[ https://issues.apache.org/jira/browse/GROOVY-9458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17072734#comment-17072734 ]

Paul King edited comment on GROOVY-9458 at 4/1/20, 1:14 PM:
------------------------------------------------------------

Well, it wouldn't be those pages. They are about releases. There are no 
"packages" you refer to, just a link to a third-party site. Do you know which 
document prohibits links to third-party artifacts? It would be the owner of 
that document I would need to see or perhaps branding?

All I can find is [1] which seems to allow it:
bq. The public may also obtain Apache software from any number of downstream 
channels (rpm, deb, homebrew, etc.) which redistribute our releases in either 
original or derived form. The vast majority of such downstream channels operate 
independently of Apache.

So, what I am looking for is a document which prohibits us from having a link 
to a downstream channel. I haven't found anything yet. Branding wise, my 
understanding is we should not be promoting third-party companies that might 
have their own distribution channel/distributions but in this case it is open 
source. My understanding is also that such artifacts must be clearly marked as 
"community artifacts" which is the case here.

[1] https://infra.apache.org/release-distribution


was (Author: paulk):
Well, it wouldn't be those pages. They are about releases. There are no 
"packages" you refer to, just a link to a third-party site. Do you know which 
document prohibits links to third-party artifacts? It would be the owner of 
that document I would need to see or perhaps branding?

All I can find is which seems to allow it[1]:
bq. The public may also obtain Apache software from any number of downstream 
channels (rpm, deb, homebrew, etc.) which redistribute our releases in either 
original or derived form. The vast majority of such downstream channels operate 
independently of Apache.

So, what I am looking for is a document which prohibits us from having a link 
to a downstream channel. I haven't found anything yet. Branding wise, my 
understanding is we should not be promoting third-party companies that might 
have their own distribution channel/distributions but in this case it is open 
source. My understanding is also that such artifacts must be clearly marked as 
"community artifacts" which is the case here.

[1] https://infra.apache.org/release-distribution

> Missing sigs and hashes on download page
> ----------------------------------------
>
>                 Key: GROOVY-9458
>                 URL: https://issues.apache.org/jira/browse/GROOVY-9458
>             Project: Groovy
>          Issue Type: Bug
>            Reporter: Sebb
>            Priority: Major
>
> The public download page includes links to several Windows installer 
> executables.
> These have neither signatures nor hashes.
> However as per [1] 
> "All supplied packages MUST be cryptographically signed by the Release 
> Manager with a detached signature"
> And as per [2]
> "For every artifact distributed to the public through Apache channels, the 
> PMC ... MUST supply at least one checksum file"
> Please either remove the links or provide the required sigs and hashes.
> Thanks.
> [1] http://www.apache.org/legal/release-policy.html#release-signing 
> [2] https://www.apache.org/dev/release-distribution#sigs-and-sums



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
