Posted to dev@maven.apache.org by sebb <se...@gmail.com> on 2013/06/26 02:17:26 UTC

Download links for source packages - where are they?

I could not find any download links for Maven source packages.

As the ASF primary purpose is to release source, and that must be
released via the mirror system, there ought to be download pages with
links to the source package, sigs, hashes and KEYS file.

Yes, there are source packages for some Maven plugins, but that is not
the same as providing download pages.

AFAIK every single other ASF project has download pages.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org


Re: Download links for source packages - where are they?

Posted by Olivier Lamy <ol...@apache.org>.
Funny discussion which comes back around every 3 years
:-)


2013/6/26 sebb <se...@gmail.com>:
> On 26 June 2013 02:14, Barrie Treloar <ba...@gmail.com> wrote:
>> On 26 June 2013 09:47, sebb <se...@gmail.com> wrote:
>>> I could not find any download links for Maven source packages.
>>>
>>> As the ASF primary purpose is to release source, and that must be
>>> released via the mirror system, there ought to be download pages with
>>> links to the source package, sigs, hashes and KEYS file.
>>>
>>> Yes, there are source packages for some Maven plugins, but that is not
>>> the same as providing download pages.
>>>
>>> AFAIK every single other ASF project has download pages.
>>
>>
>> As a PMC member, I welcome scrutiny that we are following the
>> designated procedures.
>>
>> Apologies for the length, I had to do some digging around to actually
>> remind myself of what we are meant to do.
>>
>> According to http://www.apache.org/dev/release.html
>>
>> http://www.apache.org/dev/release.html#where-do-releases-go
>>
>> "Where do releases go?
>>
>> A release isn't 'released' until the contents are in the project's
>> distribution directory, which is a subdirectory of
>> www.apache.org/dist/. In addition to the distribution directory,
>> project that use Maven or a related build tool sometimes place their
>> releases on repository.apache.org beside some convenience binaries.
>> The distribution directory is required, while the repository system is
>> an optional convenience."
>>
>> And http://www.apache.org/dev/release.html#what-must-every-release-contain
>>
>> "What Must Every ASF Release Contain?
>>
>> Every ASF release must contain a source package, which must be
>> sufficient for a user to build and test the release provided they have
>> access to the appropriate platform and tools. The source package must
>> be cryptographically signed by the Release Manager with a detached
>> signature; and that package together with its signature must be tested
>> prior to voting +1 for release. Folks who vote +1 for release may
>> offer their own cryptographic signature to be concatenated with the
>> detached signature file (at the Release Manager's discretion) prior to
>> release.
>>
>> Note that the PMC is responsible for all artifacts in their
>> distribution directory, which is a subdirectory of
>> www.apache.org/dist/ ; and all artifacts placed in their directory
>> must be signed by a committer, preferably by a PMC member. It is also
>> necessary for the PMC to ensure that the source package is sufficient
>> to build any binary artifacts associated with the release.
>>
>> Every ASF release must comply with ASF licensing policy. This
>> requirement is of utmost importance and an audit should be performed
>> before any full release is created. In particular, every artifact
>> distributed must contain only appropriately licensed code. More
>> information can be found in the foundation website and in the release
>> licensing FAQ."
>>
>> And http://www.apache.org/dev/release.html#release-announcements
>>
>> "How Should Releases Be Announced?
>>
>> Please ensure that you wait at least 24 hours after uploading a new
>> release before updating the project download page and sending the
>> announcement email(s). This is so that mirrors have sufficient time to
>> catch up. (For time-critical security releases, the download pages
>> script supports bypassing this requirement.)"
>>
>> As far as I can tell there is no official policy requiring projects to
>> provide a download page.
>> It is just a convenience to end users to give them a direct download link.
>> The ASF documentation clearly defines where distributions must be placed.
>> Since you want people to use your project it makes sense to create a
>> download page to make it easy for them.
>>
>> For Maven itself there are clearly defined download links from the
>> main entry point http://maven.apache.org.
>>
>> For plugins I don't think it makes any sense to provide direct download
>> links to sources.
>> I checked http://www.apache.org/dev/release.html#maven-artifacts,
>> which links to http://www.apache.org/dev/publishing-maven-artifacts.html
>> doesn't provide any more guidance here either.
>>
>> So why doesn't it make sense to provide direct download links?
>> Because it is Maven that is the consumer of artifacts rather than the end users.
>> And an end user is not likely to be building a plugin from source and
>> then installing it into their local Maven cache, it is much easier to
>> get Maven to download the binaries and use them that way.
>>
>> The only reason I can think of a user wanting access to the source is
>> so they can make modifications, and if they don't know about the ASF
>> distribution pages, we give them the source repository link, e.g.
>> http://maven.apache.org/plugins/maven-compiler-plugin/source-repository.html,
>> on the automatically generated web pages. To me this is better as they
>> can then create patches.
>>
>> Does that make sense?
>
> The point is that the ASF releases source, and it must be provided for
> download via the ASF mirrors.
>
> See:
>
> http://www.apache.org/dev/release.html#host-GA
>
> If you don't point users to the source, I don't see how you can claim
> it has been properly released.
>



