Hi,

On Mon, Sep 7, 2020 at 10:24 AM Bertrand Delacretaz <bdelacre...@apache.org> wrote:
...
> ...* https://issues.apache.org/jira/browse/ASFP-23 (accessible to ASF
> Members) has links to related discussions...
For the benefit of people who don't have access to that ticket, here's a list of links that are public and can help inform this discussion.

- https://cwiki.apache.org/confluence/display/INCUBATOR/Distribution+Guidelines mentions Maven, GitHub, Docker and other similar distribution channels. The topic was discussed several times in the Incubator, including https://lists.apache.org/thread.html/f614a20f82b010d152ce3871165841810c0db6c4de9d8a27e78b71d6@%3Clegal-discuss.apache.org%3E

- LEGAL- tickets: https://issues.apache.org/jira/browse/LEGAL-270 , https://issues.apache.org/jira/browse/LEGAL-427 , https://issues.apache.org/jira/browse/LEGAL-323 (linked to a number of others), more?

- Reproducible builds (https://reproducible-builds.org/ , http://maven.apache.org/guides/mini/guide-reproducible-builds.html ) are also a way to improve trust in binaries.

I also made a proposal a while ago about how we might handle these things:

*** DRAFT TENTATIVE PROPOSAL ON HOW WE MIGHT EXPLAIN DISTRIBUTIONS ***

- ASF Releases consist of source code only
- As a convenience, our PMCs often distribute binary packages along with these releases, as attachments which are not considered part of the release
- We recommend that people build their own binaries from released code, but it's a reality that many of them use the binaries that we distribute
- The only things we state about these binaries are that the PMC which creates them believes they are the correct ones (with no guarantees) and that the digests that we distribute are correct
- Those digests are mentioned in the PMC approval votes for these binaries, to allow people to look them up if desired
- We strongly encourage our PMCs to produce reproducible builds as per https://reproducible-builds.org/

*** DRAFT TENTATIVE PROPOSAL ON HOW WE MIGHT EXPLAIN DISTRIBUTIONS ***

I haven't found time to pursue it so far, and it might not be implementable as is, but hopefully it helps this discussion.
If a draft policy is created based on that and/or Jarek's current proposal, legal review will be needed before the ASF can activate it.

-Bertrand