Looking into it... On Wed, Mar 25, 2015 at 2:55 AM, Branko Čibej <[email protected]> wrote:
> On 25.03.2015 09:35, Dmitriy Setrakyan wrote: > > The first official Apache Ignite release (albeit release candidate) was > > uploaded and the download page is updated: > > > > https://ignite.incubator.apache.org/download.html > > > Well, I have to say I'm confused and just a bit unhappy. > > We voted on a source package named > > incubator-ignite-1.0.0-rc3.zip > > with hash > > 68f74cff64dabf43e8f41bc478e814102a749cce > > and now here I'm offered to download > > ignite-fabric-1.0.0-RC3-src.zip > > with a different size and hash > > 46e932dc4e05ce757ce156f0e30d0ea98920eea8 > > This is clearly not the source package we voted on, so it is not what > was released by the Incubator PMC. Please fix this ASAP and let's not > make this sort of mistake again. You have to publish the exact same > package that was voted for release, not something else, even if the > differences are trivial. > > > Next, the package name: I'm not aware of an Apache project or podling > called "Ignite fabric". The "incubator-ignite-x.y.z" name was fine, I > don't understand why you renamed it. Once the podling graduates, I'd > expect the package to be called 'apache-ignite-x.y.x' or just > 'ignite-x.y.x'. > > > Next, it would be nice if the download page stated explicitly that the > binary package is there for convenience and is not an official ASF > release. My suggestion would be to split the page into three sections: > > * Downloads of official ASF released sources > * Instructions for building from source (either the unpacked package > or from git, or both) > * Link to convenience binaries built from the released sources > > > And last, I believe I mentioned at some point that posting download > links to the ASF dist server is frowned upon. The thing to do is to post > a link to a mirror; for example: > > > http://www.apache.org/dyn/closer.cgi?path=incubator/ignite/source/ignite-fabric-1.0.0-RC3-src.zip > > this will return a link to the geographically closest mirror. Be aware > that it can take up to 24 hours for mirrors to synchronize once the > package is on the dist server, so it's a good idea to wait that long > before posting the download link and announcing the release. > > There are ways, with a bit of scripting on the site, to get direct > download links instead of bouncing people through the mirrors page; > here's an example: > > http://httpd.apache.org/download.cgi > > Note that this page keeps the PGP/hash links pointing to our dist server > so that a malicious hacker would have to hack into both your mirror and > the master server to fake hashes and signatures on a hacked package. > > > -- Brane >