-- 
Olivier Lamy
Ecetera: http://ecetera.com.au
http://twitter.com/olamy | http://linkedin.com/in/olamy



Re: Download links for source packages - where are they?

Posted by Stephen Connolly <st...@gmail.com>.
On Wednesday, 26 June 2013, Barrie Treloar wrote:

> On 26 June 2013 18:44, sebb <sebbaz@gmail.com> wrote:
> > However the ASF releases source.
> > If you don't provide a download link to the source how are users
> > supposed to find it?
> >
> > I agree that most people are not going to want to download the original source.
> > But that does not mean it should be left unlinked.
>
> We provide all that for Maven core - the bit the users care about and run.
>
> Plugins are downloaded by Maven.
> Few, if any, users are going to download a source distribution of a
> plugin and build it themselves.
> If they are going to do that, then they are likely to want to work on
> Jira issues or provide a patch and it makes much more sense to work
> with source control.
> And we have prominent links to the source control repositories,
> including the tags.


I do not think it would be a major harm to add a reporting plugin to
generate the dist download link for source bundles... As it can only add...

I agree that there is no *requirement* for us to provide the download
link... But there are things we can improve.

Until recently, it was not clear to us that the source bundles had to be
copied into the dist directory... Someone at infra wrote an audit script
and we copied all the missing bundles over for plugins (they were on
repository.apache.org so it is not that we hadn't generated them)

I think we should turn on rat for all plugins, not just core... I will look
into this next week if nobody else has...

Most likely I will turn on rat without strong enforcement just yet, and
then turn on zero tolerance in a month or so to give people the chance to
fix rat issues and get out any emergency releases that might be required
(eg if there is a CVE requiring a plugin release, you don't want that
blocked while we review the integration test data that may or may not
require an ASF license header for the test to be valid, and I'd rather have
a valid set of exclusions rather than a "let's just get the build passing to
make this release" approach which can get forgotten to unwind after)



-- 
Sent from my phone

Re: Download links for source packages - where are they?

Posted by Barrie Treloar <ba...@gmail.com>.
On 26 June 2013 18:44, sebb <se...@gmail.com> wrote:
> However the ASF releases source.
> If you don't provide a download link to the source how are users
> supposed to find it?
>
> I agree that most people are not going to want to download the original source.
> But that does not mean it should be left unlinked.

We provide all that for Maven core - the bit the users care about and run.

Plugins are downloaded by Maven.
Few, if any, users are going to download a source distribution of a
plugin and build it themselves.
If they are going to do that, then they are likely to want to work on
Jira issues or provide a patch and it makes much more sense to work
with source control.
And we have prominent links to the source control repositories,
including the tags.



Re: Download links for source packages - where are they?

Posted by sebb <se...@gmail.com>.
On 26 June 2013 02:48, Barrie Treloar <ba...@gmail.com> wrote:
> On 26 June 2013 10:48, sebb <se...@gmail.com> wrote:
>> The point is that the ASF releases source, and it must be provided for
>> download via the ASF mirrors.
>>
>> See:
>>
>> http://www.apache.org/dev/release.html#host-GA
>>
>> If you don't point users to the source, I don't see how you can claim
>> it has been properly released.
>
> Which part of http://www.apache.org/dev/release.html#host-GA do you
> think we are violating?

The spirit, if not the exact wording. Maybe the doc needs tweaking.

> Releases are available via http://archive.apache.org/dist/maven/plugins/
>
> We meet "Project download pages must link to the mirrors" for the
> "Maven Core Project" - but not the plugins.
>
> I can find no documentation that says you *must* provide a download page.
> Just that if there is a download page it must point to the mirrors.

However the ASF releases source.
If you don't provide a download link to the source how are users
supposed to find it?

I agree that most people are not going to want to download the original source.
But that does not mean it should be left unlinked.



Re: Download links for source packages - where are they?

Posted by Barrie Treloar <ba...@gmail.com>.
On 26 June 2013 10:48, sebb <se...@gmail.com> wrote:
> The point is that the ASF releases source, and it must be provided for
> download via the ASF mirrors.
>
> See:
>
> http://www.apache.org/dev/release.html#host-GA
>
> If you don't point users to the source, I don't see how you can claim
> it has been properly released.

