Hi, The reason for this policy is that ASF releases are source releases, approved by the project community through the ASF release process. That process gives users a clear, auditable artifact: the source release, its checksums, signatures, LICENSE, NOTICE, and, for podlings, the incubating disclaimer.
Docker images are different. They are built artifacts, often containing operating system packages, language runtimes, base images, and other dependencies that are not present in the ASF source release. That makes them useful but also harder to audit and unsuitable as an ASF release artifact. So the policy is not saying projects cannot publish Docker images. It is saying that, when they do, the images need to be clearly presented as convenience artifacts derived from an approved source release. Users should not be left with the impression that docker pull apache/foo is the official ASF release. This also matters for incubating projects because the incubating disclaimer needs to follow the project’s artifacts and user-facing distribution points. Users should be able to tell that the project is still in incubation and that the image is not the official ASF release artifact. In short, the policy protects users, projects, and the Foundation by keeping the release process clear, reproducible, and auditable, while still allowing convenient container images where projects choose to provide them. Kind Regards, Justin --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
