On 25.03.2015 09:35, Dmitriy Setrakyan wrote:
> The first official Apache Ignite release (albeit release candidate) was
> uploaded and the download page is updated:
>
> https://ignite.incubator.apache.org/download.html


Well, I have to say I'm confused and just a bit unhappy.

We voted on a source package named

    incubator-ignite-1.0.0-rc3.zip

with hash

    68f74cff64dabf43e8f41bc478e814102a749cce

and now here I'm offered to download

    ignite-fabric-1.0.0-RC3-src.zip

with a different size and hash

    46e932dc4e05ce757ce156f0e30d0ea98920eea8

This is clearly not the source package we voted on, so it is not what
was released by the Incubator PMC. Please fix this ASAP and let's not
make this sort of mistake again. You have to publish the exact same
package that was voted for release, not something else, even if the
differences are trivial.


Next, the package name: I'm not aware of an Apache project or podling
called "Ignite fabric". The "incubator-ignite-x.y.z" name was fine, I
don't understand why you renamed it. Once the podling graduates, I'd
expect the package to be called 'apache-ignite-x.y.x' or just
'ignite-x.y.x'.


Next, it would be nice if the download page stated explicitly that the
binary package is there for convenience and is not an official ASF
release. My suggestion would be to split the page into three sections:

  * Downloads of official ASF released sources
  * Instructions for building from source (either the unpacked package
    or from git, or both)
  * Link to convenience binaries built from the released sources


And last, I believe I mentioned at some point that posting download
links to the ASF dist server is frowned upon. The thing to do is to post
a link to a mirror; for example:

    http://www.apache.org/dyn/closer.cgi?path=incubator/ignite/source/ignite-fabric-1.0.0-RC3-src.zip

this will return a link to the geographically closest mirror. Be aware
that it can take up to 24 hours for mirrors to synchronize once the
package is on the dist server, so it's a good idea to wait that long
before posting the download link and announcing the release.

There are ways, with a bit of scripting on the site, to get direct
download links instead of bouncing people through the mirrors page;
here's an example:

    http://httpd.apache.org/download.cgi

Note that this page keeps the PGP/hash links pointing to our dist server
so that a malicious hacker would have to hack into both your mirror and
the master server to fake hashes and signatures on a hacked package.


-- Brane
