funny discussion which come back around every 3years :-)
2013/6/26 sebb <seb...@gmail.com>: > On 26 June 2013 02:14, Barrie Treloar <baerr...@gmail.com> wrote: >> On 26 June 2013 09:47, sebb <seb...@gmail.com> wrote: >>> I could not find any download links for Maven source packages. >>> >>> As the ASF primary purpose is to release source, and that must be >>> released via the mirror system, there ought to be download pages with >>> links to the source package, sigs, hashes and KEYS file. >>> >>> Yes, there are source packages for some Maven plugins, but that is not >>> the same as providing download pages. >>> >>> AFAIK every single other ASF project has download pages. >> >> >> As a PMC member, I welcome scrutiny that we are following the >> designated procedures. >> >> Apologies for the length, I had to do some digging around to actually >> remind myself of what we are meant to do. >> >> According to http://www.apache.org/dev/release.html >> >> http://www.apache.org/dev/release.html#where-do-releases-go >> >> "Where do releases go? >> >> A release isn't 'released' until the contents are in the project's >> distribution directory, which is a subdirectory of >> www.apache.org/dist/. In addition to the distribution directory, >> project that use Maven or a related build tool sometimes place their >> releases on repository.apache.org beside some convenience binaries. >> The distribution directory is required, while the repository system is >> an optional convenience." >> >> And http://www.apache.org/dev/release.html#what-must-every-release-contain >> >> "What Must Every ASF Release Contain? >> >> Every ASF release must contain a source package, which must be >> sufficient for a user to build and test the release provided they have >> access to the appropriate platform and tools. The source package must >> be cryptographically signed by the Release Manager with a detached >> signature; and that package together with its signature must be tested >> prior to voting +1 for release. Folks who vote +1 for release may >> offer their own cryptographic signature to be concatenated with the >> detached signature file (at the Release Manager's discretion) prior to >> release. >> >> Note that the PMC is responsible for all artifacts in their >> distribution directory, which is a subdirectory of >> www.apache.org/dist/ ; and all artifacts placed in their directory >> must be signed by a committer, preferably by a PMC member. It is also >> necessary for the PMC to ensure that the source package is sufficient >> to build any binary artifacts associated with the release. >> >> Every ASF release must comply with ASF licensing policy. This >> requirement is of utmost importance and an audit should be performed >> before any full release is created. In particular, every artifact >> distributed must contain only appropriately licensed code. More >> information can be found in the foundation website and in the release >> licensing FAQ." >> >> And http://www.apache.org/dev/release.html#release-announcements >> >> "How Should Releases Be Announced? >> >> Please ensure that you wait at least 24 hours after uploading a new >> release before updating the project download page and sending the >> announcement email(s). This is so that mirrors have sufficient time to >> catch up. (For time-critical security releases, the download pages >> script supports bypassing this requirement.)" >> >> As far as I can tell there is no official policy requiring projects to >> provide a download page. >> It is just a convenience to end users to give them a direct download link. >> The ASF documentation clearly defines where distributions must be placed. >> Since you want people to use your project it makes sense to create a >> download page to make it easy for them. >> >> For Maven itself there are clearly defined download links from the >> main entry point http://maven.apache.org. >> >> For plugins I dont think it makes any sense to provide direct download >> links to sources. >> I checked http://www.apache.org/dev/release.html#maven-artifacts, >> which links to http://www.apache.org/dev/publishing-maven-artifacts.html >> doesn't provide any more guidance here either. >> >> So why doesn't it make sense to provide direct download links? >> Because it is Maven that is the consumer of artifacts rather than the end >> users. >> And an end user is not likely to be building a plugin from source and >> then installing it into their local Maven cache, it is much easier to >> get Maven to download the binaries and use them that way. >> >> The only reason I can think of a user wanting access to the source is >> so they can make modifications, and if they dont know about the ASF >> distribution pages, we give them the source repository link, e.g. >> http://maven.apache.org/plugins/maven-compiler-plugin/source-repository.html, >> on the automatically generated web pages. To me this is better as they >> can then create patches. >> >> Does that make sense? > > The point is that the ASF release source, and it must be provided for > download via the ASF mirrors. > > See: > > http://www.apache.org/dev/release.html#host-GA > > If you don't point users to the source, I don't see how you can claim > it has been properly released. > >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org >> For additional commands, e-mail: dev-h...@maven.apache.org >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org > For additional commands, e-mail: dev-h...@maven.apache.org > -- Olivier Lamy Ecetera: http://ecetera.com.au http://twitter.com/olamy | http://linkedin.com/in/olamy --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
