Hi, On Thu, Jan 9, 2025 at 11:25 AM tison <wander4...@gmail.com> wrote: > ...I'd like to establish a consensus to explicitly allow making release > candidates publicly accessible during the voting period...
Aren't most or all ASF release candidates publicly accessible already? As in "you can get it if you know the URL", without requiring credentials, even though that URL is not widely published. > ...nowadays verifiers > would find it more convenient to pull the release candidate from a > central repository, like Maven Central, PyPI, crates.io, etc... I think publishing to such public channels can be problematic in terms of the legal shield that the ASF provides. For that to work, each software release must be "an act of the Foundation", so that people can't go after individual contributors if something bad happens. So, if you think publishing to those channels significantly helps validate releases, I think you need to find a way to enforce that "act of the Foundation" bit. I *think* our infrastructure team is working on improved software distribution mechanisms, what you are asking for might be a feature request for that. -Bertrand --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@community.apache.org For additional commands, e-mail: dev-h...@community.apache.org
