On Wed, Nov 14, 2018 at 11:32 PM Daniel Shahaf <d...@daniel.shahaf.name> wrote:
<snip>
> I think Jim and Greg were describing theory, not practice. We can shout
> from the rooftops that We Do Not Release Binaries, but then you have
> download pages like [1] that present binary artifacts on equal footing
> with source artifacts, without even paying lip service by including the
> term "convenience" somewhere.
>
> The PMC in [1] _is_ releasing binaries as official artifacts — possibly
> in contravention of Board policy, but that's neither here nor there:
> users who visit download pages are not expected to know Board policies.
> A user who visits [1] _will_ consider the binary artifacts official,
> because they are presented as such.
>
> If that's an undesirable outcome, then the Board should enforce its
> policy that download pages aren't to present binaries as official
> artifacts. (Which, I think, is what David was getting at.)
>
<snip>
> [1] <http://redacted.apache.org/download.html>. (I won't name and
> shame, sorry. Could someone volunteer his own PMC's download page for
> a case study? I would volunteer Subversion but I think our download
> page is compliant.)
>
Yes, we can say they aren't official, but that denies the reality of what projects are doing, and how the foundation celebrates them[1]. We also have multiple projects producing binaries, and signing those binaries with the ASF's code signing keys[2], for which we had to jump through a lot of hoops to verify our identity as being the real Apache Software Foundation. We have another project about to use the ASF's corporate Apple Developer account to 'notarize' releases so they are identified as originating from the ASF.[3]

IMO, we can label them as 'not releases' and put stickers on them that say 'unofficial', but the reality is that we are distributing terabytes of binaries every day from Foundation resources, occasionally even stamping them with our official signing certificates, and that should dispel any illusions we have about those not being actions of the Foundation.

In my opinion as a single IPMC member (and only wearing that particular hat), if your podling is shipping binaries, you should review and vote on them. To ignore them seems irresponsible.

--David

[1] https://www.cnbc.com/2014/04/17/globe-newswire-the-apache-software-foundation-announces-100-million-downloads-of-apachetm-openofficetm.html in which we issue a press release to celebrate that individuals all over the world downloaded 100 million copies of a binary "non-release".
[2] https://blogs.apache.org/infra/entry/code_signing_service_now_available
[3] https://lists.apache.org/thread.html/15ef4c390c6eba7ca80836c214b1121681310d44fe79b32f175aedc3@%3Cprivate.openoffice.apache.org%3E