ignite-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Branko ─îibej <br...@apache.org>
Subject Re: Apache Ignite Release Candidate is uploaded
Date Wed, 25 Mar 2015 18:55:07 GMT
On 25.03.2015 19:07, Dmitriy Setrakyan wrote:
> Brane,
> The wrong download checksum issue has been addressed (I think). Please
> double check me. The reason it happened was that I had two identical
> folders with different names sitting next to each other and grabbed the
> wrong one. The only difference was the name of the archive. (I should
> really stop working after midnight :)

Should be publishing exactly what was voted on, not even re-zipping,
IMO. This is one of the reasons why it's a good idea to have the whole
release process scripted; no manual archiving, copying, etc. anywhere.

> As far as keeping the binary bits in the "dist.apache.org", I looked around
> and many projects are doing it, e.g. Cassandra (TLP), Aurora (Incubating).

The binaries must be on dist.apache.org; that's mandatory. Any change on
that site is mirrored to a zillion places around the world.

> I believe it only poses an issue when you have massive amount of downloads,
> like Apache HTTP server for example, which is not the case for us. If it is
> OK, I would prefer to leave it as is for now, or ask the community to
> address it later.

I'd consider it a service to users to provide links to mirrors whenever
possible. It's not something that needs addressing right now, but it
would be nice to get it done soon-ish. As I said, I can help here; I
know how the direct-download links to mirrors are set up for Subversion
and APR, so it shouldn't be too hard get a similar solution working for

-- Brane

> D.
> On Wed, Mar 25, 2015 at 2:55 AM, Branko ─îibej <brane@apache.org> wrote:
>> On 25.03.2015 09:35, Dmitriy Setrakyan wrote:
>>> The first official Apache Ignite release (albeit release candidate) was
>>> uploaded and the download page is updated:
>>> https://ignite.incubator.apache.org/download.html
>> Well, I have to say I'm confused and just a bit unhappy.
>> We voted on a source package named
>>     incubator-ignite-1.0.0-rc3.zip
>> with hash
>>     68f74cff64dabf43e8f41bc478e814102a749cce
>> and now here I'm offered to download
>>     ignite-fabric-1.0.0-RC3-src.zip
>> with a different size and hash
>>     46e932dc4e05ce757ce156f0e30d0ea98920eea8
>> This is clearly not the source package we voted on, so it is not what
>> was released by the Incubator PMC. Please fix this ASAP and let's not
>> make this sort of mistake again. You have to publish the exact same
>> package that was voted for release, not something else, even if the
>> differences are trivial.
>> Next, the package name: I'm not aware of an Apache project or podling
>> called "Ignite fabric". The "incubator-ignite-x.y.z" name was fine, I
>> don't understand why you renamed it. Once the podling graduates, I'd
>> expect the package to be called 'apache-ignite-x.y.x' or just
>> 'ignite-x.y.x'.
>> Next, it would be nice if the download page stated explicitly that the
>> binary package is there for convenience and is not an official ASF
>> release. My suggestion would be to split the page into three sections:
>>   * Downloads of official ASF released sources
>>   * Instructions for building from source (either the unpacked package
>>     or from git, or both)
>>   * Link to convenience binaries built from the released sources
>> And last, I believe I mentioned at some point that posting download
>> links to the ASF dist server is frowned upon. The thing to do is to post
>> a link to a mirror; for example:
>> http://www.apache.org/dyn/closer.cgi?path=incubator/ignite/source/ignite-fabric-1.0.0-RC3-src.zip
>> this will return a link to the geographically closest mirror. Be aware
>> that it can take up to 24 hours for mirrors to synchronize once the
>> package is on the dist server, so it's a good idea to wait that long
>> before posting the download link and announcing the release.
>> There are ways, with a bit of scripting on the site, to get direct
>> download links instead of bouncing people through the mirrors page;
>> here's an example:
>>     http://httpd.apache.org/download.cgi
>> Note that this page keeps the PGP/hash links pointing to our dist server
>> so that a malicious hacker would have to hack into both your mirror and
>> the master server to fake hashes and signatures on a hacked package.
>> -- Brane

View raw message