incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marvin Humphrey <>
Subject Re: [DISCUSS] Staged Artifact Locations (was Re: [VOTE] Release Gossip version gossip-0.1.1-incubating (RC2))
Date Thu, 12 Jan 2017 17:32:58 GMT
On Thu, Jan 12, 2017 at 8:39 AM, Josh Elser <> wrote:
> IMO, it prevents a one-line release command for Maven projects using the
> standard conventions (I'm blindly assuming is Maven is the most common tool
> used). However, I can also see where Justin is coming from with the
> provenance side of things (the disconnect between what was voted on and what
> gets placed on dist.a.o).
> * Does anyone actually verify that people use `svn mv` now?
> * Does anyone actually verify that the xsums of what was voted on is what
> gets put into dist.a.o as the official release?
> So, yes it would be nice to avoid any snafu due to any incorrectly promoted
> release, but I don't think it would actually get us any closer to a complete
> "chain of custody" than what we have now. As such, I think it is an
> unnecessary burden for an already "traumatic" release process. It would be a
> good "best practice" however not a "policy".

Here's the relevant policy requirement:

    Once a release is approved, all artifacts MUST be uploaded to the
    project's subdirectory within the canonical Apache distribution channel,

Just how the artifacts get into the canonical source dist is left unspecified.

We definitely don't want there to be mistakes leading to artifacts not being
uploaded or the wrong artifacts uploaded.  To that end, we have the workflow to make things easier and reduce the potential for
error.  If projects choose not to use the full workflow, they still have the
responsibility to get the canonical upload right.

>From the standpoint of the ASF, Maven distibution is a downstream channel.
The policy clause above later continues:

    After uploading to the canonical distribution channel, the project (or
    anyone else) MAY redistribute the artifacts in accordance with their
    licensing through other channels.

Projects generally work hard on their downstream distributions, but those
efforts are outside the scope of Release Policy.  From the ASF policy
standpoint, you have to get the official source release right, and whether you
get the Maven release right is immaterial.

It's not that we don't care if you mess up downstream distribution and damage
the project's reputation, but that it's not something we need or want to
control with policy constraints.  But we *do* care about things such as
guaranteeing that security conscious consumers will be able build from source.

Marvin Humphrey

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message