Hey Christian,

>>>>
Please note, this push can't be considered a release in the Apache way. I
am aware this is how lots of open source projects work today, but it's not
how the ASF does releases. In fact, the ASF has quite a bunch of
requirements to release. These requirements need to be met because they
protect us before legal issues, and also our users.
>>>>

Indeed! I do apologize. Like before, I am more so pushing it voluntarily
(outside ASF) to get it out there and used- which seems OK (given your
reply about NPM). I hope I don't come off as ignoring anything that you
have mentioned!!! :-)

For me though: This is how I (personally) prefer to work in open source
(without restriction), so such ASF requirements (compared to merging PRs
and getting code out) are on the lowest of my list (if at all)- but that is
*certainly* not an excuse. :-s

Not sure what others think of being fully on GitHub- I was not quite sure
if that was an option, vs going into Cordova. Not sure who would own the
code, etc?

In the meantime, I will try my best to get into those ASF requirements
(images, for one), while we figure out what to do with the project in
general.

Cheers,


On Fri, Jun 27, 2014 at 10:33 AM, Raymond Camden <[email protected]>
wrote:

> I suppose so. Thanks.
>
>
> On Thu, Jun 26, 2014 at 4:11 PM, Christian Grobmeier <[email protected]>
> wrote:
>
> > On 26 Jun 2014, at 20:19, Raymond Camden wrote:
> >
> >  So to be clear, an Apache project can't use npm? Or it can't *only* use
> >> npm?
> >>
> >
> > Not quite. An Apache project releases artifacts which can be downloaded
> > from Apache hardware. These artifacts are signed and voted upon.
> > That aside, if there are volunteers wanting to maintain something like npm
> > it's perfectly fine. Projects can also say they maintain it: but I would
> > give guarantees on services which are controlled by the ASF.
> >
> > In other words: "these npm artifacts are uploaded by members of the ripple
> > projects, but if you need to make sure about them, go to the canonical
> > project and download from apache.org/dist which is the official channel
> > to get it."
> >
> > See how we did it on Log4php:
> > http://logging.apache.org/log4php/download.html
> > (packagist the npm for php people)
> >
> > We provide the source packages as requested and added an alternate
> > distribution channel. Whoever needs to check the sigs, can still use our
> > own package.
> >
> > Makes sense?
> >
> > Cheers
> >
> >
> >
> >
> >>
> >> On Thu, Jun 26, 2014 at 12:29 PM, Christian Grobmeier <
> >> [email protected]>
> >> wrote:
> >>
> >>  Hey guys,
> >>>
> >>> glad you have found some time working on Ripple.
> >>>
> >>> Please note, this push can't be considered a release in the Apache way. I
> >>> am aware this is how lots of open source projects work today, but it's not
> >>> how the ASF does releases. In fact, the ASF has quite a bunch of
> >>> requirements to release. These requirements need to be met because they
> >>> protect us before legal issues, and also our users.
> >>>
> >>> Here is a document about that:
> >>> http://apache.org/dev/release.html#what-must-every-release-contain
> >>>
> >>> A few important requirements:
> >>>
> >>> a release must be available in source format and from apache.org as a
> >>> download as well.
> >>> It must get 3 +1 votes from PMC members, in the incubator it must also
> >>> get
> >>> 3 +1 votes
> >>> from Incubator members.
> >>>
> >>> A release must have LICENSE file, NOTICE file etc and must contain only
> >>> AL
> >>> 2.0 files
> >>> or files compatible to the license (in example BSD, but not GPL).
> >>>
> >>> Also the release artifact must be signed cryptographically.
> >>>
> >>> This is what currently doesn't seem to work with npm. It doesn't
> support
> >>> key signing.
> >>>
> >>> That being said, npmjs can't be considered an official source of
> Ripple,
> >>> as we can't
> >>> tell people they actually get what we promise (no signing).
> >>> Also we miss the +1 of the project team which in fact means that
> >>> releasing
> >>> this
> >>> would make the release manager responsible personally for the artifact.
> >>> Knowing
> >>> that there are images in the package of which do not own the rights,
> this
> >>> is a problem.
> >>>
> >>> I absolutely do know that the ASF requirements are tough, but I think
> >>> they
> >>> are worth it.
> >>> If the team thinks they are not of use, then we need to move out to
> >>> GitHub.
> >>> If the team thinks they are good - in example some enterprise customers
> >>> are having tough
> >>> requirements of what they can use and what not too - then we need to
> work
> >>> towards a first,
> >>> official release.
> >>>
> >>>
> >>>
> >>>>>>>
> >> --
> >> ===========================================================================
> >> Raymond Camden, Web Developer for Adobe
> >>
> >> Email : [email protected]
> >> Blog : www.raymondcamden.com
> >> Twitter: raymondcamden
> >>
> >
> >
> > ---
> > http://www.grobmeier.de
> > The Zen Programmer: http://bit.ly/12lC6DL
> > @grobmeier
> > GPG: 0xA5CC90DB
> >
>
>
>
> --
> ===========================================================================
> Raymond Camden, Web Developer for Adobe
>
> Email : [email protected]
> Blog : www.raymondcamden.com
> Twitter: raymondcamden
>



-- 
Brent Lintner
