Added Niclas to my response :). Responding to devlist when someone from outside of it sends a message is tricky :)
On Wed, Sep 9, 2020 at 12:35 PM Jarek Potiuk <[email protected]> wrote:

> Hello Niclas,
>
> Thanks for that.
>
> I feel that this guidance already answers most of my questions.
>
> I volunteered to lead proposal discussion and preparation for the ASF
> Board on this subject (and I am sure other PMCs from Airflow will also be
> engaged a lot), so I hope we can work out some reasonable policies on that.
> I hope to have the first draft proposal for discussion this week. I also
> invited Apache Security team members who are already commenting on that
> thread, as I think those policies should at least provide guidance on all
> those topics: licensing, security, stability, and "rebuildability" (for the
> lack of a better term). Those are IMHO super important if we want to
> address the needs of corporate users especially (looking at the
> requirements of the corporates we are working with).
>
> J
>
> On Wed, Sep 9, 2020 at 8:38 AM Niclas Hedhman <[email protected]> wrote:
>
>> Hi everyone,
>>
>> The report submitted to the September Board meeting is requesting guidance
>> on binary releases, such as Docker and Helm. I act as the board's shepherd
>> of Airflow, and I am here to help if needed.
>>
>> First of all, Apache Software Foundation releases Open SOURCE software, and
>> the source release is always the primary one. There are many reasons for
>> this, such as security (one can know for sure what it contains),
>> jurisprudence (trace origin,++) and usability on platforms that the
>> community may not provide binaries for.
>>
>> Many communities provide additional binary releases, which have been called
>> "Convenience Binaries", but the term is under review/reconsideration as
>> they are for some communities (say, OpenOffice) the primary artifacts for
>> the majority of users (OpenOffice users are typically not developers). The
>> exact policies around this are being reviewed and worked on at the moment.
>>
>> Things like credentials to DockerHub or npm are for instance of concern, as
>> well as the long-term stability of some of these distribution systems.
>>
>> That said; in general, as long as the binaries are buildable (with
>> instructions) and the product can be built and used without reliance on
>> such external systems, then it is mostly OK and it is up to each community
>> to decide if binaries are provided and how. If there are specific questions
>> on release policy or special requests, then contact the Infrastructure team
>> and ask if it is OK with them. If there are more general
>> thoughts/feedback/discussion items in this space, ComDev is the place to
>> approach.
>>
>> I will also try to do my best to answer questions here...
>>
>> Niclas Hedhman
>
> --
> Jarek Potiuk
> Polidea <https://www.polidea.com/> | Principal Software Engineer
> M: +48 660 796 129
