On 26 June 2013 09:47, sebb <seb...@gmail.com> wrote:
> I could not find any download links for Maven source packages.
>
> As the ASF primary purpose is to release source, and that must be
> released via the mirror system, there ought to be download pages with
> links to the source package, sigs, hashes and KEYS file.
>
> Yes, there are source packages for some Maven plugins, but that is not
> the same as providing download pages.
>
> AFAIK every single other ASF project has download pages.

As a PMC member, I welcome scrutiny that we are following the designated procedures. Apologies for the length, I had to do some digging around to actually remind myself of what we are meant to do.

According to http://www.apache.org/dev/release.html

http://www.apache.org/dev/release.html#where-do-releases-go

"Where do releases go?

A release isn't 'released' until the contents are in the project's distribution directory, which is a subdirectory of www.apache.org/dist/. In addition to the distribution directory, project that use Maven or a related build tool sometimes place their releases on repository.apache.org beside some convenience binaries. The distribution directory is required, while the repository system is an optional convenience."

And http://www.apache.org/dev/release.html#what-must-every-release-contain

"What Must Every ASF Release Contain?

Every ASF release must contain a source package, which must be sufficient for a user to build and test the release provided they have access to the appropriate platform and tools. The source package must be cryptographically signed by the Release Manager with a detached signature; and that package together with its signature must be tested prior to voting +1 for release. Folks who vote +1 for release may offer their own cryptographic signature to be concatenated with the detached signature file (at the Release Manager's discretion) prior to release.

Note that the PMC is responsible for all artifacts in their distribution directory, which is a subdirectory of www.apache.org/dist/ ; and all artifacts placed in their directory must be signed by a committer, preferably by a PMC member. It is also necessary for the PMC to ensure that the source package is sufficient to build any binary artifacts associated with the release.

Every ASF release must comply with ASF licensing policy. This requirement is of utmost importance and an audit should be performed before any full release is created.
In particular, every artifact distributed must contain only appropriately licensed code. More information can be found in the foundation website and in the release licensing FAQ."

And http://www.apache.org/dev/release.html#release-announcements

"How Should Releases Be Announced?

Please ensure that you wait at least 24 hours after uploading a new release before updating the project download page and sending the announcement email(s). This is so that mirrors have sufficient time to catch up. (For time-critical security releases, the download pages script supports bypassing this requirement.)"

As far as I can tell there is no official policy requiring projects to provide a download page. It is just a convenience to end users to give them a direct download link. The ASF documentation clearly defines where distributions must be placed. Since you want people to use your project it makes sense to create a download page to make it easy for them.

For Maven itself there are clearly defined download links from the main entry point http://maven.apache.org.

For plugins I don't think it makes any sense to provide direct download links to sources. I checked http://www.apache.org/dev/release.html#maven-artifacts, which links to http://www.apache.org/dev/publishing-maven-artifacts.html, which doesn't provide any more guidance here either.

So why doesn't it make sense to provide direct download links? Because it is Maven that is the consumer of artifacts rather than the end users. And an end user is not likely to be building a plugin from source and then installing it into their local Maven cache, it is much easier to get Maven to download the binaries and use them that way.

The only reason I can think of a user wanting access to the source is so they can make modifications, and if they don't know about the ASF distribution pages, we give them the source repository link, e.g.
http://maven.apache.org/plugins/maven-compiler-plugin/source-repository.html, on the automatically generated web pages. To me this is better as they can then create patches.

Does that make sense?