Hi, The Distribution Guidelines[1] in ASF Incubator website wrote:
* Artifacts show up on https://www.npmjs.com/package/apache-<project>; version page. * Artifacts need to be placed in https://pypi.org/project/apache-<project>;. To comply with ASF release and distributions please ensure the following: Both require an "apache-" prefix, perhaps due to emphasize the Apache branding. But it may introduce a longy artifact name that goes against a conventional artifact name on that platform. I will start a discussion on these three topics: 1. A brief introduction for the frequent platforms ASF podlings and TLPs release to. 2. How do current podlings and TLPs do? 3. From a branding perspective, how do we protect the Apache brand? ## Platforms 1.1 DockerHub - We have the apache org; some project like Pulsar registers the apachepulsar org. 1.2 Maven - We host the org.apache domain name and have a nexus repository for releasing. 1.3 GitHub - We have the apache org. 1.4 NPM - We don't have an official account and this platform support org scope[2]. 1.5 Pypi - We don't have an official account and this platform uses a flattened view for packages. 1.6 Crates.io - We don't have an official account and this platform uses a flattened view for packages. The Rust/Cargo community discusses about the flavor [3]. 1.7 NuGet - We don't have an official account and this platform support org account[4]. ## Let's go into point 2 with these platforms in details. For 1.1~1.3, since the ASF has official place to hold distributions, there is few issue. For 1.4, below are some examples: * https://www.npmjs.com/package/apache-arrow * https://www.npmjs.com/package/apache-dubbo * https://www.npmjs.com/package/echarts * https://www.npmjs.com/package/openwhisk * https://www.npmjs.com/package/@apachedubbo/dubbo * https://www.npmjs.com/package/@apachedubbo/dubbo-node * https://www.npmjs.com/package/thrift * https://www.npmjs.com/package/opendal * https://www.npmjs.com/package/skywalking-client-js * https://www.npmjs.com/package/skywalking-backend-js Notably, these packages with "apache-" prefix and seems related are unofficial: * https://www.npmjs.com/package/apache-spark-node * https://www.npmjs.com/package/apache-log2 For 1.5, below are some examples: * https://pypi.org/project/apache-flink/ * https://pypi.org/project/apache-airflow-providers-apache-flink/ * https://pypi.org/project/apache-beam/ * https://pypi.org/project/apache-libcloud/ * https://pypi.org/project/apache-skywalking/ * https://pypi.org/project/apache-tvm/ * https://pypi.org/project/avro/ * https://pypi.org/project/datafusion/ * https://pypi.org/project/pyarrow/ * https://pypi.org/project/pyspark/ Notably, these packages with "apache-" prefix and seems related are unofficial: * https://pypi.org/project/apache-analyser/ * https://pypi.org/project/apache-manager/ * https://pypi.org/project/apache-server/ For 1.6, below are some examples: * https://crates.io/crates/apache-avro * https://crates.io/crates/arrow * https://crates.io/crates/parquet * https://crates.io/crates/skywalking * https://crates.io/crates/opendal Notably, these packages with "apache-" prefix and seems related are unofficial: * https://crates.io/crates/apache-rs * https://crates.io/crates/apache_age * https://crates.io/crates/apache-nimble-sys For 1.7, below are some examples: * https://www.nuget.org/packages/ApacheThrift * https://www.nuget.org/packages/Apache.Avro * https://www.nuget.org/packages/Apache.NMS * https://www.nuget.org/packages/Apache.Arrow * https://www.nuget.org/packages/Apache.Ignite * https://www.nuget.org/packages/Lucene.Net * https://www.nuget.org/packages/DotPulsar/ Notably, these packages with "Apache" prefix and seems related are unofficial: * https://www.nuget.org/packages/Apache.Thrift ## Now, for point 3, For 1.1~1.3, it's well-known and even can be verified with the platform that only ASF project member with permission can upload artifacts. For 1.4 and 1.7, if we have an official account and make it well-known, perhaps we can get the result as 1.1~1.3. For 1.5 and 1.6, the platforms are against categorizing packages with org, while for 1.6 (Crates.io), it supports add a GitHub team as a crate owner that can be "@apache/foo-committers". For 1.4~1.7, there are projects with "apache" prefix but not endorsed by an ASF project (P)PMC, the platform doesn't provide method to forbit them. And multiple projects were published without Apache in artifact name but have Apache brand in the metadata and README. Take a project Foo released to pypi as an example. Before donated to the ASF, by no reason it would include "apache" in name or even it's a brand occupancy issue itself. Now, the SGA is signed, so legally the name Foo is donated to the ASF. As time goes on, the truth that Foo is an ASF project spread. Back to the technical part, if the PMC now tells its user that the widely used name must be renamed to apache-foo, it's an extra burden to suffer. Given that the foo brand is transferred to the ASF with SGA, there is even no conflict to avoid. ## Proposal So, I propose to change the sentences referred above in Distribution Guidelines[1] from a requirement tongue into a recommendation tongue. Specificly, * Artifacts show up on https://www.npmjs.com/package/apache-<project>; version page. * Artifacts need to be placed in https://pypi.org/project/apache-<project>;. To comply with ASF release and distributions please ensure the following: Other sentences remain the same. Modifying metadata and README is cheap. Of course, the fact that they are "guidelines" already shows their recommendation property. But we run the Incubator and even the ASF by consensus. So here is the discussion for sharing thoughts. For 1.4 (NPM) and 1.7 (NuGet), if we later have an official scope/account with INFRA's help, we can encourage existing projects to migrate and gradually advocate its formality - why Maven releases don't have such friction for its audience? Because <group>org.apache.foo</group> is well-known and a self-claimed ASF project outside such group is doubtable. If we do care about the organization category, we should provide the necessary INFRA support first. For 1.5 (Pypi) and 1.6 (Crates.io), their culture is anti-organization and from some extra metadata and the README, it's not hard to figure out if the artifacts is an ASF product. Looking forward to your feedback. Best, tison. [1] https://incubator.apache.org/guides/distribution.html [2] https://docs.npmjs.com/creating-and-publishing-scoped-public-packages [3] https://github.com/rust-lang/cargo/issues/975 [4] https://learn.microsoft.com/en-us/nuget/nuget-org/organizations-on-nuget-org --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
