It does not have to be even a separate 'entry' in the menu. It could be a sub-page of 'Install' like 'if you want to follow the source installation, you can download and verify the installation packages from here'.
Just to put it in context why it is important. The https://downloads.apache.org is really the ONLY official way of distributing the ASF software. You can find cryptographic signatures and checksums there and as of recently the PIP packages for providers (and for airflow in the next release) are the very same as the ones published via 'downloads' (so you can still verify the integrity of PIP packages by checking the checksum/signature).

Those PyPI packages are 'convenience' ones and they cannot be used to make ASF liable for any damage done: https://www.apache.org/legal/release-policy.html

This has very serious legal implications and PMC members of Apache are indemnified by ASF from any damage as long as they follow the rules. It is very important for some corporate customers. There are automated frameworks which check signatures/checksums when downloading (we had issues raised in the past about the format of the signature in the downloads site so there are users serious about it).

This has also become more and more important due to the rise of 'supply chain' attacks where malicious players might inject their code in 'trusted' sources. A very recent example of that (we were also affected and we changed our Amazon keys) https://www.computerweekly.com/news/252499587/Codecov-supply-chain-attack-has-echoes-of-SolarWinds - having signatures and checksums is the only way some of the corporate players might be sure of the origin of the software.

J.

On Wed, 5 May 2021, 21:08 Deng Xiaodong <[email protected]> wrote:

> Thanks Jarek for proposing this.
>
> One minor question I have on this is how we put this side-by-side with the "*Install*" tab/button on our site.
>
> Due to how Python packages work, for most users, there is no process of "*Download*". Instead, it is always an "*Install*" process. So for a new user visiting our site, does she/he click the "Install" button or click the "Downloads" page? This may cause minor confusion from the site UX aspect.
>
> But overall this is a good idea to me, if it's a requirement to have such a page in order to do the release announcement via [email protected].
>
> XD
>
> On Wed, May 5, 2021 at 8:54 PM Tomasz Urbaszek <[email protected]> wrote:
>
>> +1 for the idea. I think this would be another way we can emphasize the core/providers split and definitely. Probably we may consider pointing to external providers, but not sure how this is aligned with ASF rules.
>>
>> Cheers,
>> Tomek
>>
>> On Tue, 4 May 2021 at 13:00, Jarek Potiuk <[email protected]> wrote:
>> >
>> > Hello everyone,
>> >
>> > Just wanted to ask what do you think about adding a "Downloads" page to the Airflow website?
>> >
>> > I am subscribed to "[email protected]" mailing list and see new releases coming from various apache projects. It's a bit sad we do not announce Airflow there. The main reason is that we have no "Downloads" page similar to those (this is a strict requirement for "announce" messages):
>> >
>> > Few examples:
>> >
>> > * https://druid.apache.org/downloads.html
>> > * https://flink.apache.org/downloads.html
>> >
>> > Since we have now airflow core, providers, python client and soon helm chart - maybe we should have such a "Downloads" page where we (automatically) get the list of all latest packages released by Airflow, including the checksums, signatures etc., all pointing to the right links from https://downloads.apache.org/airflow/
>> >
>> > Then we could officially announce releases :).
>> >
>> > WDYT?
>> >
>> > J.
>> >
>> > --
>> > +48 660 796 129
