Corporate requirements are typically that they can build everything from sources and have clear instructions (preferably scriptable) on how to do that.
Good to hear that ComDev is in the loop and you are together working on draft proposals. It will be greatly appreciated. Niclas On Wed, Sep 9, 2020, 13:00 Jarek Potiuk <[email protected]> wrote: > Added Niclas to my response :). Responding to devlist when someone from > outside of it sends a message is tricky :) > > On Wed, Sep 9, 2020 at 12:35 PM Jarek Potiuk <[email protected]> > wrote: > >> Hello Niclas, >> >> Thanks for that. >> >> I feel that this guidance already answers most of my questions. >> >> I volunteered to lead proposal discussion and preparation for the ASF >> Board on this subject (and I am sure other PMCs from Airflow will also be >> engaged a lot, so I hope we can work out some reasonable policies on that. >> I hope to have the first draft proposal for discussion this week. I also >> invited Apache Security team members who are already commenting on that >> thread, as I think those policies should at least provide guidance on all >> those topics: licensing, security, stability, and "rebuildability" (for the >> lack of a better term). Those are IMHO super important if we want to >> address the needs of corporate users especially (looking at the >> requirements of the corporates we are working with). >> >> J >> >> >> On Wed, Sep 9, 2020 at 8:38 AM Niclas Hedhman <[email protected]> wrote: >> >>> Hi everyone, >>> >>> The report submitted to the September Board meeting is requesting >>> guidance >>> on binary releases, such as Docker and Helm. I act as the board's >>> shepherd >>> of Airflow, and here to help if needed. >>> >>> First of all, Apache Software Foundation releases Open SOURCE software, >>> and >>> the source release is always the primary one. There are many reasons for >>> this, such as security (one can know for sure what it contains), >>> jurisprudence (trace origin,++) and usability on platforms that the >>> community may not provide binaries for. >>> >>> Many communities provides additional binary releases, that has been >>> called >>> "Convenience Binaries", but the term is under review/reconsideration as >>> they are for some communities (say, OpenOffice) the primary artifacts >>> for >>> the majority of users (OpenOffice users are typically not developers). >>> The >>> exact policies around this are being reviewed and worked on at the >>> moment. >>> Things like credentials to DockerHub or npm are for instance of concern, >>> as >>> well as the long-term stability of some of these distribution systems. >>> >>> That said; in general, as long as the binaries are buildable (with >>> instructions) and the product can be built and used without reliance on >>> such external systems, then it is mostly OK and it is up to each >>> community >>> to decide if binaries are provided and how. If there are specific >>> questions >>> on release policy or special requests, then contact the Infrastructure >>> team >>> and ask if it is Ok with them. If there are more general >>> thoughts/feedback/discussion items in this space, ComDev is the place to >>> approach. >>> >>> I will also try to do my best to answer questions here... >>> >>> Niclas Hedhman >>> >> >> >> -- >> >> Jarek Potiuk >> Polidea <https://www.polidea.com/> | Principal Software Engineer >> >> M: +48 660 796 129 <+48660796129> >> [image: Polidea] <https://www.polidea.com/> >> >> > > -- > > Jarek Potiuk > Polidea <https://www.polidea.com/> | Principal Software Engineer > > M: +48 660 796 129 <+48660796129> > [image: Polidea] <https://www.polidea.com/> > >
