incubator-general mailing list archives

From David Nalley <da...@gnsa.us>
Subject Re: How to review so-called "binary releases"?
Date Wed, 28 Nov 2018 03:54:57 GMT
On Wed, Nov 14, 2018 at 11:32 PM Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
<snip>
>
> I think Jim and Greg were describing theory, not practice.  We can shout
> from the rooftops that We Do Not Release Binaries, but then you have
> download pages like [1] that present binary artifacts on equal footing
> with source artifacts, without even paying lip service by including the
> term "convenience" somewhere.
>
> The PMC in [1] _is_ releasing binaries as official artifacts — possibly
> in contravention of Board policy, but that's neither here nor there:
> users who visit download pages are not expected to know Board policies.
> A user who visits [1] _will_ consider the binary artifacts official,
> because they are presented as such.
>
> If that's an undesirable outcome, then the Board should enforce its
> policy that download pages aren't to present binaries as official
> artifacts.  (Which, I think, is what David was getting at.)
>
<snip>
> [1] <http://redacted.apache.org/download.html>.  (I won't name and
> shame, sorry.  Could someone volunteer his own PMC's download page for
> a case study?  I would volunteer Subversion but I think our download
> page is compliant.)
>

Yes, we can say they aren't official, but that denies the reality of
what projects are doing, and how the foundation celebrates them[1].
We also have multiple projects producing binaries, and signing those
binaries with the ASF's code signing keys[2], for which we had to jump
through a lot of hoops to verify our identity as being the real Apache
Software Foundation. We have another project about to use the ASF's
corporate Apple Developer account to 'notarize' releases so they are
identified as originating from the ASF.[3]

IMO, we can label them as 'not releases' and put stickers on them that say
'unofficial', but the reality is that we are distributing terabytes of
binaries every day from Foundation resources, occasionally even
stamping them with our official signing certificates, and that should
dispel any illusions we have about those not being actions of the
Foundation.

In my opinion as a single IPMC member (and only wearing that
particular hat), if your podling is shipping binaries, you should
review and vote on them. To ignore them seems irresponsible.

--David

[1] https://www.cnbc.com/2014/04/17/globe-newswire-the-apache-software-foundation-announces-100-million-downloads-of-apachetm-openofficetm.html
in which we issue a press release to celebrate that individuals all
over the world downloaded 100 million copies of a binary
"non-release".
[2] https://blogs.apache.org/infra/entry/code_signing_service_now_available
[3] https://lists.apache.org/thread.html/15ef4c390c6eba7ca80836c214b1121681310d44fe79b32f175aedc3@%3Cprivate.openoffice.apache.org%3E
