Hello Niclas,

Thanks for that.

I feel that this guidance already answers most of my questions.

I volunteered to lead proposal discussion and preparation for the ASF Board
on this subject (and I am sure other PMCs from Airflow will also be engaged
a lot), so I hope we can work out some reasonable policies on that. I hope
to have the first draft proposal for discussion this week. I also invited
Apache Security team members who are already commenting on that thread, as
I think those policies should at least provide guidance on all those
topics: licensing, security, stability, and "rebuildability" (for the lack
of a better term). Those are IMHO super important if we want to address the
needs of corporate users especially (looking at the requirements of the
corporates we are working with).

J


On Wed, Sep 9, 2020 at 8:38 AM Niclas Hedhman <[email protected]> wrote:

> Hi everyone,
>
> The report submitted to the September Board meeting is requesting guidance
> on binary releases, such as Docker and Helm. I act as the board's shepherd
> of Airflow, and am here to help if needed.
>
> First of all, Apache Software Foundation releases Open SOURCE software, and
> the source release is always the primary one. There are many reasons for
> this, such as security (one can know for sure what it contains),
> jurisprudence (trace origin,++) and usability on platforms that the
> community may not provide binaries for.
>
> Many communities provide additional binary releases, that have been called
> "Convenience Binaries", but the term is under review/reconsideration as
> they are for some communities (say, OpenOffice) the primary artifacts for
> the majority of users (OpenOffice users are typically not developers). The
> exact policies around this are being reviewed and worked on at the moment.
> Things like credentials to DockerHub or npm are for instance of concern, as
> well as the long-term stability of some of these distribution systems.
>
> That said; in general, as long as the binaries are buildable (with
> instructions) and the product can be built and used without reliance on
> such external systems, then it is mostly OK and it is up to each community
> to decide if binaries are provided and how. If there are specific questions
> on release policy or special requests, then contact the Infrastructure team
> and ask if it is Ok with them. If there are more general
> thoughts/feedback/discussion items in this space, ComDev is the place to
> approach.
>
> I will also try to do my best to answer questions here...
>
> Niclas Hedhman
>


-- 

Jarek Potiuk
Polidea <https://www.polidea.com/> | Principal Software Engineer

M: +48 660 796 129 <+48660796129>