Credits to Jarek on that one, he is the one who is actually drafting the proposal.
On Wed, Sep 9, 2020, 13:31 Niclas Hedhman <[email protected]> wrote:

> Corporate requirements are typically that they can build everything from sources and have clear instructions (preferably scriptable) on how to do that.
>
> Good to hear that ComDev is in the loop and you are together working on draft proposals. It will be greatly appreciated.
>
> Niclas
>
> On Wed, Sep 9, 2020, 13:00 Jarek Potiuk <[email protected]> wrote:
>
> > Added Niclas to my response :). Responding to devlist when someone from outside of it sends a message is tricky :)
> >
> > On Wed, Sep 9, 2020 at 12:35 PM Jarek Potiuk <[email protected]> wrote:
> >
> >> Hello Niclas,
> >>
> >> Thanks for that.
> >>
> >> I feel that this guidance already answers most of my questions.
> >>
> >> I volunteered to lead proposal discussion and preparation for the ASF Board on this subject (and I am sure other PMCs from Airflow will also be engaged a lot), so I hope we can work out some reasonable policies on that. I hope to have the first draft proposal for discussion this week. I also invited Apache Security team members who are already commenting on that thread, as I think those policies should at least provide guidance on all those topics: licensing, security, stability, and "rebuildability" (for the lack of a better term). Those are IMHO super important if we want to address the needs of corporate users especially (looking at the requirements of the corporates we are working with).
> >>
> >> J
> >>
> >> On Wed, Sep 9, 2020 at 8:38 AM Niclas Hedhman <[email protected]> wrote:
> >>
> >>> Hi everyone,
> >>>
> >>> The report submitted to the September Board meeting is requesting guidance on binary releases, such as Docker and Helm. I act as the board's shepherd of Airflow, and am here to help if needed.
> >>>
> >>> First of all, Apache Software Foundation releases Open SOURCE software, and the source release is always the primary one. There are many reasons for this, such as security (one can know for sure what it contains), jurisprudence (trace origin,++) and usability on platforms that the community may not provide binaries for.
> >>>
> >>> Many communities provide additional binary releases, which have been called "Convenience Binaries", but the term is under review/reconsideration as they are for some communities (say, OpenOffice) the primary artifacts for the majority of users (OpenOffice users are typically not developers). The exact policies around this are being reviewed and worked on at the moment. Things like credentials to DockerHub or npm are for instance of concern, as well as the long-term stability of some of these distribution systems.
> >>>
> >>> That said; in general, as long as the binaries are buildable (with instructions) and the product can be built and used without reliance on such external systems, then it is mostly OK and it is up to each community to decide if binaries are provided and how. If there are specific questions on release policy or special requests, then contact the Infrastructure team and ask if it is OK with them. If there are more general thoughts/feedback/discussion items in this space, ComDev is the place to approach.
> >>>
> >>> I will also try to do my best to answer questions here...
> >>>
> >>> Niclas Hedhman
> >>
> >> --
> >>
> >> Jarek Potiuk
> >> Polidea <https://www.polidea.com/> | Principal Software Engineer
> >>
> >> M: +48 660 796 129 <+48660796129>
> >
> > --
> >
> > Jarek Potiuk
> > Polidea <https://www.polidea.com/> | Principal Software Engineer
> >
> > M: +48 660 796 129 <+48660796129>
