I think it is fine to have github releases and convenience binaries served from 
there, with a couple constraints based on not undermining the important ASF 
policies that provide for a verifiable software supply chain.

If the github releases and artifacts correspond to official Apache releases, 
then:

1) they have to be identical bit-for-bit to those provided from ASF and maven 
central.

2) both we and our users have to be able to readily verify that this is the 
case (same file names, same hashes, easy to find links to the official ASF 
locations that store the hashes, have the signer keys to verify against, etc.)

If these github-based "releases" are intermediate/snapshot kinds of things, 
then I think the only requirement is that it's clear that's what they are 
(distinct file names, etc.), so they're not able to be confused with any 
official release.

I think experimentation to see what works well for the debugger/IDE is very 
sensible.

________________________________
From: John Wass <jwa...@gmail.com>
Sent: Wednesday, June 9, 2021 2:35 PM
To: dev@daffodil.apache.org <dev@daffodil.apache.org>
Subject: Re: Use GitHub Releases

> GitHub does automatically create "Releases" when we create a new tag.

The UI rolls them together, but they are two separate things in the API.
Daffodil has no releases according to the API.

https://api.github.com/repos/apache/daffodil/tags
https://api.github.com/repos/apache/daffodil/releases
https://docs.github.com/en/rest/reference/repos#list-releases


> Is there some API that's not available unless we manually create releases?

We can't attach assets to a tag, only a release.


> Are you looking to have convenience binaries also published to these
> release?

Yes, asset fetching along with version lookup was the point of the post, I
should have mentioned that ;)

Do all Daffodil artifacts need to be published? No, there is Maven Central
for the jars. But what about publishing the applications as assets? That
would be the CLI and, in the future, a debugger backend.


> What kinds of information are you looking to query from the releases?

At first the available releases and their assets, but there is additional
metadata in a release object that might be interesting at some point.


> That has some basic version and release date information. And as I
> mentioned before, it requires that projects keep it up to date.

The GitHub Release API does provide a nice single entrypoint for query and
fetch of assets (and metadata for future use).  Looking at these Apache
references, it doesn't appear to be as robust.




On Wed, Jun 9, 2021 at 12:54 PM Steve Lawrence <slawre...@apache.org> wrote:

> GitHub does automatically create "Releases" when we create a new tag.
>
>   https://github.com/apache/daffodil/releases
>
> Is there some API that's not available unless we manually create
> releases? Are you looking to have convenience binaries also published to
> these release?
>
> What kinds of information are you looking to query from the releases?
>
> I know some projects (including Daffodil) keep an updated "Description
> Of A Project" (doap) file, which is parsed by Apache to fill out project
> information that can be queried here:
>
>   https://projects.apache.org/project.html
>
> This is our doap file:
>
>   https://daffodil.apache.org/doap.rdf
>
> And this is the project page that is generated from that file:
>
>   https://projects.apache.org/project.html?daffodil
>
> That has some basic version and release date information. And as I
> mentioned before, it requires that projects keep it up to date. I'm not
> sure how many do if you're interested about other projects.
>
>
> On 6/9/21 12:36 PM, John Wass wrote:
> >> the simplest is to ask
> >
> > Well the simplest for __me__ is to ask, this will add some overhead to the
> > release process for someone.  It looks like some Apache projects do GitHub
> > releases, most don't.
> >
> > Also looking for an Apache API to query releases and their artifacts.
> >
> >
> > On Wed, Jun 9, 2021 at 12:13 PM John Wass <jwa...@gmail.com> wrote:
> >
> >> We have been using the GitHub API to collect (representative) releases of
> >> Daffodil during some prototype work.  However when looking at the main
> >> Daffodil repo I see there are no releases published there.
> >>
> >> There are probably some other ways to work around this, but the simplest
> >> is to ask if publishing releases to GitHub is something that can be done
> >> going forward?
> >>
> >>
> >
>
>
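
The bit-for-bit and same-file-name conditions from the first message in this thread, as an added example that is not part of the thread or of Daffodil's code: compare a copy of an artifact fetched from GitHub against the text of the official `.sha512` file. The checksum-file layouts handled, the function names and the sample values are assumptions; signature verification against the signer keys is a separate step not shown.

```python
import hashlib
import re

def parse_sha512_file(text):
    """Return (hex_digest, filename_or_None) from the text of a .sha512 file.

    Layouts handled (assumed here, not stated in the thread): a bare digest,
    sha512sum style "<hex>  <name>", and gpg --print-md style
    "<name>: ABCD EF01 ..." whose digest may wrap over several lines.
    """
    parts = text.strip().split(None, 1)
    if not parts:
        raise ValueError("empty checksum file")
    name = None
    if parts[0].endswith(":"):                 # gpg --print-md layout
        name = parts[0][:-1]
        digest = re.sub(r"\s+", "", parts[1]) if len(parts) == 2 else ""
    else:                                      # sha512sum layout or bare digest
        digest = parts[0]
        if len(parts) == 2:
            name = parts[1].strip().lstrip("*")  # "*" marks binary mode
    digest = digest.lower()
    if not re.fullmatch(r"[0-9a-f]{128}", digest):
        raise ValueError("no SHA-512 digest found")
    return digest, name

def matches_official(asset_name, asset_bytes, official_sha512_text):
    """True only if the mirrored asset has the official name and bytes."""
    digest, name = parse_sha512_file(official_sha512_text)
    if name is not None and name != asset_name:
        return False                           # same bytes, different file name
    return hashlib.sha512(asset_bytes).hexdigest() == digest

# Constructed sample: stand-in bytes and a checksum file built from them.
SAMPLE_NAME = "example-1.0.0-bin.tgz"          # hypothetical file name
SAMPLE_BYTES = b"constructed stand-in for a release archive"
_hex = hashlib.sha512(SAMPLE_BYTES).hexdigest().upper()
_groups = [_hex[i:i + 4] for i in range(0, 128, 4)]
SAMPLE_GPG_STYLE = (SAMPLE_NAME + ": " + " ".join(_groups[:16])
                    + "\n    " + " ".join(_groups[16:]))

if __name__ == "__main__":
    print(matches_official(SAMPLE_NAME, SAMPLE_BYTES, SAMPLE_GPG_STYLE))
    print(matches_official(SAMPLE_NAME, SAMPLE_BYTES + b"\n", SAMPLE_GPG_STYLE))
```

The check is only meaningful when the `.sha512` text is fetched from the official ASF location rather than from the same place as the asset being checked.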
