Hi Andy, -----Original Message-----
From: Andy Konwinski <[email protected]> Reply-To: "[email protected]" <[email protected]> Date: Thursday, September 26, 2013 7:59 PM To: "[email protected]" <[email protected]> Subject: Re: Spark 0.8.0: bits need to come from ASF infrastructure >Thanks Roman and Chris, > >I see here http://www.apache.org/dev/release.html#mirroring that "Project >download pages must link to the mirrors" but I don't see anything about >ordering. Technically we ought to promote Apache's mirroring system as the Project Endorsed home for the project. As an Apache member and someone who values what the Foundation does for its projects and communities I don't think that's much to ask. If you guys feel strongly about the ordering of the Cloud Front first I'm open to it, I would just appreciate seeing some existing data showing that you guys have users who have tried the mirroring system from the ASF and it hasn't performed as well as the Amazon one. > >I'm definitely +1 for including a link to the apache mirrors as required >and providing the Cloudfront link first since this seems to satisfy the >apache requirements and provide a better experience for users. > >Patrick. Thanks again for all your hard work on this release and for >pushing back on parts of the Apache process as you go. That's how >do-ocracies stay healthy and evolve. Here here. This project doesn't have a "boss" and it's not me :) I'm just trying to spread my Apache knowledge and help you guys wear your Apache hats too since the project lives at the ASF now. I think you'll find the benefits of wearing those hats are many :) Cheers, Chris >On Sep 26, 2013 7:23 PM, "Mattmann, Chris A (398J)" < >[email protected]> wrote: > >> Hi Patrick will reply in more detail later but please know that linking >>to >> the apache download page is not a request it's a requirement. I will >> explain more in a bit. >> >> Cheers, >> Chris >> >> Sent from my iPhone >> >> On Sep 26, 2013, at 8:09 PM, "Patrick Wendell" <[email protected]> >>wrote: >> >> > Chris et al, >> > >> > I'm -1 on this because it has many negative consequences for our >> existing users: >> > >> > 1. Users who do automated downloads based on our posted URL's (of >> > which we get many thousands each release) will no longer work. Now if >> > they do "wget XXX" with our posted link, it will fail in a weird way >> > to due to the redirect page. Is there a version of the closer.cgi >> > script which just performs 302 redirects instead of asking me to click >> > on a link? >> > >> > 2. All other users have to click through an additional page to >> > download the software. >> > >> > 3. Amazon Cloudfront is, as a whole, much more reliable and higher >> > bandwidth than the mirror network. >> > >> > These are my concerns, that basically we're causing our users to have >> > a much worse experience. I've identified these concerns with moving to >> > the apache mirror, but perhaps I've overlooked some benefits that >> > would counteract these. Are there benefits? >> > >> > I completely agree that we need to send users to the signatures and >> > hashes at the Apache release site (to verify the release). So I did >> > add the link to this directly adjacent to the download. >> > >> > - Patrick >> > >> > On Thu, Sep 26, 2013 at 3:50 PM, Chris Mattmann <[email protected]> >> wrote: >> >> Hey Guys, >> >> >> >> Yep the link should by the dyn/closer.cgi link on the website and +1 >> >> to Roman's comment about auditing spark-project.org links to be >> replaced >> >> with ASF counterparts. >> >> >> >> Cheers, >> >> Chris >> >> >> >> >> >> >> >> -----Original Message----- >> >> From: Patrick Wendell <[email protected]> >> >> Reply-To: "[email protected]" < >> [email protected]> >> >> Date: Wednesday, September 25, 2013 4:08 PM >> >> To: "[email protected]" <[email protected]> >> >> Subject: Re: Spark 0.8.0: bits need to come from ASF infrastructure >> >> >> >>> Yep, we definitely need to just directly point people the location >>at >> >>> apache.org where they can find the hashes. I just updated the >>release >> >>> notes and downloads page to point to that site. >> >>> >> >>> I just wanted to point out that mirroring these through a CDN seems >> >>> philosophically the same as mirroring through Apache, since in >>neither >> >>> case do we expect the users to trust the artifact they download. We >> >>> just need to be more explicit that we are, indeed, mirroring and >> >>> explain that the trusted root is at apache.org >> >>> >> >>> - Patrick >> >>> >> >>> On Wed, Sep 25, 2013 at 3:56 PM, Roman Shaposhnik <[email protected]> >> wrote: >> >>>> On Wed, Sep 25, 2013 at 3:48 PM, Patrick Wendell >><[email protected]> >> >>>> wrote: >> >>>>> Hey we've actually distributed our artifacts through amazon >> cloudfront >> >>>>> in the past (and that is where the website links redirect to). >> >>>>> >> >>>>> Since the apache mirrors don't distribute signatures anyways, >> >>>> >> >>>> True, but apache dist does. IOW, it is not uncommon for those >> >>>> having an automated build/fetching systems to get bits from >> >>>> one of the mirrors and then get the hashes directly from dist. >> >>>> >> >>>> In your current case, I don't think I know of a way to do that. >> >>>> >> >>>> Now, you may say that the current CDN you guys are you using >> >>>> is functioning like a mirror -- well, I'd say that it needs to be >> >>>> called out like one then. >> >>>> >> >>>> Otherwise, as a naive user I *really* have to guess where >> >>>> to get the hashes. >> >>>> >> >>>>> what is the difference between linking to an apache mirror vs >>using a >> >>>>> more >> >>>>> robust CDN? If people want to verify the downloads they need to >>go to >> >>>>> the apache root in either case. >> >>>>> >> >>>>> Is this just a cultural thing or is there some security reason? >> >>>> >> >>>> A bit of both I guess. >> >>>> >> >>>> Thanks, >> >>>> Roman. >> >> >> >> >>
