On 26 June 2013 02:14, Barrie Treloar <[email protected]> wrote: > On 26 June 2013 09:47, sebb <[email protected]> wrote: >> I could not find any download links for Maven source packages. >> >> As the ASF primary purpose is to release source, and that must be >> released via the mirror system, there ought to be download pages with >> links to the source package, sigs, hashes and KEYS file. >> >> Yes, there are source packages for some Maven plugins, but that is not >> the same as providing download pages. >> >> AFAIK every single other ASF project has download pages. > > > As a PMC member, I welcome scrutiny that we are following the > designated procedures. > > Apologies for the length, I had to do some digging around to actually > remind myself of what we are meant to do. > > According to http://www.apache.org/dev/release.html > > http://www.apache.org/dev/release.html#where-do-releases-go > > "Where do releases go? > > A release isn't 'released' until the contents are in the project's > distribution directory, which is a subdirectory of > www.apache.org/dist/. In addition to the distribution directory, > project that use Maven or a related build tool sometimes place their > releases on repository.apache.org beside some convenience binaries. > The distribution directory is required, while the repository system is > an optional convenience." > > And http://www.apache.org/dev/release.html#what-must-every-release-contain > > "What Must Every ASF Release Contain? > > Every ASF release must contain a source package, which must be > sufficient for a user to build and test the release provided they have > access to the appropriate platform and tools. The source package must > be cryptographically signed by the Release Manager with a detached > signature; and that package together with its signature must be tested > prior to voting +1 for release. Folks who vote +1 for release may > offer their own cryptographic signature to be concatenated with the > detached signature file (at the Release Manager's discretion) prior to > release. > > Note that the PMC is responsible for all artifacts in their > distribution directory, which is a subdirectory of > www.apache.org/dist/ ; and all artifacts placed in their directory > must be signed by a committer, preferably by a PMC member. It is also > necessary for the PMC to ensure that the source package is sufficient > to build any binary artifacts associated with the release. > > Every ASF release must comply with ASF licensing policy. This > requirement is of utmost importance and an audit should be performed > before any full release is created. In particular, every artifact > distributed must contain only appropriately licensed code. More > information can be found in the foundation website and in the release > licensing FAQ." > > And http://www.apache.org/dev/release.html#release-announcements > > "How Should Releases Be Announced? > > Please ensure that you wait at least 24 hours after uploading a new > release before updating the project download page and sending the > announcement email(s). This is so that mirrors have sufficient time to > catch up. (For time-critical security releases, the download pages > script supports bypassing this requirement.)" > > As far as I can tell there is no official policy requiring projects to > provide a download page. > It is just a convenience to end users to give them a direct download link. > The ASF documentation clearly defines where distributions must be placed. > Since you want people to use your project it makes sense to create a > download page to make it easy for them. > > For Maven itself there are clearly defined download links from the > main entry point http://maven.apache.org. > > For plugins I dont think it makes any sense to provide direct download > links to sources. > I checked http://www.apache.org/dev/release.html#maven-artifacts, > which links to http://www.apache.org/dev/publishing-maven-artifacts.html > doesn't provide any more guidance here either. > > So why doesn't it make sense to provide direct download links? > Because it is Maven that is the consumer of artifacts rather than the end > users. > And an end user is not likely to be building a plugin from source and > then installing it into their local Maven cache, it is much easier to > get Maven to download the binaries and use them that way. > > The only reason I can think of a user wanting access to the source is > so they can make modifications, and if they dont know about the ASF > distribution pages, we give them the source repository link, e.g. > http://maven.apache.org/plugins/maven-compiler-plugin/source-repository.html, > on the automatically generated web pages. To me this is better as they > can then create patches. > > Does that make sense?
The point is that the ASF release source, and it must be provided for download via the ASF mirrors. See: http://www.apache.org/dev/release.html#host-GA If you don't point users to the source, I don't see how you can claim it has been properly released. > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
