Hi all,

TL;DR: Should we sign Python artifacts and vote for them too?

The artifacts built from a commit SHA are to be signed[1] and voted on for distribution via official release channels[2]: downloads.apache.org, Docker[3]. Some projects choose their own policy for specific platforms (pypi.org); for example, Apache Spark publishes a PyPI package[4] with Infrastructure's knowledge.

That said, we have released our build artifacts produced by Maven via `mvn deploy -P'distribution,rat'` for the 2.0 release[5], which does not include our Python API. Previously, SystemML had released[6] the Python distribution along with the other src and bin files.

Note: PyPI releases, GitHub tags and Docker images are convenience packages and do not need to go through formal voting.

[1] https://www.apache.org/legal/release-policy.html#release-signing
[2] https://infra.apache.org/release-distribution.html#unreleased
[3] https://hub.docker.com/u/apache
[4] https://pypi.org/project/pyspark/
[5] https://downloads.apache.org/systemds/2.0.0/
[6] https://downloads.apache.org/systemds/1.2.0/

Thanks and regards,
Janardhan