PS: Oops. Disregard my GitHub comment. I realized GitHub was mentioned in another thread talking about what to do with Ripple (catching up).
On Wed, Jul 2, 2014 at 5:17 PM, Brent Lintner <[email protected]> wrote: > Hey Christian, > > >>>> > Please note, this push can't be considered a release in the Apache way. I > am aware this is how lots of open source projects work to day, but it's not > how the ASF does releases. In fact, the ASF has quite a bunch of > requirements to release. These requirements need to be met because they > protect us before legal issues, and also our users. > >>>> > > Indeed! I do apologize. Like before, I am more so pushing it voluntarily > (outside ASF) to get it out there and used- which seems OK (given your > reply about NPM). I hope I don't come off as ignoring anything that you > have mentioned!!! :-) > > For me though: This is how I (personally) prefer to work in open source > (without restriction), so such ASF requirements (compared to merging PRs > and getting code out) are on the lowest of my list (if at all)- but that is > *certainly* not an excuse. :-s > > Not sure what others think of being fully on GitHub- I was not quite sure > if that was an option, vs going into Cordova. Not sure who would own the > code, etc? > > In the meantime, I will try my best to get into those ASF requirements > (images, for one), while we figure out what to do with the project in > general. > > Cheers, > > > On Fri, Jun 27, 2014 at 10:33 AM, Raymond Camden <[email protected]> > wrote: > >> I suppose so. Thanks. >> >> >> On Thu, Jun 26, 2014 at 4:11 PM, Christian Grobmeier <[email protected] >> > >> wrote: >> >> > On 26 Jun 2014, at 20:19, Raymond Camden wrote: >> > >> > So to be clear, an Apache project can't use npm? Or it can't *only* use >> >> npm? >> >> >> > >> > Not quite. An Apache project releases artifacts which can be downloaded >> > from Apache hardware. These artifacts are signed and voted upon. >> > That aside, if there are volunteers wanting to maintain something like >> npm >> > its perfectly fine. projects can also say they maintain it: but I would >> > give guarantees on services which are controlled by the ASF. >> > >> > In other words: "these npm artifacts are uploaded by members of the >> ripple >> > projects, but if you need to make sure about them, go to the canonical >> > project and download from apache.org/dist which is the official channel >> > to get it." >> > >> > See how we did it on Log4php: >> > http://logging.apache.org/log4php/download.html >> > (packagist the npm for php people) >> > >> > We provide the source packages as requested and added an alternate >> > distribution channel. Whoever needs to check the sigs, can still use our >> > own package. >> > >> > Makes sense? >> > >> > Cheers >> > >> > >> > >> > >> >> >> >> On Thu, Jun 26, 2014 at 12:29 PM, Christian Grobmeier < >> >> [email protected]> >> >> wrote: >> >> >> >> Hey guys, >> >>> >> >>> glad you have found some time working on Ripple. >> >>> >> >>> Please note, this push can't be considered a release in the Apache >> way. I >> >>> am aware this is how lots of open source projects work to day, but >> it's >> >>> not >> >>> how the ASF does releases. In fact, the ASF has quite a bunch of >> >>> requirements to release. These requirements need to be met because >> they >> >>> protect us before legal issues, and also our users. >> >>> >> >>> Here is a document about that: >> >>> http://apache.org/dev/release.html#what-must-every-release-contain >> >>> >> >>> A few important requirements: >> >>> >> >>> a release must be available in source format and from apache.org as a >> >>> download as well. >> >>> It must get 3 +1 votes from PMC members, in the incubator it must also >> >>> get >> >>> 3 +1 votes >> >>> from Incubator members. >> >>> >> >>> A release must have LICENSE file, NOTICE file etc and must contain >> only >> >>> AL >> >>> 2.0 files >> >>> or files compatible to the license (in example BSD, but not GPL). >> >>> >> >>> Also the release artifact must be signed cryptograhpically. >> >>> >> >>> This is what currently doesn't seem to work with npm. It doesn't >> support >> >>> key signing. >> >>> >> >>> That being said, npmjs can't be considered an official source of >> Ripple, >> >>> as we can't >> >>> tell people they actually get what we promise (no signing). >> >>> Also we miss the +1 of the project team which in fact means that >> >>> releasing >> >>> this >> >>> would make the release manager responsible personally for the >> artifact. >> >>> Knowing >> >>> that there are images in the package of which do not own the rights, >> this >> >>> is a problem. >> >>> >> >>> I absolutely do know that the ASF requirements are tough, but I think >> >>> they >> >>> are worth it. >> >>> If the team thinks they are not of use, then we need to move out to >> >>> GitHub. >> >>> If the team thinks they are good - in example some enterprise >> customers >> >>> are having tough >> >>> requirements of what they can use and what not too - then we need to >> work >> >>> towards a first, >> >>> official release. >> >>> >> >>> >> >>> >> >>>>>>> >> >> -- >> >> ============================================================ >> >> =============== >> >> Raymond Camden, Web Developer for Adobe >> >> >> >> Email : [email protected] >> >> Blog : www.raymondcamden.com >> >> Twitter: raymondcamden >> >> >> > >> > >> > --- >> > http://www.grobmeier.de >> > The Zen Programmer: http://bit.ly/12lC6DL >> > @grobmeier >> > GPG: 0xA5CC90DB >> > >> >> >> >> -- >> >> =========================================================================== >> Raymond Camden, Web Developer for Adobe >> >> Email : [email protected] >> Blog : www.raymondcamden.com >> Twitter: raymondcamden >> > > > > -- > Brent Lintner > -- Brent Lintner
