On Wed, Mar 25, 2015 at 07:55PM, Branko Čibej wrote:
> On 25.03.2015 19:07, Dmitriy Setrakyan wrote:
> > Brane,
> >
> > The wrong download checksum issue has been addressed (I think). Please
> > double check me. The reason it happened was that I had two identical
> > folders with different names sitting next to each other and grabbed the
> > wrong one. The only difference was the name of the archive. (I should
> > really stop working after midnight :)
> 
> Should be publishing exactly what was voted on, not even re-zipping,
> IMO. This is one of the reasons why it's a good idea to have the whole
> release process scripted; no manual archiving, copying, etc. anywhere.

Ideally, you'd just copy the artifacts from the voting area to the dist's SVN.
That's what we instruct people to do in Bigtop releases. Minimizes the room for
mistakes quite a bit.

> > As far as keeping the binary bits in the "dist.apache.org", I looked around
> > and many projects are doing it, e.g. Cassandra (TLP), Aurora (Incubating).
> 
> The binaries must be on dist.apache.org; that's mandatory. Any change on
> that site is mirrored to a zillion places around the world.
> 
> > I believe it only poses an issue when you have a massive amount of downloads,
> > like Apache HTTP server for example, which is not the case for us. If it is
> > OK, I would prefer to leave it as is for now, or ask the community to
> > address it later.
> 
> I'd consider it a service to users to provide links to mirrors whenever
> possible. It's not something that needs addressing right now, but it
> would be nice to get it done soon-ish. As I said, I can help here; I
> know how the direct-download links to mirrors are set up for Subversion
> and APR, so it shouldn't be too hard to get a similar solution working for
> Ignite.

Agree - while you put the files into dist, they had better get mirrored via
the mirroring gate that will pick up a mirror closest to you.

Cos

> > On Wed, Mar 25, 2015 at 2:55 AM, Branko Čibej <br...@apache.org> wrote:
> >
> >> On 25.03.2015 09:35, Dmitriy Setrakyan wrote:
> >>> The first official Apache Ignite release (albeit release candidate) was
> >>> uploaded and the download page is updated:
> >>>
> >>> https://ignite.incubator.apache.org/download.html
> >>
> >> Well, I have to say I'm confused and just a bit unhappy.
> >>
> >> We voted on a source package named
> >>
> >>     incubator-ignite-1.0.0-rc3.zip
> >>
> >> with hash
> >>
> >>     68f74cff64dabf43e8f41bc478e814102a749cce
> >>
> >> and now here I'm offered to download
> >>
> >>     ignite-fabric-1.0.0-RC3-src.zip
> >>
> >> with a different size and hash
> >>
> >>     46e932dc4e05ce757ce156f0e30d0ea98920eea8
> >>
> >> This is clearly not the source package we voted on, so it is not what
> >> was released by the Incubator PMC. Please fix this ASAP and let's not
> >> make this sort of mistake again. You have to publish the exact same
> >> package that was voted for release, not something else, even if the
> >> differences are trivial.
> >>
> >>
> >> Next, the package name: I'm not aware of an Apache project or podling
> >> called "Ignite fabric". The "incubator-ignite-x.y.z" name was fine, I
> >> don't understand why you renamed it. Once the podling graduates, I'd
> >> expect the package to be called 'apache-ignite-x.y.x' or just
> >> 'ignite-x.y.x'.
> >>
> >>
> >> Next, it would be nice if the download page stated explicitly that the
> >> binary package is there for convenience and is not an official ASF
> >> release. My suggestion would be to split the page into three sections:
> >>
> >>   * Downloads of official ASF released sources
> >>   * Instructions for building from source (either the unpacked package
> >>     or from git, or both)
> >>   * Link to convenience binaries built from the released sources
> >>
> >>
> >> And last, I believe I mentioned at some point that posting download
> >> links to the ASF dist server is frowned upon. The thing to do is to post
> >> a link to a mirror; for example:
> >>
> >>
> >> http://www.apache.org/dyn/closer.cgi?path=incubator/ignite/source/ignite-fabric-1.0.0-RC3-src.zip
> >>
> >> this will return a link to the geographically closest mirror. Be aware
> >> that it can take up to 24 hours for mirrors to synchronize once the
> >> package is on the dist server, so it's a good idea to wait that long
> >> before posting the download link and announcing the release.
> >>
> >> There are ways, with a bit of scripting on the site, to get direct
> >> download links instead of bouncing people through the mirrors page;
> >> here's an example:
> >>
> >>     http://httpd.apache.org/download.cgi
> >>
> >> Note that this page keeps the PGP/hash links pointing to our dist server
> >> so that a malicious hacker would have to hack into both your mirror and
> >> the master server to fake hashes and signatures on a hacked package.
> >>
> >>
> >> -- Brane
> >>
> 
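
Added example, not part of the original thread and not any Apache project's release tooling: a scripted publish step that copies the voted artifact from the staging area to dist byte for byte under the voted name, and refuses anything whose hash differs from the one in the vote. The directory layout and function names are hypothetical, and SHA-1 is assumed only because the hashes quoted in the thread are 40 hex digits.

```python
import hashlib
import shutil
from pathlib import Path


class ReleaseMismatch(Exception):
    """Raised when a file is not byte-for-byte the artifact that was voted on."""


def sha1_of(path: Path) -> str:
    # Stream the file so large archives are not read into memory at once.
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def publish_voted_artifact(staging_dir, dist_dir, voted_name, voted_sha1) -> Path:
    """Copy the voted artifact from staging to dist without renaming or re-archiving."""
    src = Path(staging_dir) / voted_name
    if not src.is_file():
        # A renamed or rebuilt archive lands here: the voted name must exist as-is.
        raise ReleaseMismatch(f"{voted_name} not found in staging area")
    actual = sha1_of(src)
    if actual != voted_sha1.lower():
        raise ReleaseMismatch(f"{voted_name}: hash {actual} != voted {voted_sha1}")
    dst = Path(dist_dir) / voted_name          # same name as in the vote
    shutil.copyfile(src, dst)                  # byte copy, no re-zip
    if sha1_of(dst) != actual:                 # catch a truncated or corrupted copy
        dst.unlink()
        raise ReleaseMismatch(f"{voted_name}: copy in dist differs from staging")
    return dst


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a stand-in archive. The file name is the one from the
    # thread; the hash is computed from the stand-in bytes, not the real release.
    with tempfile.TemporaryDirectory() as tmp:
        staging, dist = Path(tmp, "staging"), Path(tmp, "dist")
        staging.mkdir(); dist.mkdir()
        name = "incubator-ignite-1.0.0-rc3.zip"
        (staging / name).write_bytes(b"constructed sample archive bytes")
        voted = sha1_of(staging / name)
        print(publish_voted_artifact(staging, dist, name, voted))
```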
