Posted to dev@cassandra.apache.org by Mick Semb Wever <mc...@apache.org> on 2022/08/11 20:40:16 UTC

[PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

The proposal is to move our official debian and redhat repositories from
downloads.apache.org to Apache's JFrog Artifactory server at apache.jfrog.io,
fronting it with the url aliases debian.cassandra.apache.org and
redhat.cassandra.apache.org.

That is to replace the following URLs from
https://downloads.apache.org/cassandra/debian/
https://downloads.apache.org/cassandra/redhat/

to
https://debian.cassandra.apache.org
https://redhat.cassandra.apache.org

(which in turn redirect to our jfrog repositories at)
https://apache.jfrog.io/artifactory/cassandra-deb
https://apache.jfrog.io/artifactory/cassandra-rpm


The rationale to do this is to avoid the strict checksum and signature
requirements on downloads.a.o (which is the same as dist.a.o), as the
debian and redhat repositories have their own system for integrity and
signing (which we already do).

These repositories and their binaries are "convenience binaries" and not
the official Cassandra source binaries, so they do not need to be on
downloads.a.o and can be served from apache.jfrog.io. This is similar to
maven binaries (and docker images).

This will BREAK everyone's existing
`/etc/apt/sources.list.d/cassandra.sources.list` and
`/etc/yum.repos.d/cassandra.repo` files. Folk will need to update these
files to point to the new repo URLs.

The plan is to do the following to ensure people are informed about this
breaking change:
 - announcement to users@
 - README.md in the original URL locations explaining the breakage and how
to fix. (The README.md must be voted on, signed and checksummed),
 - A warning banner on our website downloads page,
 - Every release email for the next 12 months will contain the warning.


background: https://issues.apache.org/jira/browse/CASSANDRA-17748

Anyone with any questions/objections?
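
The repo-file update described in the proposal above, as an added example that is not part of the original post or the project's tooling: it rewrites only the old URL prefix to the new aliases and refuses to touch a file that disables the package manager's signature checks. The series name `40x`, the `gpgkey` line and the sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): move apt/yum repo definitions to the new
# URL aliases. Only the URL prefix changes; signing settings are left untouched.
OLD='https://downloads\.apache\.org/cassandra'   # old location, dots escaped for sed/grep
NEW_DEB='https://debian.cassandra.apache.org'
NEW_RPM='https://redhat.cassandra.apache.org'

# Return 0 if FILE has an active (non-comment) line using the old repo URLs.
uses_old_repo() {
    grep -Eq "^[^#]*${OLD}/(debian|redhat)" "$1"
}

# Return 0 if FILE switches off the package manager's own signature checks.
verification_weakened() {
    grep -Eiq '^[^#]*(trusted=yes|allow-insecure=yes|gpgcheck[[:space:]]*=[[:space:]]*0)' "$1"
}

# Rewrite FILE in place, keeping FILE.bak. Returns 0 when migrated, 1 when there
# is nothing to change, 2 when signature checks are disabled (review by hand).
migrate_repo_file() {
    f=$1
    if verification_weakened "$f"; then return 2; fi
    if ! uses_old_repo "$f"; then return 1; fi
    cp -p "$f" "$f.bak"
    sed -e "s#${OLD}/debian#${NEW_DEB}#g" \
        -e "s#${OLD}/redhat#${NEW_RPM}#g" "$f.bak" > "$f"
}

# Demo on constructed files; "40x" and the gpgkey line are assumptions.
demo() {
    d=$(mktemp -d)
    printf 'deb https://downloads.apache.org/cassandra/debian 40x main\n' \
        > "$d/cassandra.sources.list"
    printf '%s\n' '[cassandra]' \
        'baseurl=https://downloads.apache.org/cassandra/redhat/40x/' \
        'gpgcheck=1' 'repo_gpgcheck=1' \
        'gpgkey=https://downloads.apache.org/cassandra/KEYS' > "$d/cassandra.repo"
    for f in "$d/cassandra.sources.list" "$d/cassandra.repo"; do
        rc=0; migrate_repo_file "$f" || rc=$?
        echo "== $f (rc=$rc)"; cat "$f"
    done
    rm -rf "$d"
}
demo
```

The `gpgkey` line in the sample is left alone because it does not sit under the `debian/` or `redhat/` paths being moved.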

Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Mick Semb Wever <mc...@apache.org>.
Thanks Bowen, Jeremiah, Brandon, Erick.

Without any further questions or objections, my plan is to move ahead with
these changes tomorrow.

On Fri, 12 Aug 2022 at 09:10, Erick Ramirez <er...@apache.org>
wrote:

> +1 from me. I think this will make it easier for new users. We just need
> to document the procedure and make it obvious to everyone else that they
> need to update their source. Cheers!
>

Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Erick Ramirez <er...@apache.org>.
+1 from me. I think this will make it easier for new users. We just need to
document the procedure and make it obvious to everyone else that they need
to update their source. Cheers!

Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Mick Semb Wever <mc...@apache.org>.
> 3. ASF Infra is requesting we remove the rpm/deb files from downloads.a.o
> asap.
>


To be accurate: ASF Infra is requiring that we fix by (extra superfluous)
signing and re-voting on all past rpm/deb files, OR remove them
from downloads.a.o, asap.

Resigning and re-voting all rpm/deb packages and repositories for all past
releases is a mammoth task that no one wants to undertake.

Furthermore, jfrog.io being built for this gives us a number of
improvements, e.g. these repositories contain all past patch versions on
each repo series (major/minor). downloads.a.o does not, and if you want to
downgrade you have to switch repositories to archives.a.o. Improving this
situation (ease of downgrades) has been requested by users a number of
times.

Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Bowen Song via dev <de...@cassandra.apache.org>.
I see. In that case, sticking to the original plan makes more sense.

On 11/08/2022 22:46, Mick Semb Wever wrote:
>
>     We should have the new domain/URL created before the final move is
>     made,
>     and redirecting to the existing download.apache.org for the time being.
>     This will ensure users can have a transition time and avoid causing a
>     cliff edge moment.
>
>
> Good idea, but in this situation it would only complicate things, 
> because (but mostly (3))
> 1. The jfrog repositories already exist, and have for a while now (we 
> just have not publicised them so much).
> 2. The new URLs are already in place, redirecting to the jfrog 
> repositories.
> 3. ASF Infra is requesting we remove the rpm/deb files from 
> downloads.a.o asap.
>
>
>

Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Mick Semb Wever <mc...@apache.org>.
>
> We should have the new domain/URL created before the final move is made,
> and redirecting to the existing download.apache.org for the time being.
> This will ensure users can have a transition time and avoid causing a
> cliff edge moment.
>


Good idea, but in this situation it would only complicate things, because
(but mostly (3))
1. The jfrog repositories already exist, and have for a while now (we just
have not publicised them so much).
2. The new URLs are already in place, redirecting to the jfrog repositories.
3. ASF Infra is requesting we remove the rpm/deb files from downloads.a.o
asap.

Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Bowen Song via dev <de...@cassandra.apache.org>.
I see. Now I fully understand the change. There are no objections from me, 
everything sounds fine.

We should have the new domain/URL created before the final move is made, 
and redirecting to the existing download.apache.org for the time being. 
This will ensure users can have a transition time and avoid causing a 
cliff edge moment.


On 11/08/2022 22:24, Brandon Williams wrote:
> Nothing is changing in regard to signing.  Both package management
> systems have their own system for that which will remain.  The package
> locations are being moved because downloads.apache.org wants another
> level of (superfluous) signing on top of that, which we do not
> currently have.
>
> Kind Regards,
> Brandon
>
> On Thu, Aug 11, 2022 at 4:20 PM Bowen Song via dev
> <de...@cassandra.apache.org> wrote:
>> In that case, the move from signed RPM/DEB to unsigned can be quite problematic to some enterprise users.
>>
>> On 11/08/2022 22:16, Jeremiah D Jordan wrote:
>>
>> For ASF projects the binary releases are always considered as “convenience binaries”, the official release is always just the source artifacts.  See the ASF release policy for more information.
>>
>> https://www.apache.org/legal/release-policy.html#compiled-packages
>>
>>
>> On Aug 11, 2022, at 4:12 PM, Bowen Song via dev <de...@cassandra.apache.org> wrote:
>>
>> I'm a bit unclear what's the scope of this change. Is it limited to the "*-bin.tar.gz" files only?
>>
>> I would assume the RPM/DEB packages are considered as parts of the "official releases", and aren't affected by this change. Am I right?
>>
>>
>> On 11/08/2022 21:59, Mick Semb Wever wrote:
>>
>>
>>>> These repositories and their binaries are "convenience binaries" and not the official Cassandra source binaries
>>> Then where are the official binaries?
>>
>>
>> Wrong wording there, thanks for catching me.
>> The official *releases* are the source artefacts, e.g. the *-src.tar.gz in https://downloads.apache.org/cassandra/4.0.5/
>>
>> The binaries (e.g. *-bin.tar.gz) are not considered official, but convenience.
>>
>> https://infra.apache.org/release-distribution.html#release-content
>> https://www.apache.org/legal/release-policy.html#artifacts
>>
>>
>>
>>

Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Brandon Williams <dr...@gmail.com>.
Nothing is changing in regard to signing.  Both package management
systems have their own system for that which will remain.  The package
locations are being moved because downloads.apache.org wants another
level of (superfluous) signing on top of that, which we do not
currently have.

Kind Regards,
Brandon

On Thu, Aug 11, 2022 at 4:20 PM Bowen Song via dev
<de...@cassandra.apache.org> wrote:
>
> In that case, the move from signed RPM/DEB to unsigned can be quite problematic to some enterprise users.
>
> On 11/08/2022 22:16, Jeremiah D Jordan wrote:
>
> For ASF projects the binary releases are always considered as “convenience binaries”, the official release is always just the source artifacts.  See the ASF release policy for more information.
>
> https://www.apache.org/legal/release-policy.html#compiled-packages
>
>
> On Aug 11, 2022, at 4:12 PM, Bowen Song via dev <de...@cassandra.apache.org> wrote:
>
> I'm a bit unclear what's the scope of this change. Is it limited to the "*-bin.tar.gz" files only?
>
> I would assume the RPM/DEB packages are considered as parts of the "official releases", and aren't affected by this change. Am I right?
>
>
> On 11/08/2022 21:59, Mick Semb Wever wrote:
>
>
>> > These repositories and their binaries are "convenience binaries" and not the official Cassandra source binaries
>>
>> Then where are the official binaries?
>
>
>
> Wrong wording there, thanks for catching me.
> The official *releases* are the source artefacts, e.g. the *-src.tar.gz in https://downloads.apache.org/cassandra/4.0.5/
>
> The binaries (e.g. *-bin.tar.gz) are not considered official, but convenience.
>
> https://infra.apache.org/release-distribution.html#release-content
> https://www.apache.org/legal/release-policy.html#artifacts
>
>
>
>

Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Mick Semb Wever <mc...@apache.org>.
The signing of the rpm/deb packages (and their repos) will not change.

Only the URL to the rpm/deb repo changes. All files (checksums and
signatures) otherwise remain identical.


On Thu, 11 Aug 2022 at 23:20, Bowen Song via dev <de...@cassandra.apache.org>
wrote:

> In that case, the move from signed RPM/DEB to unsigned can be quite
> problematic to some enterprise users.
> On 11/08/2022 22:16, Jeremiah D Jordan wrote:
>
> For ASF projects the binary releases are always considered as “convenience
> binaries”, the official release is always just the source artifacts.  See
> the ASF release policy for more information.
>
> https://www.apache.org/legal/release-policy.html#compiled-packages
>
>
> On Aug 11, 2022, at 4:12 PM, Bowen Song via dev <de...@cassandra.apache.org>
> wrote:
>
> I'm a bit unclear what's the scope of this change. Is it limited to the
> "*-bin.tar.gz" files only?
>
> I would assume the RPM/DEB packages are considered as parts of the
> "official releases", and aren't affected by this change. Am I right?
>
>
> On 11/08/2022 21:59, Mick Semb Wever wrote:
>
>
> > *These repositories and their binaries are "convenience binaries" and
>> not the official Cassandra source binaries*
>>
>> Then where are the official binaries?
>>
>
>
> Wrong wording there, thanks for catching me.
> The official *releases* are the source artefacts, e.g. the *-src.tar.gz in
> https://downloads.apache.org/cassandra/4.0.5/
>
> The binaries (e.g. *-bin.tar.gz) are not considered official, but
> convenience.
>
> https://infra.apache.org/release-distribution.html#release-content
> https://www.apache.org/legal/release-policy.html#artifacts
>
>

Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Bowen Song via dev <de...@cassandra.apache.org>.
In that case, the move from signed RPM/DEB to unsigned can be quite 
problematic to some enterprise users.

On 11/08/2022 22:16, Jeremiah D Jordan wrote:
> For ASF projects the binary releases are always considered as 
> “convenience binaries”, the official release is always just the source 
> artifacts.  See the ASF release policy for more information.
>
> https://www.apache.org/legal/release-policy.html#compiled-packages
>
>
>> On Aug 11, 2022, at 4:12 PM, Bowen Song via dev 
>> <de...@cassandra.apache.org> wrote:
>>
>> I'm a bit unclear what's the scope of this change. Is it limited to 
>> the "*-bin.tar.gz" files only?
>>
>> I would assume the RPM/DEB packages are considered as parts of the 
>> "official releases", and aren't affected by this change. Am I right?
>>
>>
>> On 11/08/2022 21:59, Mick Semb Wever wrote:
>>>
>>>     > /These repositories and their binaries are "convenience
>>>     binaries" and not the official Cassandra source binaries/
>>>
>>>     Then where are the official binaries?
>>>
>>>
>>>
>>> Wrong wording there, thanks for catching me.
>>> The official *releases* are the source artefacts, e.g. the 
>>> *-src.tar.gz in https://downloads.apache.org/cassandra/4.0.5/
>>>
>>> The binaries (e.g. *-bin.tar.gz) are not considered official, but 
>>> convenience.
>>>
>>> https://infra.apache.org/release-distribution.html#release-content
>>> https://www.apache.org/legal/release-policy.html#artifacts
>>>
>>>
>>>
>

Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Jeremiah D Jordan <je...@gmail.com>.
For ASF projects the binary releases are always considered as “convenience binaries”, the official release is always just the source artifacts.  See the ASF release policy for more information.

https://www.apache.org/legal/release-policy.html#compiled-packages


> On Aug 11, 2022, at 4:12 PM, Bowen Song via dev <de...@cassandra.apache.org> wrote:
> 
> I'm a bit unclear what's the scope of this change. Is it limited to the "*-bin.tar.gz" files only?
> I would assume the RPM/DEB packages are considered as parts of the "official releases", and aren't affected by this change. Am I right?
> 
> 
> 
> On 11/08/2022 21:59, Mick Semb Wever wrote:
>> 
>> > These repositories and their binaries are "convenience binaries" and not the official Cassandra source binaries
>> 
>> Then where are the official binaries?
>> 
>> 
>> 
>> Wrong wording there, thanks for catching me.
>> The official *releases* are the source artefacts, e.g. the *-src.tar.gz in https://downloads.apache.org/cassandra/4.0.5/
>> 
>> The binaries (e.g. *-bin.tar.gz) are not considered official, but convenience.
>> 
>> https://infra.apache.org/release-distribution.html#release-content
>> https://www.apache.org/legal/release-policy.html#artifacts
>> 
>> 
>> 


Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Bowen Song via dev <de...@cassandra.apache.org>.
I'm a bit unclear what's the scope of this change. Is it limited to the 
"*-bin.tar.gz" files only?

I would assume the RPM/DEB packages are considered as parts of the 
"official releases", and aren't affected by this change. Am I right?


On 11/08/2022 21:59, Mick Semb Wever wrote:
>
>     > /These repositories and their binaries are "convenience
>     binaries" and not the official Cassandra source binaries/
>
>     Then where are the official binaries?
>
>
>
> Wrong wording there, thanks for catching me.
> The official *releases* are the source artefacts, e.g. the 
> *-src.tar.gz in https://downloads.apache.org/cassandra/4.0.5/
>
> The binaries (e.g. *-bin.tar.gz) are not considered official, but 
> convenience.
>
> https://infra.apache.org/release-distribution.html#release-content
> https://www.apache.org/legal/release-policy.html#artifacts
>
>
>

Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Mick Semb Wever <mc...@apache.org>.
> > *These repositories and their binaries are "convenience binaries" and
> not the official Cassandra source binaries*
>
> Then where are the official binaries?
>


Wrong wording there, thanks for catching me.
The official *releases* are the source artefacts, e.g. the *-src.tar.gz in
https://downloads.apache.org/cassandra/4.0.5/

The binaries (e.g. *-bin.tar.gz) are not considered official, but
convenience.

https://infra.apache.org/release-distribution.html#release-content
https://www.apache.org/legal/release-policy.html#artifacts

Re: [PROPOSAL] Moving deb/rpm repositories from downloads.apache.org to apache.jfrog.io

Posted by Bowen Song via dev <de...@cassandra.apache.org>.
 > /These repositories and their binaries are "convenience binaries" and 
not the official Cassandra source binaries/

Then where are the official binaries?


On 11/08/2022 21:40, Mick Semb Wever wrote:
>
> The proposal is to move our official debian and redhat repositories 
> from downloads.apache.org to Apache's JFrog Artifactory server at 
> apache.jfrog.io, fronting it with the url aliases 
> debian.cassandra.apache.org and redhat.cassandra.apache.org
>
> That is to replace the following URLs from
> https://downloads.apache.org/cassandra/debian/
> https://downloads.apache.org/cassandra/redhat/
>
> to
> https://debian.cassandra.apache.org
> https://redhat.cassandra.apache.org
>
> (which in turn redirect to our jfrog repositories at)
> https://apache.jfrog.io/artifactory/cassandra-deb
> https://apache.jfrog.io/artifactory/cassandra-rpm
>
>
> The rationale to do this is to avoid the strict checksum and signature 
> requirements on downloads.a.o (which is the same as dist.a.o), as the 
> debian and redhat repositories have their own system for integrity and 
> signing (which we already do).
>
> These repositories and their binaries are "convenience binaries" and 
> not the official Cassandra source binaries, so they do not need to be 
> on downloads.a.o and can be served from apache.jfrog.io. This is 
> similar to maven binaries (and docker images).
>
> This will BREAK everyone's existing 
> `/etc/apt/sources.list.d/cassandra.sources.list` and 
> `/etc/yum.repos.d/cassandra.repo` files. Folk will need to update 
> these files to point to the new repo URLs.
>
> The plan is to do the following to ensure people are informed about 
> this breaking change:
>  - announcement to users@
>  - README.md in the original URL locations explaining the breakage and 
> how to fix. (The README.md must be voted on, signed and checksummed),
>  - A warning banner on our website downloads page,
>  - Every release email for the next 12 months will contain the warning.
>
>
> background: https://issues.apache.org/jira/browse/CASSANDRA-17748
>
> Anyone with any questions/objections?
>