On 26 Jun 2014, at 20:19, Raymond Camden wrote:
> So to be clear, an Apache project can't use npm? Or it can't *only*
> use npm?
Not quite. An Apache project releases artifacts which can be downloaded from Apache hardware. These artifacts are signed and voted upon.

That aside, if there are volunteers wanting to maintain something like npm, it's perfectly fine. Projects can also say they maintain it, but I would give guarantees on services which are controlled by the ASF.

In other words: "these npm artifacts are uploaded by members of the Ripple project, but if you need to make sure about them, go to the canonical project and download from apache.org/dist, which is the official channel to get it."

See how we did it on Log4php:
http://logging.apache.org/log4php/download.html
(packagist, the npm for PHP people)

We provide the source packages as requested and added an alternate distribution channel. Whoever needs to check the sigs can still use our own package.

Makes sense?

Cheers
> On Thu, Jun 26, 2014 at 12:29 PM, Christian Grobmeier <[email protected]> wrote:
>> Hey guys,
>>
>> glad you have found some time working on Ripple.
>>
>> Please note, this push can't be considered a release in the Apache way. I am aware this is how lots of open source projects work today, but it's not how the ASF does releases. In fact, the ASF has quite a bunch of requirements to release. These requirements need to be met because they protect us from legal issues, and also our users.
>>
>> Here is a document about that:
>> http://apache.org/dev/release.html#what-must-every-release-contain
>>
>> A few important requirements:
>>
>> A release must be available in source format and from apache.org as a download as well.
>>
>> It must get 3 +1 votes from PMC members; in the incubator it must also get 3 +1 votes from Incubator members.
>>
>> A release must have a LICENSE file, NOTICE file etc. and must contain only AL 2.0 files or files compatible with the license (for example BSD, but not GPL).
>>
>> Also the release artifact must be signed cryptographically.
>>
>> This is what currently doesn't seem to work with npm. It doesn't support key signing.
>>
>> That being said, npmjs can't be considered an official source of Ripple, as we can't tell people they actually get what we promise (no signing).
>>
>> Also we miss the +1 of the project team, which in fact means that releasing this would make the release manager personally responsible for the artifact. Knowing that there are images in the package of which we do not own the rights, this is a problem.
>>
>> I absolutely do know that the ASF requirements are tough, but I think they are worth it.
>>
>> If the team thinks they are not of use, then we need to move out to GitHub.
>>
>> If the team thinks they are good - for example some enterprise customers are having tough requirements of what they can use and what not, too - then we need to work towards a first, official release.
>
> --
> ===========================================================================
> Raymond Camden, Web Developer for Adobe
> Email : [email protected]
> Blog : www.raymondcamden.com
> Twitter: raymondcamden
---
http://www.grobmeier.de
The Zen Programmer: http://bit.ly/12lC6DL
@grobmeier
GPG: 0xA5CC90DB
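The thread's point is that apache.org/dist is the canonical channel because a downloader can verify what they got: the artifact ships with a detached GPG signature (.asc) and a checksum file, and npm at the time offered neither. As an added example, not code from this thread nor from the Ripple or Log4php projects, the script below performs that verification on a downloaded release. It assumes the usual Apache layout (artifact, artifact.sha512, artifact.asc, plus the project's KEYS file), that the gpg binary is on PATH, and that the two .sha512 layouts seen on Apache mirrors are the coreutils style and the `gpg --print-md` style; the helper names and the sample file names are my own.

```python
"""Verify an Apache-style release download: checksum file plus detached GPG
signature checked against the project's KEYS file (added example)."""
import hashlib
import hmac
import re
import shutil
import subprocess
from pathlib import Path

HEX128 = re.compile(r"^[0-9a-f]{128}$")


def parse_sha512_file(text: str) -> str:
    """Return the lowercase hex digest recorded in a .sha512 file.

    Two layouts are handled: coreutils style "<hex>  <filename>" and the
    `gpg --print-md SHA512` style "<filename>: DDAF 35A1 ..." where the hex is
    grouped and may continue on indented follow-up lines.
    """
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty checksum file")
    tokens = lines[0].split()
    if tokens and HEX128.match(tokens[0].lower()):
        hex_parts = [tokens[0]]                      # coreutils layout
    else:
        _, sep, rest = lines[0].partition(":")       # "<filename>: ..." layout
        if not sep:
            raise ValueError("unrecognised checksum layout")
        hex_parts = [rest] + lines[1:]
    digest = "".join("".join(hex_parts).split()).lower()   # drop all whitespace
    if not HEX128.match(digest):
        raise ValueError("checksum file does not contain a SHA-512 digest")
    return digest


def make_checksum_text(data: bytes, filename: str, style: str) -> str:
    """Build a .sha512 file body in either layout (used for the demo/tests)."""
    hexd = hashlib.sha512(data).hexdigest()
    if style == "coreutils":
        return f"{hexd}  {filename}\n"
    groups = [hexd[i:i + 4].upper() for i in range(0, 128, 4)]   # 32 groups
    rows = [" ".join(groups[i:i + 8]) for i in range(0, 32, 8)]
    return f"{filename}: {rows[0]}\n" + "".join(f"        {r}\n" for r in rows[1:])


def checksum_matches(artifact: bytes, checksum_text: str) -> bool:
    """Constant-time comparison of the artifact's SHA-512 with the recorded one."""
    expected = parse_sha512_file(checksum_text)
    actual = hashlib.sha512(artifact).hexdigest()
    return hmac.compare_digest(actual, expected)


def signature_is_valid(artifact: Path, signature: Path, keys_file: Path,
                       gnupg_home: Path) -> bool:
    """Import the project's KEYS into an isolated keyring and verify the
    detached signature. Assumes gpg is installed; exit code 0 means the
    signature was made by a key present in KEYS (trust is a separate question)."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found on PATH")
    gnupg_home.mkdir(mode=0o700, parents=True, exist_ok=True)
    base = ["gpg", "--batch", "--homedir", str(gnupg_home)]
    subprocess.run(base + ["--import", str(keys_file)], check=True,
                   capture_output=True)
    result = subprocess.run(base + ["--verify", str(signature), str(artifact)],
                            capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed stand-in for a release tarball; no network access needed.
    tarball = b"constructed ripple release bytes"
    for style in ("coreutils", "gpg"):
        ok = checksum_matches(tarball, make_checksum_text(tarball, "ripple.tgz", style))
        print(f"{style:10s} checksum ok: {ok}")
    tampered = checksum_matches(tarball + b"!", make_checksum_text(tarball, "ripple.tgz", "coreutils"))
    print(f"tampered artifact accepted: {tampered}")
    # Real use (paths are placeholders):
    # signature_is_valid(Path("ripple.tgz"), Path("ripple.tgz.asc"),
    #                    Path("KEYS"), Path("/tmp/ripple-verify-gnupg"))
```

The checksum alone only proves the bytes match what the mirror published; it is the signature check that ties the download to a key in the project's KEYS file, which is exactly what the npm channel could not offer. A zero exit status from gpg says the signature is good for some key in that keyring, so the remaining step is to confirm the fingerprint belongs to the release manager, not to assume the keyring is trusted.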