (i.e. you'd search for it), and how you'd actually install it?

If I wanted to install maven, I'd do:

yum install maven3

apt-get install maven

> - How would you normally detect if you're getting the original "Maven"
> software, versus some different software - either a different vendor's
> version, or perhaps a bogus version with adware in it, or perhaps some
> non-standard version that is apparently popular, but is *not* the
> "default" version used on your platform?

So some of this is choice.
By default your distribution is going to have package repositories
enabled for software the distribution packages.

So if the distribution packages the software, you presumably trust the
distribution to provide you with legitimate software. (if you can't
trust your kernel and things like binutils, why bother worrying about
anything else) The distributions sign their packages, and the package
management system verifies that signature prior to installation.

Third parties (to the distribution) may also provide package
repositories. Cassandra, for instance, does this. They have a debian
package repository for the various versions of Cassandra. You can
manually configure your system to access that package repository,
configure it to trust the published signing key, and then things like
'apt-get install cassandra' work, and you get cassandra from a third
party repository (in this case from the project itself)

Of course, anyone could set up a package repository - Shapeblue for
instance has done that for CloudStack - they run a package repository
and ship RPM and deb packages of Apache CloudStack from it. How do you know they haven't
tampered with it or modified it heavily? You don't - they aren't
providing the source packages, so no way of knowing how they are


> * Separately: does anyone have links to any trademark/branding policy
> pages that common package managers have out there?  I'm wondering what
> policy or best practices that are *clearly documented* is already out
> there for the actual linux distros or package management systems is.

The only folks that I know of that have a policy explicitly dealing
with this is Mozilla. There is a lot of drama within the distributions
about how this is/was handled. (read
down to the software distribution section)

Essentially, Mozilla says that you may distribute your own compiled
version of their software, using their marks, only if it is built from
unaltered source. In practice this is a bit more difficult. Having
packaged software for Fedora and a few other distributions, it's not
uncommon to need to patch something. Sometimes it's environment
related (your stuff won't build with the latest glibc), sometimes it's
related to how things get built. In Mozilla's case, they require
approval of any patches applied to source, before it's distributed.
Debian decided it was too much, and not free enough, and thus we have
Iceweasel and Icedove instead of Firefox and Thunderbird.


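The message above says the distribution signs its packages and the package manager checks that signature before installing. What the signature actually protects is a chain of hashes, and the following is an added example (not code from this thread, from apt or from Debian) that re-implements that chain offline: a Release file listing the SHA-256 and size of every index file, an index listing the SHA-256 of every .deb, and the checks a client runs down that chain. The GPG signature over Release is assumed to have been verified already (that step needs a keyring and is left out here); the package name, paths, version and .deb bytes are constructed sample data.

```python
"""Hash chain behind 'apt-get install', re-implemented for illustration.

Publisher side: build_release() emits the body a repository would sign.
Client side: verify_index() checks an index file against the trusted
Release body; verify_package() checks a downloaded .deb against the index.
Example code only; assumes the detached signature over Release was
already verified with the repository's published key.
"""
import hashlib
import hmac
import re


def build_release(indexes):
    """Publisher side: list sha256, size and path of every index file."""
    lines = ["Suite: stable", "Codename: example", "Architectures: amd64", "SHA256:"]
    for path in sorted(indexes):
        data = indexes[path]
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data):>16} {path}")
    return "\n".join(lines) + "\n"


def parse_release_hashes(release_text):
    """Client side: return {path: (sha256_hex, size)} from the SHA256 section."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                in_section = False  # next top-level field ends the section
                continue
            m = re.match(r"\s*([0-9a-f]{64})\s+(\d+)\s+(\S+)$", line)
            if not m:
                raise ValueError(f"malformed SHA256 entry: {line!r}")
            entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries


def verify_index(release_text, path, data):
    """Accept an index only if Release lists it and size and hash both match.

    Returns (ok, reason) so a caller can log why a mirror was rejected.
    """
    entries = parse_release_hashes(release_text)
    if path not in entries:
        return False, "not listed in Release"
    expected_hash, expected_size = entries[path]
    if len(data) != expected_size:
        return False, "size mismatch"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_hash):
        return False, "sha256 mismatch"
    return True, "ok"


def verify_package(packages_index, filename, deb_bytes):
    """Second link: the verified Packages index names each .deb's SHA256."""
    for stanza in packages_index.decode().strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        if fields.get("Filename") == filename:
            expected = fields["SHA256"]
            return hmac.compare_digest(hashlib.sha256(deb_bytes).hexdigest(), expected)
    return False  # a file the index never listed is never trusted


# Constructed sample data: a fake .deb payload and an index describing it.
# Nothing here is a real Debian package or a real repository.
FAKE_DEB = b"!<arch>\nnot-a-real-deb\n"
PACKAGES = (
    "Package: maven\nVersion: 3.6.3-5\nArchitecture: all\n"
    "Filename: pool/main/m/maven/maven_3.6.3-5_all.deb\n"
    f"SHA256: {hashlib.sha256(FAKE_DEB).hexdigest()}\n"
).encode()
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE = build_release({INDEX_PATH: PACKAGES})

# A mirror that edits the index in place (same length) fails on the hash;
# one that truncates or pads it fails on the size first.
TAMPERED_PACKAGES = PACKAGES.replace(b"Version: 3.6.3-5", b"Version: 3.6.3-6")
TRUNCATED_PACKAGES = PACKAGES[:-1]

if __name__ == "__main__":
    print(verify_index(RELEASE, INDEX_PATH, PACKAGES))
    print(verify_index(RELEASE, INDEX_PATH, TAMPERED_PACKAGES))
    print(verify_index(RELEASE, INDEX_PATH, TRUNCATED_PACKAGES))
```

Two practical notes follow from this. First, everything hangs off the key that verified Release: when you add a third-party repository such as the Cassandra one the message mentions, scope its key to that repository (the `signed-by=` option in an apt sources entry) rather than adding it to the global trusted keyring, so that key can only authenticate its own repository and not stand in for the distribution's. Second, the chain proves only that what you downloaded is what the repository owner signed; as the message says about third-party builds, it says nothing about whether the owner altered the software before building it.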