Any more comments? I am happy to add such a page if there are no more comments. I think it needs no voting, and might want to start a lazy consensus thread for that one.

On Wed, May 5, 2021 at 9:57 PM Jarek Potiuk <[email protected]> wrote:

> It does not have to be even a separate 'entry' in the menu. It could be a sub-page of 'Install' like 'if you want to follow the source installation, you can download and verify the installation packages from here'
>
> Just to put it in context why it is important.
>
> The https://downloads.apache.org is really the ONLY official way of distributing the ASF software. You can find cryptographic signatures and checksums there and as of recently the PIP packages for providers (and for airflow in the next release) are the very same as the ones published via 'downloads' (so you can still verify the integrity of PIP packages by checking the checksum/signature).
>
> Those PyPI packages are 'convenience' ones and they cannot be used to make ASF liable for any damage done:
> https://www.apache.org/legal/release-policy.html
>
> This has very serious legal implications and PMC members of Apache are indemnified by ASF from any damage as long as they follow the rules.
>
> It is very important for some corporate customers. There are automated frameworks which check signatures/checksums when downloading (we had issues raised in the past about format of the signature in the downloads site so there are users serious about it).
>
> This has also become more and more important due to the rise of 'supply chain' attacks where malicious players might inject their code in 'trusted' sources. A very recent example of that (we were also affected and we changed our Amazon keys)
> https://www.computerweekly.com/news/252499587/Codecov-supply-chain-attack-has-echoes-of-SolarWinds
> - having signatures and checksums is the only way some of the corporate players might be sure of the origin of the software.
>
> J.
>
> On Wed, 5 May 2021, 21:08, Deng Xiaodong <[email protected]> wrote:
>
>> Thanks Jarek for proposing this.
>>
>> One minor question I have on this is how we put this side-by-side with the "*Install*" tab/button on our site.
>>
>> Due to how Python packages work, for most users, there is no process of "*Download*". Instead, it is always an "*Install*" process. So for a new user visiting our site, does she/he click the "Install" button or click the "Downloads" page? This may cause minor confusion from the site UX aspect.
>>
>> But overall this is a good idea to me, if it's a requirement to have such a page in order to do the release announcement via [email protected].
>>
>>
>> XD
>>
>>
>> On Wed, May 5, 2021 at 8:54 PM Tomasz Urbaszek <[email protected]> wrote:
>>
>>> +1 for the idea. I think this would be another way we can emphasize the core/providers split and definitely. Probably we may consider pointing to external providers, but not sure how this is aligned with ASF rules.
>>>
>>> Cheers,
>>> Tomek
>>>
>>> On Tue, 4 May 2021 at 13:00, Jarek Potiuk <[email protected]> wrote:
>>> >
>>> > Hello everyone,
>>> >
>>> > Just wanted to ask what do you think about adding a "Downloads" page to the Airflow website?
>>> >
>>> > I am subscribed to "[email protected]" mailing list and see new releases coming from various apache projects. It's a bit sad we do not announce Airflow there. The main reason is that we have no "Downloads" page similar to those (this is a strict requirement for "announce" messages):
>>> >
>>> > Few examples:
>>> >
>>> > * https://druid.apache.org/downloads.html
>>> > * https://flink.apache.org/downloads.html
>>> >
>>> > Since we have now airflow core, providers, python client and soon helm chart - maybe we should have such a "Downloads" page where we (automatically) get the list of all latest packages released by Airflow, including the checksums, signatures etc., all pointing to the right links from https://downloads.apache.org/airflow/
>>> >
>>> > Then we could officially announce releases :).
>>> >
>>> > WDYT?
>>> >
>>> > J.
>>> >
>>> >
>>> > --
>>> > +48 660 796 129
>>> >
>>

--
+48 660 796 129
