Hi,
> It always also bothers me when you say "things should never happen" but
> fail to take action to ensure it does not happen and ask people to fix it.
> That sounds a bit like "I have strong opinion, but I know it does and I
> can't do anything about - so I am closing a blind eye on it",
The Release MCP I’m working on now checks for this.
An example question:
Check Burr releases for compliance with ASF guidelines and policy
The final output:
Burr Compliance Check
I checked Burr live against Apache dist/archive, GitHub releases, and Docker
Hub, using the ASF Incubator distribution guidelines.
Overall: Burr has ASF release artifacts in the Apache release system with
signatures and SHA-512 checksums, which is good. There are a few follow-up
compliance concerns around GitHub release pages and convenience artifacts.
Looks OK
• dist.apache.org is available:
  https://dist.apache.org/repos/dist/release/incubator/burr/
• archive.apache.org is available:
  https://archive.apache.org/dist/incubator/burr/
• Latest observed Apache release date: 2026-01-11
• Source-ish artifacts include incubating in their filenames:
  • apache-burr-0.41.0-incubating.tar.gz
  • apache-burr-0.41.0-incubating-sdist.tar.gz
• Each observed artifact has detached .asc signatures and .sha512 checksums.
• KEYS is present.
Needs Review
• GitHub has 30 releases at https://github.com/apache/burr/releases, and
  the tool found no visible incubation disclaimer text in those release bodies.
  The Incubator guide says GitHub releases need to include the incubation
  disclaimer.
• Docker Hub default ASF locations were not found:
  • apache/burr returned 404
  • apacheburr/burr returned 404
  That is fine if Burr does not publish Docker images, but if it does, the image
  location may need a custom check.
• The Apache dist/archive listing includes a Python wheel:
  apache_burr-0.41.0-py3-none-any.whl. As a convenience binary, it should be made
  from an IPMC-approved ASF release, follow licensing policy, and have
  signatures/hashes. It does have .asc and .sha512, but its filename does not
  include incubating, so I’d manually review whether the distribution surface
  clearly displays the incubating disclaimer.
• Remote source archive contents were not inspected, so I could not confirm
  DISCLAIMER files inside the source archives.
Verdict
No hard failure from the basic ASF release-system evidence: Burr has release
artifacts, signatures, checksums, archive presence, and incubating names for
the source archives.
The main compliance gap to fix or verify is GitHub release metadata: add the
incubation disclaimer to the GitHub release descriptions, especially because
the guide explicitly calls that out. The wheel/convenience binary also deserves
a manual check against ASF binary distribution policy.
Kind Regards,
Justin
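The artifact-level checks in the report above (detached .asc and .sha512 next to every artifact, KEYS present, "incubating" in the filename) can be sketched as an audit of a directory listing. This is an added example, not code from the Release MCP or from the message's author; the function name, the finding strings and the sample listing are assumptions, with the listing constructed from the three filenames quoted in the report.

```python
import re

SIDECARS = (".asc", ".sha512")   # detached signature and checksum files
NON_ARTIFACTS = {"KEYS"}         # assumption: only KEYS is exempt from the checks
# "incubating" must be its own filename token, delimited by - _ . or a string end.
INCUBATING = re.compile(r"(^|[-_.])incubating([-_.]|$)")

# Constructed listing: the artifact names quoted in the report, each with the
# sidecars the report says exist, plus KEYS. Nothing is fetched from the network.
ARTIFACTS = [
    "apache-burr-0.41.0-incubating.tar.gz",
    "apache-burr-0.41.0-incubating-sdist.tar.gz",
    "apache_burr-0.41.0-py3-none-any.whl",
]
SAMPLE_LISTING = ["KEYS"] + [a + s for a in ARTIFACTS for s in ("",) + SIDECARS]


def audit_listing(names):
    """Return ({file: [findings]}, keys_present) for one release directory."""
    present = set(names)
    findings = {}
    for name in sorted(present):
        if name in NON_ARTIFACTS:
            continue
        ext = next((e for e in SIDECARS if name.endswith(e)), None)
        if ext:
            # A sidecar is only meaningful next to the artifact it covers.
            if name[: -len(ext)] not in present:
                findings[name] = ["sidecar without artifact"]
            continue
        issues = [f"missing {e}" for e in SIDECARS if name + e not in present]
        if not INCUBATING.search(name):
            issues.append("filename lacks 'incubating'")
        findings[name] = issues
    return findings, "KEYS" in present


if __name__ == "__main__":
    result, keys_present = audit_listing(SAMPLE_LISTING)
    print("KEYS present:", keys_present)
    for artifact, issues in result.items():
        print(artifact, "->", issues or "OK")
```

This only checks that the sidecar files are present; validating a signature against KEYS and recomputing the SHA-512 digest are separate steps.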