ignite-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dmitriy Setrakyan <dsetrak...@apache.org>
Subject Re: Apache Ignite Release Candidate is uploaded
Date Wed, 25 Mar 2015 14:20:37 GMT
Looking into it...

On Wed, Mar 25, 2015 at 2:55 AM, Branko ─îibej <brane@apache.org> wrote:

> On 25.03.2015 09:35, Dmitriy Setrakyan wrote:
> > The first official Apache Ignite release (albeit release candidate) was
> > uploaded and the download page is updated:
> >
> > https://ignite.incubator.apache.org/download.html
>
>
> Well, I have to say I'm confused and just a bit unhappy.
>
> We voted on a source package named
>
>     incubator-ignite-1.0.0-rc3.zip
>
> with hash
>
>     68f74cff64dabf43e8f41bc478e814102a749cce
>
> and now here I'm offered to download
>
>     ignite-fabric-1.0.0-RC3-src.zip
>
> with a different size and hash
>
>     46e932dc4e05ce757ce156f0e30d0ea98920eea8
>
> This is clearly not the source package we voted on, so it is not what
> was released by the Incubator PMC. Please fix this ASAP and let's not
> make this sort of mistake again. You have to publish the exact same
> package that was voted for release, not something else, even if the
> differences are trivial.
>
>
> Next, the package name: I'm not aware of an Apache project or podling
> called "Ignite fabric". The "incubator-ignite-x.y.z" name was fine, I
> don't understand why you renamed it. Once the podling graduates, I'd
> expect the package to be called 'apache-ignite-x.y.x' or just
> 'ignite-x.y.x'.
>
>
> Next, it would be nice if the download page stated explicitly that the
> binary package is there for convenience and is not an official ASF
> release. My suggestion would be to split the page into three sections:
>
>   * Downloads of official ASF released sources
>   * Instructions for building from source (either the unpacked package
>     or from git, or both)
>   * Link to convenience binaries built from the released sources
>
>
> And last, I believe I mentioned at some point that posting download
> links to the ASF dist server is frowned upon. The thing to do is to post
> a link to a mirror; for example:
>
>
> http://www.apache.org/dyn/closer.cgi?path=incubator/ignite/source/ignite-fabric-1.0.0-RC3-src.zip
>
> this will return a link to the geographically closest mirror. Be aware
> that it can take up to 24 hours for mirrors to synchronize once the
> package is on the dist server, so it's a good idea to wait that long
> before posting the download link and announcing the release.
>
> There are ways, with a bit of scripting on the site, to get direct
> download links instead of bouncing people through the mirrors page;
> here's an example:
>
>     http://httpd.apache.org/download.cgi
>
> Note that this page keeps the PGP/hash links pointing to our dist server
> so that a malicious hacker would have to hack into both your mirror and
> the master server to fake hashes and signatures on a hacked package.
>
>
> -- Brane
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message