On 25.03.2015 19:07, Dmitriy Setrakyan wrote: > Brane, > > The wrong download checksum issue has been addressed (I think). Please > double check me. The reason it happened was that I had two identical > folders with different names sitting next to each other and grabbed the > wrong one. The only difference was the name of the archive. (I should > really stop working after midnight :)
Should be publishing exactly what was voted on, not even re-zipping, IMO. This is one of the reasons why it's a good idea to have the whole release process scripted; no manual archiving, copying, etc. anywhere. > As far as keeping the binary bits in the "dist.apache.org", I looked around > and many projects are doing it, e.g. Cassandra (TLP), Aurora (Incubating). The binaries must be on dist.apache.org; that's mandatory. Any change on that site is mirrored to a zillion places around the world. > I believe it only poses an issue when you have massive amount of downloads, > like Apache HTTP server for example, which is not the case for us. If it is > OK, I would prefer to leave it as is for now, or ask the community to > address it later. I'd consider it a service to users to provide links to mirrors whenever possible. It's not something that needs addressing right now, but it would be nice to get it done soon-ish. As I said, I can help here; I know how the direct-download links to mirrors are set up for Subversion and APR, so it shouldn't be too hard get a similar solution working for Ignite. -- Brane > > D. > > On Wed, Mar 25, 2015 at 2:55 AM, Branko Čibej <br...@apache.org> wrote: > >> On 25.03.2015 09:35, Dmitriy Setrakyan wrote: >>> The first official Apache Ignite release (albeit release candidate) was >>> uploaded and the download page is updated: >>> >>> https://ignite.incubator.apache.org/download.html >> >> Well, I have to say I'm confused and just a bit unhappy. >> >> We voted on a source package named >> >> incubator-ignite-1.0.0-rc3.zip >> >> with hash >> >> 68f74cff64dabf43e8f41bc478e814102a749cce >> >> and now here I'm offered to download >> >> ignite-fabric-1.0.0-RC3-src.zip >> >> with a different size and hash >> >> 46e932dc4e05ce757ce156f0e30d0ea98920eea8 >> >> This is clearly not the source package we voted on, so it is not what >> was released by the Incubator PMC. Please fix this ASAP and let's not >> make this sort of mistake again. You have to publish the exact same >> package that was voted for release, not something else, even if the >> differences are trivial. >> >> >> Next, the package name: I'm not aware of an Apache project or podling >> called "Ignite fabric". The "incubator-ignite-x.y.z" name was fine, I >> don't understand why you renamed it. Once the podling graduates, I'd >> expect the package to be called 'apache-ignite-x.y.x' or just >> 'ignite-x.y.x'. >> >> >> Next, it would be nice if the download page stated explicitly that the >> binary package is there for convenience and is not an official ASF >> release. My suggestion would be to split the page into three sections: >> >> * Downloads of official ASF released sources >> * Instructions for building from source (either the unpacked package >> or from git, or both) >> * Link to convenience binaries built from the released sources >> >> >> And last, I believe I mentioned at some point that posting download >> links to the ASF dist server is frowned upon. The thing to do is to post >> a link to a mirror; for example: >> >> >> http://www.apache.org/dyn/closer.cgi?path=incubator/ignite/source/ignite-fabric-1.0.0-RC3-src.zip >> >> this will return a link to the geographically closest mirror. Be aware >> that it can take up to 24 hours for mirrors to synchronize once the >> package is on the dist server, so it's a good idea to wait that long >> before posting the download link and announcing the release. >> >> There are ways, with a bit of scripting on the site, to get direct >> download links instead of bouncing people through the mirrors page; >> here's an example: >> >> http://httpd.apache.org/download.cgi >> >> Note that this page keeps the PGP/hash links pointing to our dist server >> so that a malicious hacker would have to hack into both your mirror and >> the master server to fake hashes and signatures on a hacked package. >> >> >> -- Brane >>
