I suppose so. Thanks.

On Thu, Jun 26, 2014 at 4:11 PM, Christian Grobmeier <[email protected]> wrote:

> On 26 Jun 2014, at 20:19, Raymond Camden wrote:
>
>> So to be clear, an Apache project can't use npm? Or it can't *only* use
>> npm?
>
> Not quite. An Apache project releases artifacts which can be downloaded
> from Apache hardware. These artifacts are signed and voted upon.
> That aside, if there are volunteers wanting to maintain something like npm,
> it's perfectly fine. Projects can also say they maintain it: but I would
> give guarantees on services which are controlled by the ASF.
>
> In other words: "these npm artifacts are uploaded by members of the ripple
> projects, but if you need to make sure about them, go to the canonical
> project and download from apache.org/dist which is the official channel
> to get it."
>
> See how we did it on Log4php:
> http://logging.apache.org/log4php/download.html
> (packagist the npm for php people)
>
> We provide the source packages as requested and added an alternate
> distribution channel. Whoever needs to check the sigs can still use our
> own package.
>
> Makes sense?
>
> Cheers
>
>> On Thu, Jun 26, 2014 at 12:29 PM, Christian Grobmeier <[email protected]>
>> wrote:
>>
>>> Hey guys,
>>>
>>> glad you have found some time working on Ripple.
>>>
>>> Please note, this push can't be considered a release in the Apache way. I
>>> am aware this is how lots of open source projects work today, but it's not
>>> how the ASF does releases. In fact, the ASF has quite a bunch of
>>> requirements to release. These requirements need to be met because they
>>> protect us before legal issues, and also our users.
>>>
>>> Here is a document about that:
>>> http://apache.org/dev/release.html#what-must-every-release-contain
>>>
>>> A few important requirements:
>>>
>>> A release must be available in source format and from apache.org as a
>>> download as well.
>>> It must get 3 +1 votes from PMC members, in the incubator it must also get
>>> 3 +1 votes from Incubator members.
>>>
>>> A release must have LICENSE file, NOTICE file etc and must contain only AL
>>> 2.0 files or files compatible to the license (for example BSD, but not GPL).
>>>
>>> Also the release artifact must be signed cryptographically.
>>>
>>> This is what currently doesn't seem to work with npm. It doesn't support
>>> key signing.
>>>
>>> That being said, npmjs can't be considered an official source of Ripple,
>>> as we can't tell people they actually get what we promise (no signing).
>>> Also we miss the +1 of the project team which in fact means that releasing
>>> this would make the release manager responsible personally for the artifact.
>>> Knowing that there are images in the package of which do not own the rights,
>>> this is a problem.
>>>
>>> I absolutely do know that the ASF requirements are tough, but I think they
>>> are worth it.
>>> If the team thinks they are not of use, then we need to move out to GitHub.
>>> If the team thinks they are good - for example some enterprise customers
>>> are having tough requirements of what they can use and what not too - then
>>> we need to work towards a first, official release.
>>
>> --
>> ===========================================================================
>> Raymond Camden, Web Developer for Adobe
>>
>> Email : [email protected]
>> Blog : www.raymondcamden.com
>> Twitter: raymondcamden
>
> ---
> http://www.grobmeier.de
> The Zen Programmer: http://bit.ly/12lC6DL
> @grobmeier
> GPG: 0xA5CC90DB

--
===========================================================================
Raymond Camden, Web Developer for Adobe

Email : [email protected]
Blog : www.raymondcamden.com
Twitter: raymondcamden
