Sounds good to me. Thanks Jarek.

XD

On Fri, May 7, 2021 at 11:34 Jarek Potiuk <[email protected]> wrote:

> Any more comments? I am happy to add such a page if there are no more
> comments. I think it needs no voting, and might want to start lazy
> consensus thread for that one.
>
> On Wed, May 5, 2021 at 9:57 PM Jarek Potiuk <[email protected]> wrote:
>
>> It does not have to be even a separate 'entry' in the menu. It could be a
>> sub-page of 'Install' like 'if you want to follow the source installation,
>> you can download and verify the installation packages from here'
>>
>> Just to put it in context why it is important.
>>
>> The https://downloads.apache.org is really the ONLY official way of
>> distributing the ASF software. You can find cryptographic signatures and
>> checksums there and as of recently the PIP packages for providers (and for
>> airflow in the next release) are the very same as the ones published via
>> 'downloads' (so you can still verify the integrity of PIP packages by
>> checking the checksum/signature).
>>
>> Those PyPI packages are 'convenience' ones and they cannot be used to
>> make ASF liable for any damage done:
>> https://www.apache.org/legal/release-policy.html
>>
>> This has very serious legal implications and PMC members of Apache are
>> indemnified by ASF from any damage as long as they follow the rules.
>>
>> It is very important for some corporate customers. There are automated
>> frameworks which check signatures/checksums when downloading (we had issues
>> raised in the past about format of the signature in the downloads site so
>> there are users serious about it).
>>
>> This also has become more and more important due to the rise of 'supply
>> chain' attack where malicious players might inject their code in 'trusted'
>> sources. A very recent example of that (we were also affected and we
>> changed our amazon keys)
>> https://www.computerweekly.com/news/252499587/Codecov-supply-chain-attack-has-echoes-of-SolarWinds
>> - having signatures and checksums is the only way some of the corporate
>> players might be sure of the origin of the software.
>>
>> J.
>>
>> On Wed, 5 May 2021, 21:08 Deng Xiaodong <[email protected]> wrote:
>>
>>> Thanks Jarek for proposing this.
>>>
>>> One minor question I have on this is how we put this side-by-side
>>> with the "*Install*" tab/button on our site.
>>>
>>> Due to how Python packages work, for most users, there is no process of
>>> "*Download*". Instead, it is always an "*Install*" process. So for a new
>>> user visiting our site, does she/he click the "Install" button or click the
>>> "Downloads" page? This may cause minor confusion from the site UX aspect.
>>>
>>> But overall this is a good idea to me, if it's a requirement to have
>>> such a page in order to do the release announcement via
>>> [email protected].
>>>
>>> XD
>>>
>>> On Wed, May 5, 2021 at 8:54 PM Tomasz Urbaszek <[email protected]>
>>> wrote:
>>>
>>>> +1 for the idea. I think this would be another way we can emphasize
>>>> the core/providers split and definitely. Probably we may consider
>>>> pointing to external providers, but not sure how this is aligned with
>>>> ASF rules.
>>>>
>>>> Cheers,
>>>> Tomek
>>>>
>>>> On Tue, 4 May 2021 at 13:00, Jarek Potiuk <[email protected]> wrote:
>>>> >
>>>> > Hello everyone,
>>>> >
>>>> > Just wanted to ask what do you think about adding a "Downloads" page
>>>> > to the Airflow website?
>>>> >
>>>> > I am subscribed to "[email protected]" mailing list and see new
>>>> > releases coming from various apache projects. It's a bit sad we do not
>>>> > announce Airflow there. The main reason is that we have no "Downloads" page
>>>> > similar to those (this is a strict requirement for "announce" messages):
>>>> >
>>>> > Few examples:
>>>> >
>>>> > * https://druid.apache.org/downloads.html
>>>> > * https://flink.apache.org/downloads.html
>>>> >
>>>> > Since we have now airflow core, providers, python client and soon
>>>> > helm chart - maybe we should have such a "Downloads" page where we
>>>> > (automatically) get the list of all latest packages released by Airflow,
>>>> > including the checksums, signatures etc., all pointing to the right links
>>>> > from https://downloads.apache.org/airflow/
>>>> >
>>>> > Then we could officially announce releases :).
>>>> >
>>>> > WDYT?
>>>> >
>>>> > J.
>>>> >
>>>> > --
>>>> > +48 660 796 129
>
> --
> +48 660 796 129