Which part of http://www.apache.org/dev/release.html#host-GA do you
think we are violating?
Releases are available via http://archive.apache.org/dist/maven/plugins/

We meet "Project download pages must link to the mirrors" for the
"Maven Core Project" - but not the plugins.

I can find no documentation that says you *must* provide a download page.
Just that if there is a download page it must point to the mirrors.



Re: Download links for source packages - where are they?

Posted by sebb <se...@gmail.com>.
On 26 June 2013 02:14, Barrie Treloar <ba...@gmail.com> wrote:
> On 26 June 2013 09:47, sebb <se...@gmail.com> wrote:
>> I could not find any download links for Maven source packages.
>>
>> As the ASF primary purpose is to release source, and that must be
>> released via the mirror system, there ought to be download pages with
>> links to the source package, sigs, hashes and KEYS file.
>>
>> Yes, there are source packages for some Maven plugins, but that is not
>> the same as providing download pages.
>>
>> AFAIK every single other ASF project has download pages.
>
>
> As a PMC member, I welcome scrutiny that we are following the
> designated procedures.
>
> Apologies for the length, I had to do some digging around to actually
> remind myself of what we are meant to do.
>
> According to http://www.apache.org/dev/release.html
>
> http://www.apache.org/dev/release.html#where-do-releases-go
>
> "Where do releases go?
>
> A release isn't 'released' until the contents are in the project's
> distribution directory, which is a subdirectory of
> www.apache.org/dist/. In addition to the distribution directory,
> project that use Maven or a related build tool sometimes place their
> releases on repository.apache.org beside some convenience binaries.
> The distribution directory is required, while the repository system is
> an optional convenience."
>
> And http://www.apache.org/dev/release.html#what-must-every-release-contain
>
> "What Must Every ASF Release Contain?
>
> Every ASF release must contain a source package, which must be
> sufficient for a user to build and test the release provided they have
> access to the appropriate platform and tools. The source package must
> be cryptographically signed by the Release Manager with a detached
> signature; and that package together with its signature must be tested
> prior to voting +1 for release. Folks who vote +1 for release may
> offer their own cryptographic signature to be concatenated with the
> detached signature file (at the Release Manager's discretion) prior to
> release.
>
> Note that the PMC is responsible for all artifacts in their
> distribution directory, which is a subdirectory of
> www.apache.org/dist/ ; and all artifacts placed in their directory
> must be signed by a committer, preferably by a PMC member. It is also
> necessary for the PMC to ensure that the source package is sufficient
> to build any binary artifacts associated with the release.
>
> Every ASF release must comply with ASF licensing policy. This
> requirement is of utmost importance and an audit should be performed
> before any full release is created. In particular, every artifact
> distributed must contain only appropriately licensed code. More
> information can be found in the foundation website and in the release
> licensing FAQ."
>
> And http://www.apache.org/dev/release.html#release-announcements
>
> "How Should Releases Be Announced?
>
> Please ensure that you wait at least 24 hours after uploading a new
> release before updating the project download page and sending the
> announcement email(s). This is so that mirrors have sufficient time to
> catch up. (For time-critical security releases, the download pages
> script supports bypassing this requirement.)"
>
> As far as I can tell there is no official policy requiring projects to
> provide a download page.
> It is just a convenience to end users to give them a direct download link.
> The ASF documentation clearly defines where distributions must be placed.
> Since you want people to use your project it makes sense to create a
> download page to make it easy for them.
>
> For Maven itself there are clearly defined download links from the
> main entry point http://maven.apache.org.
>
> For plugins I don't think it makes any sense to provide direct download
> links to sources.
> I checked http://www.apache.org/dev/release.html#maven-artifacts,
> which links to http://www.apache.org/dev/publishing-maven-artifacts.html
> doesn't provide any more guidance here either.
>
> So why doesn't it make sense to provide direct download links?
> Because it is Maven that is the consumer of artifacts rather than the end users.
> And an end user is not likely to be building a plugin from source and
> then installing it into their local Maven cache, it is much easier to
> get Maven to download the binaries and use them that way.
>
> The only reason I can think of a user wanting access to the source is
> so they can make modifications, and if they don't know about the ASF
> distribution pages, we give them the source repository link, e.g.
> http://maven.apache.org/plugins/maven-compiler-plugin/source-repository.html,
> on the automatically generated web pages. To me this is better as they
> can then create patches.
>
> Does that make sense?

The point is that the ASF releases source, and it must be provided for
download via the ASF mirrors.

