On Sat, Jun 20, 2015 at 1:58 AM, Roman Shaposhnik <r...@apache.org> wrote: > On Fri, Jun 19, 2015 at 9:56 PM, Sean Busbey <bus...@cloudera.com> wrote: > > Reading through the ASF policy on releases[3], this looks to me like a > > violation of the policy of only making releases available outside of the > > development community. > > A version of this question was raised when I was asking how soon ASF > can have its own Docker registry (the discussion was on infra@) > Basically it boils down to the fact that as a developer and tester on > the project > having a Docker image that I can simply docker run to test/etc. has become > part of my daily routine. This is as useful as having a -NIGHTLY snapshot in > the Maven repo. > >
It's problematic to reference non-public lists that other folks can't go follow along with. I re-read that thread on infrastructure@, and I don't see anyone bring up the matter of nightly builds. All the support is around publishing docker images that contain released software. AFAIK, the current policy would apply equally to SNAPSHOTs put in the Maven repo. That is, those SNAPSHOT artifacts are for the development community *only* and they must not be pointed to for downstream users. The current policy makes it clear that it if a non-released artifact is getting used outside of the development community that is not okay and needs to be addressed. That would similarly go for SNAPSHOT maven artifacts. Your point in that private list about Maven Central and Docker Hub is very relevant; I agree they are essentially the same kind of publish-to-the-public access point. While we have SNAPSHOT artifacts posted to the ASF maven repo, that repo is not mirrored into Maven Central because it would be against foundation policy. I imagine that once the ASF wide registry provided by Infra goes live, it will similarly have a non-mirrored space for within-project use and an area that is mirrored out to Docker Hub for public facing distribution. What the Geode PMC is currently doing is the equivalent to a project publishing the SNAPSHOT artifacts to Maven Central. I hope we are all in agreement that that would be inappropriate. > > 1) The short version of the ASF policy is that a project must not encourage > > end users to use anything other than releases that have been voted on by a > > PMC (and for incubating projects the IPMC). > > Sure. I'd agree with you that this is the question of labeling. How to clearly > label Docker artifacts not intended for downstream consumption the same > way we do with -SNAPSHOT Maven artifacts would be a good discussion > to be had on general@incubator > > > 2) The Docker Hub is external to the foundation, generally accessible to > > those outside of the development community, and expressly geared towards > > pushing to downstream users. > > I don't agree with the last statement. In fact, 50% of what I use Docker > images within ASF projects is build automation. This has nothing to do > with using the software as a downstream user. > I have also seen lots of folks successfully use Docker images to do build automation. That's not related to the matter at hand, which is publishing to the Docker Hub. Nothing other than Geode showed up in a superficial search for nightly builds from ASF projects. The tweet from the Geode PMC, the blog post, and a quick search of twitter for additional references makes discussion of possible uses of docker and the hub irrelevant. The docker image on Docker Hub is of non released software and is being used outside of the development community. It needs to be removed. > > Docker Hub can also be limited to distributing images just within a > > development team, however you appear to be pointing those outside of the > > dev@geode list at the image. > > That is a good point. > > > 3) You have a wiki page that details making use of the image on Docker > > Hub[4]. > > > > That page is a subpage of a wiki section entitled "Develop", so it might be > > intended for dev@geode use, but it is not obvious from the page. > > Additionally, your public facing twitter account posted a link to said > > page[5]. > > > > 4) You have a public facing blog post that points folks to both the Docker > > Hub image and a direct download of a nightly build tarball[6]. > > > > ---- > > > > Please clean all of this up. > > Some of it will be cleaned up and updated, some of it requires further > discussion > on general@ I'll bring the discussion there on Mon or so. > > Thanks for bringing this to our attention. > > > > I can empathize with the desire for a faster > > feedback cycle with end users. As many at the ASF, I'm a proponent of tight > > feedback cycles; but the apparent conflict between foundation policy and > > this kind of publishing means I have to push eager communities (like > > yourselves and the NiFi community) to constrain themselves to properly PMC > > blessed releases. > > Personally, I see these cases as an opportunity to make sure that our policy > is in support of of the foundation goals AND the goals of the software > communities > we serve. I wish NiFi concerns were brought up to the attention of IPMC. > I encourage more discussion of this on general@incubator (though the release policy would have to go to legal-discuss), but the publishing of non-released software is a foundation policy with a basis in how we meet our legal obligations. It is not an area where "better to ask forgiveness" works. The first step of the discussion to change the policy is to comply with it. -- Sean
