www-infrastructure-dev mailing list archives

From Joseph Schaefer <joe_schae...@yahoo.com.INVALID>
Subject Re: Release Distribution Policy
Date Wed, 04 Mar 2015 14:14:50 GMT
+1 thanks for doing the heavy lifting Marvin!

Sent from my iPhone

> On Feb 28, 2015, at 4:08 PM, Marvin Humphrey <marvin@apache.org> wrote:
> 
> Greetings,
> 
> I would like to propose the following draft text for a _Release Distribution
> Policy_ to be curated by Apache Infrastructure. 
> 
>    https://github.com/rectang/asfpolicy/blob/reldist-draft1/release-distribution.md
> 
> This _Release Distribution Policy_ is intended to complement the proposed
> _Release Policy_ to be curated by Legal Affairs (see
> <https://github.com/rectang/asfrelease>).  However, for now all links in the
> draft text point to the current release policy page under
> `www.apache.org/dev`, so that Infra may adopt this policy without Legal
> Affairs having to take action on the other.
> 
> The draft text collects requirements which at present are spread across the
> following pages:
> 
> *   http://www.apache.org/dev/release
> *   http://www.apache.org/dev/release-publishing
> *   http://www.apache.org/dev/release-download-pages
> *   http://www.apache.org/dev/release-signing
> *   http://www.apache.org/dev/openpgp
> *   http://www.apache.org/dev/key-transition
> *   http://www.apache.org/dev/repository-faq
> *   http://www.apache.org/dev/publishing-maven-artifacts
> 
> A central ambition of this initiative is to make it possible for someone 
> to know all requirements for releasing through `www.apache.org/dist` having
> only consulted the official _Release Policy_ and _Release Distribution Policy_
> document -- i.e. without having to trawl through all those other documents for
> hidden requirements.
> 
> Please note that the intent of this initiative is only to clarify existing
> policy, NOT TO CHANGE IT.
> 
> Please note as well that the inclusion of an FAQ section directly below the
> Policy is a deliberate design decision, intended to limit policy bloat by
> shunting non-core material into a more loosely maintained FAQ.  If any
> requirements are missing or erroneous, please suggest policy mods; if any
> points need elaboration or need to be made more stridently, please consider
> suggesting an FAQ.
> 
> This initiative was discussed last month on general@incubator:
> <http://s.apache.org/iOl>.  A thread from last year on this list is also
> germane: <http://s.apache.org/GTk>.
> 
> Per the understanding reached on general@incubator, David Nalley, as V.P. of
> Infrastructure, holds authority over whether to adopt this document and has
> final say over its content.  Thanks to David for facilitating my involvement
> and for considering this draft.
> 
> Thanks as well to anyone else who chooses to participate in review.  For your
> convenience, the draft text is pasted below, along with a commit log.
> 
> Marvin Humphrey
> 
> ****************************************************************************
> 
> Title: Release Distribution Policy
> Notice:    Licensed to the Apache Software Foundation (ASF) under one
>           or more contributor license agreements.  See the NOTICE file
>           distributed with this work for additional information
>           regarding copyright ownership.  The ASF licenses this file
>           to you under the Apache License, Version 2.0 (the
>           "License"); you may not use this file except in compliance
>           with the License.  You may obtain a copy of the License at
>           .
>             http://www.apache.org/licenses/LICENSE-2.0
>           .
>           Unless required by applicable law or agreed to in writing,
>           software distributed under the License is distributed on an
>           "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>           KIND, either express or implied.  See the License for the
>           specific language governing permissions and limitations
>           under the License.
> 
> # Contents #
> 
> [TOC]
> 
> ----------------
> 
> # Release Distribution Policy # {#policy}
> 
> This policy governs the distribution of Apache software releases
> through channels maintained by Apache Infrastructure.  It complements Apache
> [Release Policy](http://www.apache.org/dev/release), which governs how to
> create releases.
> 
> ## Release Distribution Channels ## {#channels}
> 
> The Apache Software Foundation's official channel for distribution of current
> Apache software releases to the general public is `www.apache.org/dist`.  It
> is augmented by the ASF mirror network.
> 
> The public may also obtain Apache software from any number of downstream
> channels which redistribute our releases in either original or derived form.
> The vast majority of such downstream channels operate independently of Apache.
> 
> Apache Infrastructure maintains a number of developer-only channels which
> facilitate distribution of unreleased software to consenting members of a
> development community.
> 
> Finally, all historic Apache releases may be obtained from
> `archive.apache.org`.
> 
> ## Release Distribution Directory ## {#dist-dir}
> 
> Every top-level project at Apache has its own public distribution directory,
> which is a subdirectory of `www.apache.org/dist`.  The PMC is responsible for
> all artifacts within their distribution directory.
> 
> ## Release Content ## {#release-content}
> 
> The content of official Apache releases and the process by which valid
> releases are created is governed by Apache [Release
> Policy](http://www.apache.org/dev/release).
> 
> Release Policy [specifies](http://www.apache.org/dev/release#what) that binary
> packages provided by third parties which meet certain criteria may be
> distributed alongside official source packages.  Such packages are sometimes
> referred to as "convenience binaries" to distinguish them from other binary
> packages.
> 
> ## Public Distribution ## {#public-distribution}
> 
> All official releases MUST be uploaded to the official distribution channel,
> `www.apache.org/dist`.
> 
> Content suitable for the official distribution channel includes:
> 
> *   Official releases
> *   "Convenience binaries"
> *   Cryptographic signatures and checksums
> *   The [KEYS](#sigs-and-sums) file
> *   `README`, `CHANGES` and similar documents describing distributed
>    content
> 
> If an Apache PMC wishes to publish additional materials through the official
> distribution channel and there is any question about the suitability of said
> materials, the PMC MUST consult with the Board.
> 
> ## Distribution of Unreleased Materials ## {#unreleased}
> 
> Unreleased materials, in original or derived form...
> 
> *   MUST NOT be distributed through `www.apache.org/dist`.
> *   MUST NOT be distributed through channels which encourage use by anyone
>    outside the project development community.
> *   MUST NOT be advertised to anyone outside of the project development
>    community.
> *   MAY be distributed to consenting members of a development community.
> 
> ## Pre-upload Notification ## {#heads-up}
> 
> Releases of more than 1GB of artifacts MUST be coordinated with Infrastructure
> in advance, in order to mitigate strain on mirroring and download resources.
> 
> ## Cryptographic Signatures and Checksums ## {#sigs-and-sums}
> 
> Every artifact distributed to the public through Apache channels MUST be
> accompanied by one file containing an [OpenPGP compatible ASCII armored
> detached signature](release-signing#openpgp-ascii-detach-sig) and another file
> containing an [MD5 checksum](release-signing#md5). The names of these files
> MUST be formed by adding to the name of the artifact the following suffixes:
> 
> *   the signature by suffixing `.asc`
> *   the checksum by suffixing `.md5`
> 
> An [SHA](release-signing#sha-checksum) checksum SHOULD also be created and
> MUST be suffixed `.sha`.  The checksum SHOULD be generated using `SHA512`.
> 
> Projects MUST publish a "[KEYS](release-signing#keys-policy)" file in their
> distribution directory which contains all public keys used to sign artifacts.
> 
> Signing keys used at Apache MUST be published in the KEYS file and SHOULD be
> made available through the global [public
> keyserver](release-signing#keyserver) network.  Signing keys SHOULD be linked
> into a strong [web of trust](release-signing#web-of-trust).
> 
> Keys used to sign new artifacts MUST be RSA and at least 2048 bit.  Any new
> keys SHOULD be 4096 bit RSA.
> 
> Private keys MUST NOT be stored on any ASF machine. So, signatures
> MUST NOT be created on ASF machines.
> 
> Compromised signing keys MUST be revoked and replaced immediately.
> 
> ## Download Links ## {#download-links}
> 
> The website documentation for any Apache product MUST provide public download
> links where current official source releases and accompanying cryptographic
> files may be obtained.
> 
> All links to mirrored distribution artifacts MUST NOT reference the main
> Apache web site. They SHOULD use the standard mechanisms to distribute the
> load between the mirrors.
> 
> All links to checksums, detached signatures and public keys MUST
> reference the main Apache web site and SHOULD use `https://` (SSL).
> 
> Old releases SHOULD be [archived](#archival) and MAY be linked from public
> download pages.
> 
> ## Release Archival ## {#archival}
> 
> All releases MUST be archived on `archive.apache.org`.  This generally happens
> via an automated process which adds releases to the archive about a day after
> they first appear on `www.apache.org/dist`.
> 
> Each project's [distribution directory](#dist-dir) SHOULD contain the latest
> release in each branch that is currently under development.  When development
> ceases on a version branch, releases of that branch SHOULD be removed.
> 
> ## Maven ## {#maven}
> 
> Infrastructure operates an Apache Maven repository manager at
> [repository.apache.org](https://repository.apache.org/).  Projects MAY
> use the repository system as a downstream channel to redistribute released
> materials, and MAY use it to distribute SNAPSHOTs containing unreleased
> materials to consenting members of a project development community.
> 
> ## Policy Administration ## {#administration}
> 
> Changes to Release Distribution Policy MUST be approved by the V.P. of Apache
> Infrastructure.
> 
> ----------------
> 
> # Release Distribution FAQ # {#faq}
> 
> TODO
> 
> 
> ****************************************************************************
> 
> commit 4887a0d1d4de4f4072a8468df9a52159d7444a2b
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Thu Feb 26 19:40:01 2015 -0800
> 
>    Distill sigs-and-sums section.
> 
> commit 82a87ee84cd87f5753cebd2a56c0e6ee908c0394
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Thu Feb 26 14:48:09 2015 -0800
> 
>    Spec Maven distribution.
> 
>    Omit redundant statements about official distribution.  They can come
>    back in an FAQ entry if necessary.
> 
> commit 3a44dade0642b0ec03b7becfbebce6c965ab84df
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Thu Feb 26 14:35:46 2015 -0800
> 
>    Require coord with Infra for big uploads.
> 
>    In addition, edit out another rule requiring coordination with Infra for
>    all exceptions from release policy, because only some kinds of
>    exceptions will need that.
> 
> commit a7019a74d7badf91fc79bc62da408990f20b78fe
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 21:33:19 2015 -0800
> 
>    Flesh out "Release archival" section.
> 
> commit 8aa0dab6116becc422b07dc55c462f132b320ceb
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 21:20:12 2015 -0800
> 
>    Minor mods to #download-links.
> 
>    Change formatting.  Update a URL.  Minor wordsmithing.
> 
> commit 79353d0c8552fbce3ea05a6b44fd483c91158349
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 21:12:57 2015 -0800
> 
>    Remove section about beta releases, etc.
> 
>    Milestone, alpha and beta releases *are* official releases, since they
>    are made available outside the project development community.  Therefore
>    they do not require a special section in the policy.  (Perhaps an FAQ is
>    warranted.)
> 
> commit ac8a8fea1de470fe0b29d293fbea31346420514c
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 21:08:46 2015 -0800
> 
>    Require download links.
> 
> commit 73f7996d375fb826bafd363d6157d09b8172fff9
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 16:19:14 2015 -0800
> 
>    Describe public dist dirs.
> 
> commit 67d9ec54a1d920f903f8527b494ca68172be83df
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 13:11:32 2015 -0800
> 
>    Constrain distribution of unreleased materials.
> 
> commit 1f8886348e337d26cf4bf631aba6e2cf674a1639
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Wed Feb 25 12:45:36 2015 -0800
> 
>    Specify content suitable for public distribution.
> 
>    The whitelist of suitable content is intentionally not exhaustive;
>    instead, a clear exception mechanism is described.  This keeps the
>    policy short and hopefully leads to quick adjudication of exceptions.
> 
>    Additionally, the phrase "and there is any question about its
>    suitability" is included to grandfather in content such as "deps"
>    packages without needing to spell out every last exception.
> 
> commit 07db2af1577c5cb399a2c95c750e8f1115f226d1
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Tue Feb 24 18:43:57 2015 -0800
> 
>    Require VP Infra approval for policy changes.
> 
> commit d185dc750b5a2a1482026773364f654e530fcc95
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Mon Feb 23 08:15:13 2015 -0800
> 
>    Gather passages from existing docs.
> 
>    Pull in passages from the following documents under www.apache.org/dev
>    at revision r1661773:
> 
>    *   release.mdtext
>    *   release-publishing.mdtext
>    *   release-download-pages.mdtext
>    *   release-signing.mdtext
>    *   openpgp.mdtext
>    *   key-transition.mdtext
>    *   repository-faq.mdtext
>    *   publishing-maven-artifacts.mdtext
> 
> commit 6022d667a40d9f68299f712ea143aa2d84656c05
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Fri Feb 20 10:26:14 2015 -0800
> 
>    Refer to Release Policy for some defs.
> 
>    Leave definition of "official" release content and process and
>    "convenience binaries" to the Release Policy.
> 
> commit 6522dbeaaffcc279494a005a36a2177b00e3c68f
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Fri Feb 20 10:20:17 2015 -0800
> 
>    Add abstract describing policy scope.
> 
> commit c6ab15e4464d6a765a48c571284d01677a3ccbfb
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Fri Feb 20 08:29:07 2015 -0800
> 
>    Fill out section on distribution channels.
> 
>    Describe four different types of distribution channels: official,
>    downstream, developer and archive.
> 
> commit d3d37de6d56f18e0f84036246e10ad6533ec5bf0
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Tue Feb 17 16:30:45 2015 -0800
> 
>    Add outline and empty FAQ.
> 
>    The inclusion of an FAQ directly below the Policy is a deliberate design
>    decision.  The intent is to guard against policy bloat by shunting as
>    many potential policy modifications as possible into a less-stringently
>    maintained FAQ.
> 
> commit 13ec1a57458d025192f177ac3fc5d2d81e7c9d12
> Author: Marvin Humphrey <marvin@rectangular.com>
> Date:   Mon Feb 16 10:41:23 2015 -0800
> 
>    Create release-distribution.md.
> 
>    Only title and TOC.
> 
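The "Cryptographic Signatures and Checksums" and "Download Links" sections above describe what a consumer of a release finds next to each artifact: a detached `.asc` signature, `.md5` and `.sha` checksum files, and the project's KEYS file. The script below is an added example, written for this archive page; it is not part of Marvin's draft, nor ASF tooling. It checks the sidecar files are present under the policy's naming rule, verifies the checksums (inferring the digest algorithm from its length, so a `.sha` file that holds SHA-1 rather than the recommended SHA-512 is reported as such), verifies the signature with `gpg` against a throwaway keyring built from KEYS, and parses `gpg --with-colons --list-keys` output to flag signing keys that are not RSA of at least 2048 bits. The checksum-file layouts accepted, the artifact name `example-1.0-src.tar.gz`, and the constructed sample data in `build_sample_release` are assumptions of this example; `verify_signature` additionally assumes `gpg` is on `PATH`.

```python
"""Check a downloaded release against the sidecar files the draft policy
requires (.asc, .md5, .sha) and the project's KEYS file.
Added example, not ASF tooling; file names and sample data are constructed."""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile

# Sidecar suffixes the policy attaches to every artifact name.
REQUIRED_SIDECARS = (".asc", ".md5", ".sha")
# Digest length in hex characters -> hashlib algorithm name.
DIGEST_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def missing_sidecars(artifact):
    """Return the required sidecar suffixes that are absent next to artifact."""
    return [s for s in REQUIRED_SIDECARS if not os.path.isfile(artifact + s)]


def parse_checksum_file(path):
    """Return (algorithm, hex digest) from a checksum file.
    Accepts a bare digest, the GNU 'digest  filename' layout and the BSD
    'SHA512 (filename) = digest' layout; the algorithm is inferred from the
    digest length (assumed layouts, not specified by the policy)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for run in re.findall(r"[0-9A-Fa-f]{32,128}", text):
        if len(run) in DIGEST_BY_LENGTH:
            return DIGEST_BY_LENGTH[len(run)], run.lower()
    raise ValueError(f"no recognised digest in {path}")


def file_digest(path, algorithm):
    """Stream the file through hashlib so large artifacts are not read at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(artifact, suffix):
    """Return (algorithm, matches) for the checksum file artifact + suffix."""
    algorithm, expected = parse_checksum_file(artifact + suffix)
    return algorithm, file_digest(artifact, algorithm) == expected


def verify_signature(artifact, keys_file):
    """Import KEYS into a throwaway keyring and verify the .asc with gpg.
    True only when gpg reports a good signature; raises FileNotFoundError
    if gpg is not installed.  This proves the artifact was signed by a key
    in KEYS; fetching KEYS from the main site over https is the caller's job."""
    if shutil.which("gpg") is None:
        raise FileNotFoundError("gpg is not installed")
    with tempfile.TemporaryDirectory() as home:
        env = dict(os.environ, GNUPGHOME=home)
        subprocess.run(["gpg", "--batch", "--quiet", "--import", keys_file],
                       env=env, check=True, capture_output=True)
        result = subprocess.run(
            ["gpg", "--batch", "--verify", artifact + ".asc", artifact],
            env=env, capture_output=True)
        return result.returncode == 0


def weak_keys_in_listing(colon_output):
    """From `gpg --with-colons --list-keys` output, return the key IDs of
    primary keys that are not RSA (algorithm 1) of at least 2048 bits."""
    weak = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] != "pub" or len(fields) < 5:
            continue
        bits, algorithm, key_id = int(fields[2]), fields[3], fields[4]
        if algorithm != "1" or bits < 2048:
            weak.append(key_id)
    return weak


def build_sample_release(directory=None, tamper=False):
    """Write a constructed artifact plus sidecars; return the artifact path.
    The artifact is b'abc' and the digests are the published MD5 and SHA-512
    test vectors for that input; tamper=True appends a byte after the
    checksums were 'published'.  The .asc is a placeholder, so only the
    checksum path is exercised offline."""
    directory = directory or tempfile.mkdtemp()
    artifact = os.path.join(directory, "example-1.0-src.tar.gz")
    with open(artifact, "wb") as fh:
        fh.write(b"abc" + (b"\n" if tamper else b""))
    sha512 = ("ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
              "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f")
    with open(artifact + ".sha", "w") as fh:
        fh.write(f"{sha512}  example-1.0-src.tar.gz\n")
    with open(artifact + ".md5", "w") as fh:
        fh.write("900150983cd24fb0d6963f7d28e17f72\n")
    with open(artifact + ".asc", "w") as fh:
        fh.write("placeholder: not a real signature\n")
    return artifact


if __name__ == "__main__":
    sample = build_sample_release()
    print("missing sidecars:", missing_sidecars(sample))
    for suffix in (".md5", ".sha"):
        print(suffix, verify_checksum(sample, suffix))
```

For a real download, run `verify_signature(artifact, "KEYS")` after fetching KEYS, `.asc`, `.md5` and `.sha` from the main Apache site over `https://` as the policy's download-links section requires; only the artifact itself comes from a mirror. The `.md5` match is kept because the policy requires the file, but MD5 is not collision resistant, so treat the SHA-512 comparison and the signature as the checks that carry weight.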
