Thanks Roman and Chris,

I see here http://www.apache.org/dev/release.html#mirroring that "Project
download pages must link to the mirrors" but I don't see anything about
ordering.

I'm definitely +1 for including a link to the apache mirrors as required
and providing the Cloudfront link first since this seems to satisfy the
apache requirements and provide a better experience for users.

Patrick, thanks again for all your hard work on this release and for
pushing back on parts of the Apache process as you go. That's how
do-ocracies stay healthy and evolve.

On Sep 26, 2013 7:23 PM, "Mattmann, Chris A (398J)" <chris.a.mattm...@jpl.nasa.gov> wrote:

> Hi Patrick will reply in more detail later but please know that linking to
> the apache download page is not a request it's a requirement. I will
> explain more in a bit.
>
> Cheers,
> Chris
>
> Sent from my iPhone
>
> On Sep 26, 2013, at 8:09 PM, "Patrick Wendell" <pwend...@gmail.com> wrote:
>
> > Chris et al,
> >
> > I'm -1 on this because it has many negative consequences for our
> > existing users:
> >
> > 1. Users who do automated downloads based on our posted URLs (of
> > which we get many thousands each release) will no longer work. Now if
> > they do "wget XXX" with our posted link, it will fail in a weird way
> > due to the redirect page. Is there a version of the closer.cgi
> > script which just performs 302 redirects instead of asking me to click
> > on a link?
> >
> > 2. All other users have to click through an additional page to
> > download the software.
> >
> > 3. Amazon Cloudfront is, as a whole, much more reliable and higher
> > bandwidth than the mirror network.
> >
> > These are my concerns, that basically we're causing our users to have
> > a much worse experience. I've identified these concerns with moving to
> > the apache mirror, but perhaps I've overlooked some benefits that
> > would counteract these. Are there benefits?
> >
> > I completely agree that we need to send users to the signatures and
> > hashes at the Apache release site (to verify the release). So I did
> > add the link to this directly adjacent to the download.
> >
> > - Patrick
> >
> > On Thu, Sep 26, 2013 at 3:50 PM, Chris Mattmann <mattm...@apache.org> wrote:
> >> Hey Guys,
> >>
> >> Yep the link should be the dyn/closer.cgi link on the website and +1
> >> to Roman's comment about auditing spark-project.org links to be
> >> replaced with ASF counterparts.
> >>
> >> Cheers,
> >> Chris
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: Patrick Wendell <pwend...@gmail.com>
> >> Reply-To: "dev@spark.incubator.apache.org" <dev@spark.incubator.apache.org>
> >> Date: Wednesday, September 25, 2013 4:08 PM
> >> To: "dev@spark.incubator.apache.org" <dev@spark.incubator.apache.org>
> >> Subject: Re: Spark 0.8.0: bits need to come from ASF infrastructure
> >>
> >>> Yep, we definitely need to just directly point people to the location at
> >>> apache.org where they can find the hashes. I just updated the release
> >>> notes and downloads page to point to that site.
> >>>
> >>> I just wanted to point out that mirroring these through a CDN seems
> >>> philosophically the same as mirroring through Apache, since in neither
> >>> case do we expect the users to trust the artifact they download. We
> >>> just need to be more explicit that we are, indeed, mirroring and
> >>> explain that the trusted root is at apache.org
> >>>
> >>> - Patrick
> >>>
> >>> On Wed, Sep 25, 2013 at 3:56 PM, Roman Shaposhnik <r...@apache.org> wrote:
> >>>> On Wed, Sep 25, 2013 at 3:48 PM, Patrick Wendell <pwend...@gmail.com> wrote:
> >>>>> Hey we've actually distributed our artifacts through amazon cloudfront
> >>>>> in the past (and that is where the website links redirect to).
> >>>>>
> >>>>> Since the apache mirrors don't distribute signatures anyways,
> >>>>
> >>>> True, but apache dist does. IOW, it is not uncommon for those
> >>>> having automated build/fetching systems to get bits from
> >>>> one of the mirrors and then get the hashes directly from dist.
> >>>>
> >>>> In your current case, I don't think I know of a way to do that.
> >>>>
> >>>> Now, you may say that the current CDN you guys are using
> >>>> is functioning like a mirror -- well, I'd say that it needs to be
> >>>> called out like one then.
> >>>>
> >>>> Otherwise, as a naive user I *really* have to guess where
> >>>> to get the hashes.
> >>>>
> >>>>> what is the difference between linking to an apache mirror vs using a
> >>>>> more robust CDN? If people want to verify the downloads they need to go to
> >>>>> the apache root in either case.
> >>>>>
> >>>>> Is this just a cultural thing or is there some security reason?
> >>>>
> >>>> A bit of both I guess.
> >>>>
> >>>> Thanks,
> >>>> Roman.
> >>
> >>
>
