From mar...@apache.org (Marvin Humphrey)
Subject Release Distribution Policy
Date Sat, 28 Feb 2015 21:08:05 GMT

I would like to propose the following draft text for a _Release Distribution
Policy_ to be curated by Apache Infrastructure. 


This _Release Distribution Policy_ is intended to complement the proposed
_Release Policy_ to be curated by Legal Affairs (see
<https://github.com/rectang/asfrelease>).  However, for now all links in the
draft text point to the current release policy page under
`www.apache.org/dev`, so that Infra may adopt this policy without Legal
Affairs having to take action on the other.

The draft text collects requirements which at present are spread across the
following pages:

*   http://www.apache.org/dev/release
*   http://www.apache.org/dev/release-publishing
*   http://www.apache.org/dev/release-download-pages
*   http://www.apache.org/dev/release-signing
*   http://www.apache.org/dev/openpgp
*   http://www.apache.org/dev/key-transition
*   http://www.apache.org/dev/repository-faq
*   http://www.apache.org/dev/publishing-maven-artifacts

A central ambition of this initiative is to make it possible for someone
to know all requirements for releasing through `www.apache.org/dist` after
consulting only the official _Release Policy_ and _Release Distribution Policy_
documents -- i.e. without having to trawl through all those other documents for
hidden requirements.

Please note that the intent of this initiative is only to clarify existing

Please note as well that the inclusion of an FAQ section directly below the
Policy is a deliberate design decision, intended to limit policy bloat by
shunting non-core material into a more loosely maintained FAQ.  If any
requirements are missing or erroneous, please suggest policy mods; if any
points need elaboration or need to be made more stridently, please consider
suggesting an FAQ.

This initiative was discussed last month on general@incubator:
<http://s.apache.org/iOl>.  A thread from last year on this list is also
germane: <http://s.apache.org/GTk>.

Per the understanding reached on general@incubator, David Nalley, as V.P. of
Infrastructure, holds authority over whether to adopt this document and has
final say over its content.  Thanks to David for facilitating my involvement
and for considering this draft.

Thanks as well to anyone else who chooses to participate in review.  For your
convenience, the draft text is pasted below, along with a commit log.

Marvin Humphrey


Title: Release Distribution Policy
Notice:    Licensed to the Apache Software Foundation (ASF) under one
           or more contributor license agreements.  See the NOTICE file
           distributed with this work for additional information
           regarding copyright ownership.  The ASF licenses this file
           to you under the Apache License, Version 2.0 (the
           "License"); you may not use this file except in compliance
           with the License.  You may obtain a copy of the License at
           Unless required by applicable law or agreed to in writing,
           software distributed under the License is distributed on an
           KIND, either express or implied.  See the License for the
           specific language governing permissions and limitations
           under the License.

# Contents #



# Release Distribution Policy # {#policy}

This policy governs the distribution of Apache software releases
through channels maintained by Apache Infrastructure.  It complements Apache
[Release Policy](http://www.apache.org/dev/release), which governs how to
create releases.

## Release Distribution Channels ## {#channels}

The Apache Software Foundation's official channel for distribution of current
Apache software releases to the general public is `www.apache.org/dist`.  It
is augmented by the ASF mirror network.

The public may also obtain Apache software from any number of downstream
channels which redistribute our releases in either original or derived form.
The vast majority of such downstream channels operate independently of Apache.

Apache Infrastructure maintains a number of developer-only channels which
facilitate distribution of unreleased software to consenting members of a
development community.

Finally, all historic Apache releases may be obtained from

## Release Distribution Directory ## {#dist-dir}

Every top-level project at Apache has its own public distribution directory,
which is a subdirectory of `www.apache.org/dist`.  The PMC is responsible for
all artifacts within its distribution directory.

## Release Content ## {#release-content}

The content of official Apache releases and the process by which valid
releases are created are governed by Apache [Release

Release Policy [specifies](http://www.apache.org/dev/release#what) that binary
packages provided by third parties which meet certain criteria may be
distributed alongside official source packages.  Such packages are sometimes
referred to as "convenience binaries" to distinguish them from other binary

## Public Distribution ## {#public-distribution}

All official releases MUST be uploaded to the official distribution channel,

Content suitable for the official distribution channel includes:

*   Official releases
*   "Convenience binaries"
*   Cryptographic signatures and checksums
*   The [KEYS](#sigs-and-sums) file
*   `README`, `CHANGES` and similar documents describing distributed

If an Apache PMC wishes to publish additional materials through the official
distribution channel and there is any question about the suitability of said
materials, the PMC MUST consult with the Board.

## Distribution of Unreleased Materials ## {#unreleased}

Unreleased materials, in original or derived form...

*   MUST NOT be distributed through `www.apache.org/dist`.
*   MUST NOT be distributed through channels which encourage use by anyone
    outside the project development community.
*   MUST NOT be advertised to anyone outside of the project development
*   MAY be distributed to consenting members of a development community.

## Pre-upload Notification ## {#heads-up}

Releases of more than 1GB of artifacts MUST be coordinated with Infrastructure
in advance, in order to mitigate strain on mirroring and download resources.

## Cryptographic Signatures and Checksums ## {#sigs-and-sums}

Every artifact distributed to the public through Apache channels MUST be
accompanied by one file containing an [OpenPGP compatible ASCII armored
detached signature](release-signing#openpgp-ascii-detach-sig) and another file
containing an [MD5 checksum](release-signing#md5). The names of these files
MUST be formed by adding to the name of the artifact the following suffixes:

*   the signature by suffixing `.asc`
*   the checksum by suffixing `.md5`

A [SHA](release-signing#sha-checksum) checksum SHOULD also be created and
MUST be suffixed `.sha`.  The checksum SHOULD be generated using `SHA512`.

Projects MUST publish a "[KEYS](release-signing#keys-policy)" file in their
distribution directory which contains all public keys used to sign artifacts.

Signing keys used at Apache MUST be published in the KEYS file and SHOULD be
made available through the global [public
keyserver](release-signing#keyserver) network.  Signing keys SHOULD be linked
into a strong [web of trust](release-signing#web-of-trust).

Keys used to sign new artifacts MUST be RSA and at least 2048 bit.  Any new
keys SHOULD be 4096 bit RSA.

Private keys MUST NOT be stored on any ASF machine.  Consequently, signatures
MUST NOT be created on ASF machines.

Compromised signing keys MUST be revoked and replaced immediately.
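
The following Python script is an added example, not part of the draft and not ASF tooling: it audits one distribution directory against this section, reporting missing `.asc`, `.md5` and `.sha` sidecars, a missing `KEYS` file, digests that do not match the artifact, and a `.sha` that is not SHA512. The three checksum-file layouts it parses (bare hex, coreutils `hex  name`, and the `name: HE XH EX` form written by `gpg --print-md`) are an assumption, as is the use of a throwaway `GNUPGHOME` so that `gpg --verify` never touches the operator's own keyring. The sample directory it builds is constructed, with placeholder `KEYS` and `.asc` contents.

```python
"""Added example: audit one distribution directory against the signature and
checksum rules of the Release Distribution Policy.  Not ASF tooling."""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

COMPANION_SUFFIXES = (".asc", ".md5", ".sha")          # sidecars the policy requires
HEX = re.compile(r"^[0-9A-Fa-f]+$")
# hex length -> hashlib name; .sha SHOULD be SHA-512, other lengths get a note
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_digest(text: str) -> str:
    """Assumed layouts: 'HEX', coreutils 'HEX  name', or gpg --print-md 'name: HE XH'."""
    tokens = text.strip().split()
    if tokens and tokens[0].endswith(":"):
        tokens = tokens[1:]                                 # drop 'name:' prefix
    return "".join(t for t in tokens if HEX.match(t)).lower()


def file_digest(path: Path, algo: str) -> str:
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_artifact(path: Path) -> bool:
    """Regular files other than KEYS and the sidecars themselves."""
    return (path.is_file() and path.name != "KEYS"
            and not path.name.endswith(COMPANION_SUFFIXES))


def check_dist_dir(dist: Path) -> list:
    """Findings for one directory (empty list = clean); .asc presence only here."""
    findings = []
    if not (dist / "KEYS").is_file():
        findings.append("missing KEYS file")
    for art in sorted(p for p in dist.iterdir() if is_artifact(p)):
        for suffix in COMPANION_SUFFIXES:
            if not art.with_name(art.name + suffix).is_file():
                findings.append(f"{art.name}: missing {suffix}")
        for suffix in (".md5", ".sha"):
            sidecar = art.with_name(art.name + suffix)
            if not sidecar.is_file():
                continue
            expected = parse_digest(sidecar.read_text())
            algo = ALGO_BY_LENGTH.get(len(expected))
            # a .md5 must hold an MD5 digest and a .sha must hold anything else
            if algo is None or (suffix == ".md5") != (algo == "md5"):
                findings.append(f"{art.name}: unparseable {suffix}")
                continue
            if suffix == ".sha" and algo != "sha512":
                findings.append(f"{art.name}: .sha uses {algo}, SHA512 recommended")
            if expected != file_digest(art, algo):
                findings.append(f"{art.name}: {suffix} does not match ({algo})")
    return findings


def verify_signature(artifact: Path, keys_file: Path):
    """gpg --verify against KEYS in a throwaway GNUPGHOME; None when gpg is absent."""
    if shutil.which("gpg") is None:
        return None
    sig = artifact.with_name(artifact.name + ".asc")
    with tempfile.TemporaryDirectory() as home:
        env = dict(os.environ, GNUPGHOME=home)
        subprocess.run(["gpg", "--batch", "--quiet", "--import", str(keys_file)],
                       env=env, capture_output=True, check=False)
        done = subprocess.run(["gpg", "--batch", "--verify", str(sig), str(artifact)],
                              env=env, capture_output=True, check=False)
    return done.returncode == 0


def build_sample_dist(root: Path) -> None:
    """Constructed fixture: one consistent artifact, one with a stale .sha and no .asc."""
    good = root / "example-1.0.0-src.tar.gz"
    good.write_bytes(b"constructed sample artifact, not a real release\n")
    (root / "KEYS").write_text("# constructed placeholder KEYS file\n")
    (root / (good.name + ".asc")).write_text("placeholder detached signature\n")
    (root / (good.name + ".md5")).write_text(f"{file_digest(good, 'md5')}  {good.name}\n")
    sha = file_digest(good, "sha512").upper()
    grouped = " ".join(sha[i:i + 4] for i in range(0, len(sha), 4))   # gpg --print-md style
    (root / (good.name + ".sha")).write_text(f"{good.name}: {grouped}\n")
    bad = root / "example-1.0.1-src.tar.gz"
    bad.write_bytes(b"another constructed artifact\n")
    (root / (bad.name + ".md5")).write_text(file_digest(bad, "md5") + "\n")
    (root / (bad.name + ".sha")).write_text("0" * 128 + "\n")         # stale digest


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_dist(root)
        return check_dist_dir(root)
```

`run_demo()` returns two findings for the constructed fixture (the second artifact lacks its `.asc` and its `.sha` does not match); point `check_dist_dir` and `verify_signature` at a real directory and `KEYS` file to audit an actual release.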

## Download Links ## {#download-links}

The website documentation for any Apache product MUST provide public download
links where current official source releases and accompanying cryptographic
files may be obtained.

All links to mirrored distribution artifacts MUST NOT reference the main
Apache web site. They SHOULD use the standard mechanisms to distribute the
load between the mirrors.

All links to checksums, detached signatures and public keys MUST
reference the main Apache web site and SHOULD use `https://` (SSL).

Old releases SHOULD be [archived](#archival) and MAY be linked from public
download pages.
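
As an added example (not from the draft or any ASF tool), the following Python checker applies the link rules above to a download page: artifact links must not point at `www.apache.org/dist`, while links to checksums, signatures and `KEYS` must point at `www.apache.org` and should use `https://`. Two assumptions: artifacts are recognised by archive extension, and "the main Apache web site" for artifact links is taken to mean the `/dist/` path on `www.apache.org`, because the mirror-selection script (assumed here to be `www.apache.org/dyn/closer.cgi`, which the draft does not name) lives on the same host. The sample page is constructed.

```python
"""Added example: check a download page against the Release Distribution
Policy link rules.  Not ASF tooling; extension lists are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

MAIN_SITE = "www.apache.org"
COMPANION_SUFFIXES = (".asc", ".md5", ".sha", ".sha1", ".sha256", ".sha512")
ARTIFACT_SUFFIXES = (".tar.gz", ".tgz", ".tar.bz2", ".zip", ".jar")


class LinkCollector(HTMLParser):
    """Collect every href on the page, in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_companion(url: str) -> bool:
    """Checksum, detached signature or KEYS link."""
    path = urlparse(url).path
    return path.endswith(COMPANION_SUFFIXES) or path.rsplit("/", 1)[-1] == "KEYS"


def check_download_page(html: str) -> list:
    """Return one finding per link that violates the policy (empty = clean)."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        parts = urlparse(href)
        if is_companion(href):
            # MUST reference the main site; SHOULD use https
            if parts.netloc != MAIN_SITE:
                findings.append(f"{href}: checksum/signature/KEYS link must point at {MAIN_SITE}")
            elif parts.scheme != "https":
                findings.append(f"{href}: should use https://")
        elif parts.path.endswith(ARTIFACT_SUFFIXES):
            # MUST NOT reference the main site's /dist/ tree; use the mirror mechanism
            if parts.netloc == MAIN_SITE and parts.path.startswith("/dist/"):
                findings.append(f"{href}: artifact link must not point at {MAIN_SITE}/dist")
    return findings


# Constructed sample download page: two correct links, three violations, one mirror link.
SAMPLE_PAGE = """
<a href="http://www.apache.org/dyn/closer.cgi/example/example-1.0.0-src.tar.gz">tarball (mirror)</a>
<a href="http://www.apache.org/dist/example/example-1.0.0-src.tar.gz">tarball (main site)</a>
<a href="https://www.apache.org/dist/example/example-1.0.0-src.tar.gz.asc">signature</a>
<a href="http://www.apache.org/dist/example/example-1.0.0-src.tar.gz.md5">md5 (plain http)</a>
<a href="http://mirror.example.net/apache/example/example-1.0.0-src.tar.gz.sha">sha (mirror)</a>
<a href="https://www.apache.org/dist/example/KEYS">KEYS</a>
"""


def run_demo() -> list:
    return check_download_page(SAMPLE_PAGE)
```

`run_demo()` reports the main-site tarball link, the plain-http `.md5` link and the mirrored `.sha` link; the `closer.cgi` link, the https `.asc` link and the `KEYS` link pass.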

## Release Archival ## {#archival}

All releases MUST be archived on `archive.apache.org`.  This generally happens
via an automated process which adds releases to the archive about a day after
they first appear on `www.apache.org/dist`.

Each project's [distribution directory](#dist-dir) SHOULD contain the latest
release in each branch that is currently under development.  When development
ceases on a version branch, releases of that branch SHOULD be removed.

## Maven ## {#maven}

Infrastructure operates an Apache Maven repository manager at
[repository.apache.org](https://repository.apache.org/).  Projects MAY
use the repository system as a downstream channel to redistribute released
materials, and MAY use it to distribute SNAPSHOTs containing unreleased
materials to consenting members of a project development community.

## Policy Administration ## {#administration}

Changes to Release Distribution Policy MUST be approved by the V.P. of Apache


# Release Distribution FAQ # {#faq}



commit 4887a0d1d4de4f4072a8468df9a52159d7444a2b
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Thu Feb 26 19:40:01 2015 -0800

    Distill sigs-and-sums section.

commit 82a87ee84cd87f5753cebd2a56c0e6ee908c0394
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Thu Feb 26 14:48:09 2015 -0800

    Spec Maven distribution.
    Omit redundant statements about official distribution.  They can come
    back in an FAQ entry if necessary.

commit 3a44dade0642b0ec03b7becfbebce6c965ab84df
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Thu Feb 26 14:35:46 2015 -0800

    Require coord with Infra for big uploads.
    In addition, edit out another rule requiring coordination with Infra for
    all exceptions from release policy, because only some kinds of
    exceptions will need that.

commit a7019a74d7badf91fc79bc62da408990f20b78fe
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Wed Feb 25 21:33:19 2015 -0800

    Flesh out "Release archival" section.

commit 8aa0dab6116becc422b07dc55c462f132b320ceb
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Wed Feb 25 21:20:12 2015 -0800

    Minor mods to #download-links.
    Change formatting.  Update a URL.  Minor wordsmithing.

commit 79353d0c8552fbce3ea05a6b44fd483c91158349
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Wed Feb 25 21:12:57 2015 -0800

    Remove section about beta releases, etc.
    Milestone, alpha and beta releases *are* official releases, since they
    are made available outside the project development community.  Therefore
    they do not require a special section in the policy.  (Perhaps an FAQ is

commit ac8a8fea1de470fe0b29d293fbea31346420514c
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Wed Feb 25 21:08:46 2015 -0800

    Require download links.

commit 73f7996d375fb826bafd363d6157d09b8172fff9
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Wed Feb 25 16:19:14 2015 -0800

    Describe public dist dirs.

commit 67d9ec54a1d920f903f8527b494ca68172be83df
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Wed Feb 25 13:11:32 2015 -0800

    Constrain distribution of unreleased materials.

commit 1f8886348e337d26cf4bf631aba6e2cf674a1639
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Wed Feb 25 12:45:36 2015 -0800

    Specify content suitable for public distribution.
    The whitelist of suitable content is intentionally not exhaustive;
    instead, a clear exception mechanism is described.  This keeps the
    policy short and hopefully leads to quick adjudication of exceptions.
    Additionally, the phrase "and there is any question about its
    suitability" is included to grandfather in content such as "deps"
    packages without needing to spell out every last exception.

commit 07db2af1577c5cb399a2c95c750e8f1115f226d1
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Tue Feb 24 18:43:57 2015 -0800

    Require VP Infra approval for policy changes.

commit d185dc750b5a2a1482026773364f654e530fcc95
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Mon Feb 23 08:15:13 2015 -0800

    Gather passages from existing docs.
    Pull in passages from the following documents under www.apache.org/dev
    at revision r1661773:
    *   release.mdtext
    *   release-publishing.mdtext
    *   release-download-pages.mdtext
    *   release-signing.mdtext
    *   openpgp.mdtext
    *   key-transition.mdtext
    *   repository-faq.mdtext
    *   publishing-maven-artifacts.mdtext

commit 6022d667a40d9f68299f712ea143aa2d84656c05
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Fri Feb 20 10:26:14 2015 -0800

    Refer to Release Policy for some defs.
    Leave definition of "official" release content and process and
    "convenience binaries" to the Release Policy.

commit 6522dbeaaffcc279494a005a36a2177b00e3c68f
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Fri Feb 20 10:20:17 2015 -0800

    Add abstract describing policy scope.

commit c6ab15e4464d6a765a48c571284d01677a3ccbfb
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Fri Feb 20 08:29:07 2015 -0800

    Fill out section on distribution channels.
    Describe four different types of distribution channels: official,
    downstream, developer and archive.

commit d3d37de6d56f18e0f84036246e10ad6533ec5bf0
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Tue Feb 17 16:30:45 2015 -0800

    Add outline and empty FAQ.
    The inclusion of an FAQ directly below the Policy is a deliberate design
    decision.  The intent is to guard against policy bloat by shunting as
    many potential policy modifications as possible into a less-stringently
    maintained FAQ.

commit 13ec1a57458d025192f177ac3fc5d2d81e7c9d12
Author: Marvin Humphrey <marvin@rectangular.com>
Date:   Mon Feb 16 10:41:23 2015 -0800

    Create release-distribution.md.
    Only title and TOC.
