From Joseph Schaefer <joe_schae...@yahoo.com.INVALID>
Subject Re: Release Distribution Policy
Date Thu, 05 Mar 2015 04:30:24 GMT
Personally, Marvin, you are overthinking this.  The draft is a good step in the right direction
but nobody including me will ever invest a comparable amount of time in reviewing it to what
you've already done.  Let's just move forward with what you've got and deal with bugs just
like we would with any other document on the site.

The proof will only come in the increased ability of projects new and old to fully comply.

Sent from my iPhone

> On Feb 28, 2015, at 4:08 PM, Marvin Humphrey <marvin@apache.org> wrote:
> 
> Greetings,
> 
> I would like to propose the following draft text for a _Release Distribution
> Policy_ to be curated by Apache Infrastructure. 
> 
>    https://github.com/rectang/asfpolicy/blob/reldist-draft1/release-distribution.md
> 
> This _Release Distribution Policy_ is intended to complement the proposed
> _Release Policy_ to be curated by Legal Affairs (see
> <https://github.com/rectang/asfrelease>).  However, for now all links in the
> draft text point to the current release policy page under
> `www.apache.org/dev`, so that Infra may adopt this policy without Legal
> Affairs having to take action on the other.
> 
> The draft text collects requirements which at present are spread across the
> following pages:
> 
> *   http://www.apache.org/dev/release
> *   http://www.apache.org/dev/release-publishing
> *   http://www.apache.org/dev/release-download-pages
> *   http://www.apache.org/dev/release-signing
> *   http://www.apache.org/dev/openpgp
> *   http://www.apache.org/dev/key-transition
> *   http://www.apache.org/dev/repository-faq
> *   http://www.apache.org/dev/publishing-maven-artifacts
> 
> A central ambition of this initiative is to make it possible for someone 
> to know all requirements for releasing through `www.apache.org/dist` having
> only consulted the official _Release Policy_ and _Release Distribution Policy_
> document -- i.e. without having to trawl through all those other documents for
> hidden requirements.
> 
> Please note that the intent of this initiative is only to clarify existing
> policy, NOT TO CHANGE IT.
> 
> Please note as well that the inclusion of an FAQ section directly below the
> Policy is a deliberate design decision, intended to limit policy bloat by
> shunting non-core material into a more loosely maintained FAQ.  If any
> requirements are missing or erroneous, please suggest policy mods; if any
> points need elaboration or need to be made more stridently, please consider
> suggesting an FAQ.
> 
> This initiative was discussed last month on general@incubator:
> <http://s.apache.org/iOl>.  A thread from last year on this list is also
> germane: <http://s.apache.org/GTk>.
> 
> Per the understanding reached on general@incubator, David Nalley, as V.P. of
> Infrastructure, holds authority over whether to adopt this document and has
> final say over its content.  Thanks to David for facilitating my involvement
> and for considering this draft.
> 
> Thanks as well to anyone else who chooses to participate in review.  For your
> convenience, the draft text is pasted below, along with a commit log.
> 
> Marvin Humphrey
> 
> ****************************************************************************
> 
> Title: Release Distribution Policy
> Notice:    Licensed to the Apache Software Foundation (ASF) under one
>           or more contributor license agreements.  See the NOTICE file
>           distributed with this work for additional information
>           regarding copyright ownership.  The ASF licenses this file
>           to you under the Apache License, Version 2.0 (the
>           "License"); you may not use this file except in compliance
>           with the License.  You may obtain a copy of the License at
>           .
>             http://www.apache.org/licenses/LICENSE-2.0
>           .
>           Unless required by applicable law or agreed to in writing,
>           software distributed under the License is distributed on an
>           "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>           KIND, either express or implied.  See the License for the
>           specific language governing permissions and limitations
>           under the License.
> 
> # Contents #
> 
> [TOC]
> 
> ----------------
> 
> # Release Distribution Policy # {#policy}
> 
> This policy governs the distribution of Apache software releases
> through channels maintained by Apache Infrastructure.  It complements Apache
> [Release Policy](http://www.apache.org/dev/release), which governs how to
> create releases.
> 
> ## Release Distribution Channels ## {#channels}
> 
> The Apache Software Foundation's official channel for distribution of current
> Apache software releases to the general public is `www.apache.org/dist`.  It
> is augmented by the ASF mirror network.
> 
> The public may also obtain Apache software from any number of downstream
> channels which redistribute our releases in either original or derived form.
> The vast majority of such downstream channels operate independently of Apache.
> 
> Apache Infrastructure maintains a number of developer-only channels which
> facilitate distribution of unreleased software to consenting members of a
> development community.
> 
> Finally, all historic Apache releases may be obtained from
> `archive.apache.org`.
> 
> ## Release Distribution Directory ## {#dist-dir}
> 
> Every top-level project at Apache has its own public distribution directory,
> which is a subdirectory of `www.apache.org/dist`.  The PMC is responsible for
> all artifacts within their distribution directory.
> 
> ## Release Content ## {#release-content}
> 
> The content of official Apache releases and the process by which valid
> releases are created is governed by Apache [Release
> Policy](http://www.apache.org/dev/release).
> 
> Release Policy [specifies](http://www.apache.org/dev/release#what) that binary
> packages provided by third parties which meet certain criteria may be
> distributed alongside official source packages.  Such packages are sometimes
> referred to as "convenience binaries" to distinguish them from other binary
> packages.
> 
> ## Public Distribution ## {#public-distribution}
> 
> All official releases MUST be uploaded to the official distribution channel,
> `www.apache.org/dist`.
> 
> Content suitable for the official distribution channel includes:
> 
> *   Official releases
> *   "Convenience binaries"
> *   Cryptographic signatures and checksums
> *   The [KEYS](#sigs-and-sums) file
> *   `README`, `CHANGES` and similar documents describing distributed
>    content
> 
> If an Apache PMC wishes to publish additional materials through the official
> distribution channel and there is any question about the suitability of said
> materials, the PMC MUST consult with the Board.
> 
> ## Distribution of Unreleased Materials ## {#unreleased}
> 
> Unreleased materials, in original or derived form...
> 
> *   MUST NOT be distributed through `www.apache.org/dist`.
> *   MUST NOT be distributed through channels which encourage use by anyone
>    outside the project development community.
> *   MUST NOT be advertised to anyone outside of the project development
>    community.
> *   MAY be distributed to consenting members of a development community.
> 
> ## Pre-upload Notification ## {#heads-up}
> 
> Releases of more than 1GB of artifacts MUST be coordinated with Infrastructure
> in advance, in order to mitigate strain on mirroring and download resources.
> 
> ## Cryptographic Signatures and Checksums ## {#sigs-and-sums}
> 
> Every artifact distributed to the public through Apache channels MUST be
> accompanied by one file containing an [OpenPGP compatible ASCII armored
> detached signature](release-signing#openpgp-ascii-detach-sig) and another file
> containing an [MD5 checksum](release-signing#md5). The names of these files
> MUST be formed by adding to the name of the artifact the following suffixes:
> 
> *   the signature by suffixing `.asc`
> *   the checksum by suffixing `.md5`
> 
> An [SHA](release-signing#sha-checksum) checksum SHOULD also be created and
> MUST be suffixed `.sha`.  The checksum SHOULD be generated using `SHA512`.
> 
> Projects MUST publish a "[KEYS](release-signing#keys-policy)" file in their
> distribution directory which contains all public keys used to sign artifacts.
> 
> Signing keys used at Apache MUST be published in the KEYS file and SHOULD be
> made available through the global [public
> keyserver](release-signing#keyserver) network.  Signing keys SHOULD be linked
> into a strong [web of trust](release-signing#web-of-trust).
> 
> Keys used to sign new artifacts MUST be RSA and at least 2048 bit.  Any new
> keys SHOULD be 4096 bit RSA.
> 
> Private keys MUST NOT be stored on any ASF machine. So, signatures
> MUST NOT be created on ASF machines.
> 
> Compromised signing keys MUST be revoked and replaced immediately.
> 
> ## Download Links ## {#download-links}
> 
> The website documentation for any Apache product MUST provide public download
> links where current official source releases and accompanying cryptographic
> files may be obtained.
> 
> All links to mirrored distribution artifacts MUST NOT reference the main
> Apache web site. They SHOULD use the standard mechanisms to distribute the
> load between the mirrors.
> 
> All links to checksums, detached signatures and public keys MUST
> reference the main Apache web site and SHOULD use `https://` (SSL).
> 
> Old releases SHOULD be [archived](#archival) and MAY be linked from public
> download pages.
> 
> ## Release Archival ## {#archival}
> 
> All releases MUST be archived on `archive.apache.org`.  This generally happens
> via an automated process which adds releases to the archive about a day after
> they first appear on `www.apache.org/dist`.
> 
> Each project's [distribution directory](#dist-dir) SHOULD contain the latest
> release in each branch that is currently under development.  When development
> ceases on a version branch, releases of that branch SHOULD be removed.
> 
> ## Maven ## {#maven}
> 
> Infrastructure operates an Apache Maven repository manager at
> [repository.apache.org](https://repository.apache.org/).  Projects MAY
> use the repository system as a downstream channel to redistribute released
> materials, and MAY use it to distribute SNAPSHOTs containing unreleased
> materials to consenting members of a project development community.
> 
> ## Policy Administration ## {#administration}
> 
> Changes to Release Distribution Policy MUST be approved by the V.P. of Apache
> Infrastructure.
> 
> ----------------
> 
> # Release Distribution FAQ # {#faq}
> 
> TODO
> 
> 
> ****************************************************************************
> 
> commit 4887a0d1d4de4f4072a8468df9a52159d7444a2b
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Thu Feb 26 19:40:01 2015 -0800
> 
>    Distill sigs-and-sums section.
> 
> commit 82a87ee84cd87f5753cebd2a56c0e6ee908c0394
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Thu Feb 26 14:48:09 2015 -0800
> 
>    Spec Maven distribution.
> 
>    Omit redundant statements about official distribution.  They can come
>    back in an FAQ entry if necessary.
> 
> commit 3a44dade0642b0ec03b7becfbebce6c965ab84df
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Thu Feb 26 14:35:46 2015 -0800
> 
>    Require coord with Infra for big uploads.
> 
>    In addition, edit out another rule requiring coordination with Infra for
>    all exceptions from release policy, because only some kinds of
>    exceptions will need that.
> 
> commit a7019a74d7badf91fc79bc62da408990f20b78fe
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 21:33:19 2015 -0800
> 
>    Flesh out "Release archival" section.
> 
> commit 8aa0dab6116becc422b07dc55c462f132b320ceb
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 21:20:12 2015 -0800
> 
>    Minor mods to #download-links.
> 
>    Change formatting.  Update a URL.  Minor wordsmithing.
> 
> commit 79353d0c8552fbce3ea05a6b44fd483c91158349
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 21:12:57 2015 -0800
> 
>    Remove section about beta releases, etc.
> 
>    Milestone, alpha and beta releases *are* official releases, since they
>    are made available outside the project development community.  Therefore
>    they do not require a special section in the policy.  (Perhaps an FAQ is
>    warranted.)
> 
> commit ac8a8fea1de470fe0b29d293fbea31346420514c
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 21:08:46 2015 -0800
> 
>    Require download links.
> 
> commit 73f7996d375fb826bafd363d6157d09b8172fff9
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 16:19:14 2015 -0800
> 
>    Describe public dist dirs.
> 
> commit 67d9ec54a1d920f903f8527b494ca68172be83df
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 13:11:32 2015 -0800
> 
>    Constrain distribution of unreleased materials.
> 
> commit 1f8886348e337d26cf4bf631aba6e2cf674a1639
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 12:45:36 2015 -0800
> 
>    Specify content suitable for public distribution.
> 
>    The whitelist of suitable content is intentionally not exhaustive;
>    instead, a clear exception mechanism is described.  This keeps the
>    policy short and hopefully leads to quick adjudication of exceptions.
> 
>    Additionally, the phrase "and there is any question about its
>    suitability" is included to grandfather in content such as "deps"
>    packages without needing to spell out every last exception.
> 
> commit 07db2af1577c5cb399a2c95c750e8f1115f226d1
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Tue Feb 24 18:43:57 2015 -0800
> 
>    Require VP Infra approval for policy changes.
> 
> commit d185dc750b5a2a1482026773364f654e530fcc95
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Mon Feb 23 08:15:13 2015 -0800
> 
>    Gather passages from existing docs.
> 
>    Pull in passages from the following documents under www.apache.org/dev
>    at revision r1661773:
> 
>    *   release.mdtext
>    *   release-publishing.mdtext
>    *   release-download-pages.mdtext
>    *   release-signing.mdtext
>    *   openpgp.mdtext
>    *   key-transition.mdtext
>    *   repository-faq.mdtext
>    *   publishing-maven-artifacts.mdtext
> 
> commit 6022d667a40d9f68299f712ea143aa2d84656c05
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Fri Feb 20 10:26:14 2015 -0800
> 
>    Refer to Release Policy for some defs.
> 
>    Leave definition of "official" release content and process and
>    "convenience binaries" to the Release Policy.
> 
> commit 6522dbeaaffcc279494a005a36a2177b00e3c68f
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Fri Feb 20 10:20:17 2015 -0800
> 
>    Add abstract describing policy scope.
> 
> commit c6ab15e4464d6a765a48c571284d01677a3ccbfb
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Fri Feb 20 08:29:07 2015 -0800
> 
>    Fill out section on distribution channels.
> 
>    Describe four different types of distribution channels: official,
>    downstream, developer and archive.
> 
> commit d3d37de6d56f18e0f84036246e10ad6533ec5bf0
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Tue Feb 17 16:30:45 2015 -0800
> 
>    Add outline and empty FAQ.
> 
>    The inclusion of an FAQ directly below the Policy is a deliberate design
>    decision.  The intent is to guard against policy bloat by shunting as
>    many potential policy modifications as possible into a less-stringently
>    maintained FAQ.
> 
> commit 13ec1a57458d025192f177ac3fc5d2d81e7c9d12
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Mon Feb 16 10:41:23 2015 -0800
> 
>    Create release-distribution.md.
> 
>    Only title and TOC.
> 

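The draft's "Cryptographic Signatures and Checksums" section describes a set of conventions a consumer can check mechanically: every artifact has a `.asc` and a `.md5`, SHOULD have a `.sha` (ideally SHA512), and the directory carries a `KEYS` file. The following is an added example, not part of the draft or of any ASF tooling, that audits a local copy of a distribution directory against those rules; it assumes checksum files hold either a bare hex digest or the coreutils `hex  filename` layout, and that `gpg` is on `PATH` when signature verification is requested.

```python
import hashlib
import os
import shutil
import subprocess

def list_artifacts(names):
    # Everything except KEYS and the draft's three companion suffixes is an artifact.
    return sorted(n for n in names
                  if n != "KEYS" and not n.endswith((".asc", ".md5", ".sha")))

def check_sum(artifact_path, sum_path):
    """Return (matches, algorithm); '.sha' names no hash, so infer it from digest length."""
    with open(sum_path) as f:
        expected = f.read().split()[0].lower()  # 'hex' or coreutils 'hex  filename'
    algo = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}.get(len(expected))
    if algo is None:
        return False, None
    h = hashlib.new(algo)
    with open(artifact_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == expected, algo

def signature_ok(artifact_path, keys_path):
    """gpg-verify the detached .asc against a throwaway keyring built from KEYS only."""
    if shutil.which("gpg") is None:
        return None  # nothing verified; callers must not treat this as a pass
    gpg = ["gpg", "--batch", "--no-default-keyring", "--keyring", keys_path + ".ring"]
    subprocess.run(gpg + ["--import", keys_path], capture_output=True)
    return subprocess.run(gpg + ["--verify", artifact_path + ".asc", artifact_path],
                          capture_output=True).returncode == 0

def audit_dist_dir(path, verify_sigs=True):
    """Return a list of findings; an empty list means the directory complies."""
    names = set(os.listdir(path))
    findings = [] if "KEYS" in names else ["KEYS: MUST be present"]
    for art in list_artifacts(names):
        full = os.path.join(path, art)
        for suffix, level in ((".asc", "MUST"), (".md5", "MUST"), (".sha", "SHOULD")):
            if art + suffix not in names:
                findings.append(f"{art}: {level} have {suffix}")
            elif suffix != ".asc":
                ok, algo = check_sum(full, full + suffix)
                if not ok:
                    findings.append(f"{art}{suffix}: checksum mismatch")
                elif suffix == ".sha" and algo != "sha512":
                    findings.append(f"{art}.sha: uses {algo}, SHOULD be SHA512")
        if verify_sigs and art + ".asc" in names and "KEYS" in names:
            if signature_ok(full, os.path.join(path, "KEYS")) is False:
                findings.append(f"{art}.asc: does not verify against KEYS")
    return findings
```

A `None` from `signature_ok` is deliberately not reported as a pass: a missing `gpg` means the signature was never checked, which matters more than the checksum results since the checksums live on the same mirror as the artifact.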