OK - I would now update my spec for a download page to be:
Your Apache Download page...
- ...must have at least one link to the current release. This link must
use the "closer" utility. For example:
https://www.apache.org/dyn/closer.lua/PROJECT/VERSION/SOURCE-RELEASE
- ...must have a link to the checksum and hash for the current
release. These links must use direct links to the Apache distribution
server. For example:
https://www.apache.org/dist/PROJECT/VERSION/HASH-OR-CHECKSUM
- ...must have a link to the keys file for your project. This link
must use direct links to the Apache distribution server. For example:
https://www.apache.org/dist/PROJECT/KEYS
- ...should have instructions on how to verify downloads. For this
you can include a link to the Apache documentation on verification:
http://www.apache.org/info/verification.html
- ...must not include a link to the top level "closer" utility (e.g.
http://www.apache.org/dyn/closer.cgi/PROJECT) as the KEYS, sigs and
hashes are missing, as are any verification instructions.
I still need an answer on where it should be hosted. Is it acceptable to
host on Apache's wiki or must it be hosted from the project's page (
PROJECT.apache.org)?
Thank you! Once we get this agreed on I'll post a patch for the docs (I've
never done that before though - will figure it out).
On Fri, Dec 21, 2018 at 10:41 AM sebb <seb...@gmail.com> wrote:
> On Fri, 21 Dec 2018 at 14:58, Jordan Zimmerman
> <jor...@jordanzimmerman.com> wrote:
> >
> > I still don't understand whether or not this link "
> > http://www.apache.org/dyn/closer.cgi/curator/"; is allowed on the
> download
> > page at all. Sebb's last comment was "yes and no". I have trouble
> following
> > that reply. Clear guidance is needed here. Is it allowed or not? Curator
> > was told no. What I need is a more detailed response instead of short,
> > terse directives. If it's not allow then what should I use for a link to
> > mirrors? Must I include the full list of mirrors like other sites do?
> Much
> > more guidance is needed please - over specify if you can.
>
> I meant that the generic URL
>
> http://www.apache.org/dyn/closer.cgi/curator/
>
> should not be used on download pages, as the KEYS, sigs and hashes are
> missing, as are any verification instructions.
>
> Whereas of course links to release artifacts must use a URL that starts
> with
>
> http://www.apache.org/dyn/closer.cgi/curator/
>
> but must include the full link to the specific download, e.g.
>
>
> https://www.apache.org/dyn/closer.lua/curator/4.1.0/apache-curator-4.1.0-source-release.zip
>
> > There are now ~6 responses above and I'm still not clear on if it's
> > acceptable to have this link "
> https://www.apache.org/dyn/closer.cgi#verify";
>
> That is possibly OK, but it would be better to use
>
> https://www.apache.org/info/verification.html
>
> > or this link "http://www.apache.org/dyn/closer.cgi/curator/"; on our
> > downloads page.
>
> As noted above, I think that link should not be used as it bypasses
> the verification.
>
> > I now understand that the asc, sha and keys file should
> > link directly to "https://www.apache.org/dist/curator/..."; but I don't
> know
> > what is allowed for linking to a mirror page, etc.
>
> See above.
>
> > At this point, I would
> > not be able to write a specification for how to successfully create a
> > download page. Pointing at other sites is useful. Pointing at other
> > generators is useful. However, Curator uses Maven Doxia, not cgi, etc.
>
> Commons uses Maven.
>
> > Currently, our downloads page is on Apache's wiki as it's easier for us
> to
> > manage. Then Mark Thomas says "A separate concern may be that the Curator
> > download page is being served directly from cwikia.a.o.". Are we required
> > to host our download page from "curator.apache.org"?
> >
> > So far, here's what I know if I were to start a spec for a proper
> downloads
> > page...
> >
> > Your Apache Download page...
> >
> >
> > - ...must have at least one link to the current release. This link
> must
> > use the "closer" utility. For example:
> >
> https://www.apache.org/dyn/closer.lua/PROJECT/VERSION/SOURCE-RELEASE
> > - ...must have a link to the checksum and hash for the current
> > release. These links must use direct links to the Apache
> distribution
> > server. For example:
> > https://www.apache.org/dist/PROJECT/VERSION/HASH-OR-CHECKSUM
> > - ...must have a link to the keys file for your project. This link
> > must use direct links to the Apache distribution server. For
> example:
> > https://www.apache.org/dist/PROJECT/KEYS
> >
> > At this point, these are the only three things I can say with certainty.
> > Please advise (with as much detail as you can afford).
>
> The page also needs to provide info on download verification.
>
> > -Jordan
> >
> > On Fri, Dec 21, 2018 at 4:05 AM Bertrand Delacretaz <
> bdelacre...@apache.org>
> > wrote:
> >
> > > Hi,
> > >
> > > On Thu, Dec 20, 2018 at 11:36 PM Jordan Zimmerman <randg...@apache.org
> >
> > > wrote:
> > > > ...A template with correct links
> > > > (with simple replacements for project name and version) would be
> > > > very helpful....
> > >
> > > It's not really a generic template but maybe what Sling is doing
> > > helps, the download page at https://sling.apache.org/downloads.cgi is
> > > generated using JBake and this template:
> > >
> > >
> > >
> https://github.com/apache/sling-site/blob/master/src/main/jbake/templates/downloads.tpl
> > >
> > > merged with this content page which includes the mirror selection form:
> > >
> > >
> > >
> https://github.com/apache/sling-site/blob/master/src/main/jbake/content/downloads.md
> > >
> > > and this default cgi page:
> > >
> > >
> > >
> https://github.com/apache/sling-site/blob/master/src/main/jbake/assets/downloads.cgi
> > >
> > > -Bertrand
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> > > For additional commands, e-mail: dev-h...@community.apache.org
> > >
> > >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
>
>