See:

http://www.apache.org/dev/release.html#host-GA

If you don't point users to the source, I don't see how you can claim
it has been properly released.



Re: Download links for source packages - where are they?

Posted by Barrie Treloar <ba...@gmail.com>.
On 26 June 2013 09:47, sebb <se...@gmail.com> wrote:
> I could not find any download links for Maven source packages.
>
> As the ASF primary purpose is to release source, and that must be
> released via the mirror system, there ought to be download pages with
> links to the source package, sigs, hashes and KEYS file.
>
> Yes, there are source packages for some Maven plugins, but that is not
> the same as providing download pages.
>
> AFAIK every single other ASF project has download pages.


As a PMC member, I welcome scrutiny that we are following the
designated procedures.

Apologies for the length, I had to do some digging around to actually
remind myself of what we are meant to do.

According to http://www.apache.org/dev/release.html

http://www.apache.org/dev/release.html#where-do-releases-go

"Where do releases go?

A release isn't 'released' until the contents are in the project's
distribution directory, which is a subdirectory of
www.apache.org/dist/. In addition to the distribution directory,
project that use Maven or a related build tool sometimes place their
releases on repository.apache.org beside some convenience binaries.
The distribution directory is required, while the repository system is
an optional convenience."

And http://www.apache.org/dev/release.html#what-must-every-release-contain

"What Must Every ASF Release Contain?

Every ASF release must contain a source package, which must be
sufficient for a user to build and test the release provided they have
access to the appropriate platform and tools. The source package must
be cryptographically signed by the Release Manager with a detached
signature; and that package together with its signature must be tested
prior to voting +1 for release. Folks who vote +1 for release may
offer their own cryptographic signature to be concatenated with the
detached signature file (at the Release Manager's discretion) prior to
release.

Note that the PMC is responsible for all artifacts in their
distribution directory, which is a subdirectory of
www.apache.org/dist/ ; and all artifacts placed in their directory
must be signed by a committer, preferably by a PMC member. It is also
necessary for the PMC to ensure that the source package is sufficient
to build any binary artifacts associated with the release.

Every ASF release must comply with ASF licensing policy. This
requirement is of utmost importance and an audit should be performed
before any full release is created. In particular, every artifact
distributed must contain only appropriately licensed code. More
information can be found in the foundation website and in the release
licensing FAQ."

And http://www.apache.org/dev/release.html#release-announcements

"How Should Releases Be Announced?

Please ensure that you wait at least 24 hours after uploading a new
release before updating the project download page and sending the
announcement email(s). This is so that mirrors have sufficient time to
catch up. (For time-critical security releases, the download pages
script supports bypassing this requirement.)"

As far as I can tell there is no official policy requiring projects to
provide a download page.
It is just a convenience to end users to give them a direct download link.
The ASF documentation clearly defines where distributions must be placed.
Since you want people to use your project it makes sense to create a
download page to make it easy for them.

For Maven itself there are clearly defined download links from the
main entry point http://maven.apache.org.

For plugins I don't think it makes any sense to provide direct download
links to sources.
I checked http://www.apache.org/dev/release.html#maven-artifacts,
which links to http://www.apache.org/dev/publishing-maven-artifacts.html
doesn't provide any more guidance here either.

So why doesn't it make sense to provide direct download links?
Because it is Maven that is the consumer of artifacts rather than the end users.
And an end user is not likely to be building a plugin from source and
then installing it into their local Maven cache, it is much easier to
get Maven to download the binaries and use them that way.

The only reason I can think of a user wanting access to the source is
so they can make modifications, and if they don't know about the ASF
distribution pages, we give them the source repository link, e.g.
http://maven.apache.org/plugins/maven-compiler-plugin/source-repository.html,
on the automatically generated web pages. To me this is better as they
can then create patches.

Does that make sense?



Re: Download links for source packages - where are they?

Posted by Olivier Lamy <ol...@apache.org>.
2013/6/26 sebb <se...@gmail.com>:
> I could not find any download links for Maven source packages.
>
> As the ASF primary purpose is to release source, and that must be
> released via the mirror system, there ought to be download pages with
> links to the source package, sigs, hashes and KEYS file.
>
> Yes, there are source packages for some Maven plugins, but that is not
> the same as providing download pages.
>
> AFAIK every single other ASF project has download pages.

Is that mandatory? Do you have any link saying that?
At least for core I understand, but for plugins...
BTW we started to put everything here: http://www.us.apache.org/dist/maven/





--
Olivier Lamy
Ecetera: http://ecetera.com.au
http://twitter.com/olamy | http://linkedin.com/in/olamy
