I think there is a bright-line distinction between Apache binary distributions 
and distributions made by third parties.  In particular, I don't think that 
taking builds off of a buildbot or any other developer or overnight builds will 
count, although release candidates come close.

I think it has to do with authenticity. (I am agreeing with Roman, but include 
verifiable provenance here.) When an Apache Project makes convenience binaries 
from a specific source code release and declares them authentic via 
release-manager control (even though not a source code release), via code 
signing via Apache committer signatures, including the release manager's, using 
and arranging publication of appropriately named files for download in some 
manner while housing the integrity hashes and signatures on secure Apache 
infrastructure, I would say that is an Apache [Convenience] Binary 
Distribution.  Any release notes and support information about those identified 
binary distributions are about those and not anything else.  There is clear 
provenance that such distributions are specifically provided for public use by 
the Apache Project and that the Apache Project will stand behind them in an 
appropriate manner.  (Take bug reports against the binaries, deal with security 
vulnerabilities, no matter their origin in the Apache source code, etc.)

 - Dennis

-----Original Message-----
From: shaposh...@gmail.com [mailto:shaposh...@gmail.com] On Behalf Of Roman 
Shaposhnik
Sent: Thursday, August 6, 2015 17:51
To: general@incubator.apache.org
Subject: Re: apache binary distributions

On Thu, Aug 6, 2015 at 1:15 AM, Jochen Theodorou <blackd...@gmx.org> wrote:
[ ... ]
if PMC produced a release then binary convenience
artifacts are easy: anything that corresponds to that release *could*
be considered an official binary convenience artifact for the release
(see my point above on 3rd party vs. PMCs actually producing these
binaries).

IOW, what makes a binary convenience artifact an official ASF
artifact is not whether it got designated as such, but whether it
corresponds to an official source release produced by the PMC.

> Same for links for example to docker image distribution servers...
> or let's say a link to an ubuntu package. On the other hand you
> can put disclaimers on the pages stating they are not official...

But they are. If they correspond to an official release.

> Then again nightly builds should be ok, if they will have the
> same disclaimer?

No. Nightly builds are special precisely because they don't
correspond to an official source release.

> Or is it ok if the nightly build comes from
> non-apache?

It is ok, but at that point it becomes a 3rd party artifact and as
such can't be promoted as part of the ASF project.

> If that is ok, then why does the release document
> not say this and is instead very strict about not promoting anything
> even beyond the dev-list? It does not make sense for me and I
> am going in circles here.

Perhaps the source of confusion is that, ironically, PMCs are *more*
constrained in what they can do compared to a 3rd party. They do get
the Apache Branding rights in return for those constraints, though.

> Of course a third person would be someone unrelated to the project.

Or related. Could even be one of the PMC members. The point
is: it is NOT PMC.

[ ... ]
