Hi all,

The question arises, with the rise of third party providers of Apache NetBeans convenience binaries, what the requirements are for those convenience binaries to be listed on the Apache NetBeans download page.

Some links as the basis of what follows:

https://infra.apache.org/release-publishing.html
https://www.apache.org/legal/release-policy.html#compiled-packages
https://infra.apache.org/release-signing.html#automated-release-signing
https://infra.apache.org/release-download-pages.html
https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+Security

From reading the above, I conclude the following, which once we come to agreement we can publish and link on the download page:

*Requirements for Convenience Binary Listing on the Apache NetBeans Download Page*

*1. The Artifact Itself*

1.1 The installer version number must exactly match the official Apache NetBeans source release it was built from.
1.2 The installer may only contain files that are the direct result of compiling that source release — nothing additional bundled in.
1.3 The installer must include the LICENSE and NOTICE files from the source release, respecting all licensing and attribution requirements.

*2. Branding & Presentation*

2.1 The third party's own download page must clearly label the installers as convenience builds, not official ASF releases.
2.2 The third party's pages must not link directly to dist.apache.org.

*3. Checksums*

3.1 The third party must provide SHA-256 and/or SHA-512 checksum files alongside each installer so users can verify integrity.
3.2 GPG signing with an Apache committer key is not required — platform-native code signing (Windows Authenticode, macOS notarization) plus SHA checksums is sufficient.
3.3 Document the decision not to GPG sign with an Apache key.

*4. On the Apache NetBeans Side*

4.1 The Apache NetBeans download page must continue to link to the official source distribution — this is mandatory regardless of whether the third party is listed.
4.2 Any listing of the third party's installers must be clearly presented as third-party convenience packages, not ASF-signed artifacts.
4.3 Links to ASF checksums and .asc signatures on the Apache page must reference https://downloads.apache.org/ — not the third party's hosting.

*5. Verification and Voting*

5.1 For third-party convenience binaries, the policies are silent on whether a separate vote or verification step is required before the Apache NetBeans download page can list them.
5.2 What's clear is:
5.2.1 The PMC vote covers the source release, not the third party's installers.
5.2.2 The third party builds independently from that approved source after the vote passes.
5.2.3 The distribution policy says third-party binaries "may be distributed alongside official source packages" provided they meet the content and licensing criteria, but sets no explicit voting or verification gate for the listing itself.

*6. Who Builds the Convenience Binary*

6.1 The policy documents don't explicitly address who builds the third party convenience binary.
6.2 The closest the policy gets is this passage from the compiled packages section:

"binary/bytecode packages MAY be distributed alongside official Apache releases… the binary/bytecode package MUST have the same version number as the source release and MUST only add binary/bytecode files that are the result of compiling that version of the source code release"

This sets the requirements on the artifact, not on who produces it or what hardware or process they use.
6.3 The "must be built on hardware owned and controlled by the committer" requirement that appears in the release policy explicitly refers to the source release process, not convenience binaries.
6.4 So the same situation as the voting question — the policy is silent on:
6.4.1 Whether the third party build environment needs to be trusted or audited in any way.
6.4.2 Whether a committer needs to be involved in or oversee the build.
6.4.3 Whether the build process needs to be documented or reproducible.
6.5 However, in practice, the Apache NetBeans project is implicitly vouching for the third party's installers by listing them on the download page, which suggests the Apache NetBeans community should at minimum have some internal policy on what they require from the third party before agreeing to list them — even if the ASF policy doesn't mandate it.

Thanks, comments welcome, especially the concluding point 6.5.

Gj
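As an added example that is not part of the mail above and not a script from the Apache NetBeans project, this is the verification step that item 3.1 expects end users to perform: a POSIX shell script that checks a downloaded installer against a published SHA-512 checksum file. It accepts both layouts such files commonly come in (a bare hex digest, or `<digest>  <filename>` as written by `sha512sum`/`shasum`) and rejects a checksum file that does not contain a plausible digest rather than silently comparing against garbage. The tool names are assumptions (it falls back from `sha512sum` to `shasum -a 512` for macOS), and every file name is hypothetical.

```shell
#!/bin/sh
# Added example: verify an installer against a SHA-512 checksum file.
# Not code from the mail or from the Apache NetBeans project.
# Assumes sha512sum (GNU coreutils) or shasum (macOS/Perl) is on PATH.

# Print the lower-case hex SHA-512 digest of the file named in $1.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Read the expected digest from the first line of checksum file $1.
# Works for "<hex>" and "<hex>  <filename>" (the file-name column, with or
# without the "*" binary marker, is simply ignored). Normalises to lower case.
expected_from_file() {
    head -n 1 "$1" | cut -d' ' -f1 | tr 'A-F' 'a-f'
}

# verify_checksum <artifact> <checksum-file>
#   exit 0: digest matches
#   exit 1: digest does not match (corrupted or substituted artifact)
#   exit 2: checksum file does not contain a 128-hex-character digest
verify_checksum() {
    art=$1
    sum=$2
    exp=$(expected_from_file "$sum")
    case "$exp" in
        *[!0-9a-f]*|"") return 2 ;;
    esac
    [ "${#exp}" -eq 128 ] || return 2
    got=$(sha512_of "$art")
    [ "$got" = "$exp" ]
}

# Usage: sh verify.sh <installer> <installer.sha512>
# (hypothetical file names; no-op when run without arguments)
if [ "$#" -eq 2 ]; then
    if verify_checksum "$1" "$2"; then
        echo "OK: $1 matches $2"
    else
        echo "FAIL: $1 does not match $2" >&2
        exit 1
    fi
fi
```

One practical caveat: a checksum fetched from the same host as the installer only detects corruption in transit, not substitution by whoever controls that host, since an attacker who replaces the installer can replace the `.sha512` file next to it just as easily. The reference digest (or a signature) has to come from an independent location the user already trusts before the check protects against a compromised download host; the script above only answers whether the bytes on disk match the digest it was handed.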
