> On Apr 28, 2024, at 9:58 AM, tison <wander4...@gmail.com> wrote:
> 
> Thank you!
> 
> I found there is no rationale for these links, and thus, it's quite a bit
> challenging in memory.
> 
> IIRC the closer.lua script is for selecting the most proper CDN for
> source/binary bundles in use. They can, technically, work for SHASUM and
> signatures also. Why do we use https://downloads.apache.org for the latter
> two?

Historically we had a mirror network and closer.lua picked out a mirror near 
you. In order to be sure that the download source or binary on the mirror was 
not altered on (or on its way to or from) the mirror, the detached signature 
and checksums must be served from ASF controlled resources.

Whether or not this still makes sense is a discussion for Infra since they are 
charged with enforcing and supporting the release distribution policy.

Best,
Dave

> 
> Best,
> tison.
> 
> 
> sebb <seb...@gmail.com> wrote on Mon, Apr 29, 2024 at 00:34:
> 
>> On Sun, 28 Apr 2024 at 15:38, tison <wander4...@gmail.com> wrote:
>>> 
>>> Yeah. I support that we always need to release sources on our platform.
>>> 
>>> Given the links to downloads.apache.org, archive.apache.org,
>>> https://www.apache.org/dyn/closer.lua, can be unintuitive for users, I
>>> agree that we can have a simple Download page for such library-only
>>> projects.
>> 
>> The download page can also be used for links to release notes, and to
>> provide other support information.
>> 
>>> Here is a patch to cover a minimal download page [1], which is derived from
>>> OpenDAL's download page [2]. Welcome to leave comments if you find any
>>> issues or things we can improve on.
>>> 
>>> [1] https://github.com/apache/datafusion/pull/10271
>> 
>> The closer.lua script is only intended for the source and binary bundles.
>> 
>> The sigs and hashes (and KEYS) should link directly to
>> https://downloads.apache.org/datafusion/...
>> 
>>> [2] https://opendal.apache.org/download
>>> 
>>> Best,
>>> tison.
>>> 
>>> 
>>> Justin Mclean <jus...@classsoftware.com> wrote on Sun, Apr 28, 2024 at 10:02:
>>> 
>>>> Hi,
>>>> 
>>>> Projects need to make source releases on ASF infrastructure and have a
>>>> download page for good reasons. Some users need a place to verify and
>>>> download a trusted release. Having it hosted on ASF infrastructure means
>>>> people can 100% trust it, unlike 3rd party providers. 3rd party providers
>>>> have gone rogue in the past (e.g. Source Forge), disappeared (e.g. Google
>>>> Code), or had multiple serious issues (e.g. NPM). Also by placing a release
>>>> in the ASF distribution area / a project download page gives confidence
>>>> that the ASF release process has been followed and that it is not a release
>>>> by a 3rd party or an unofficial release of some sort.  IMO, all projects
>>>> need to have a download page, even if it may not be used by the majority of
>>>> users.
>>>> 
>>>> Kind Regards,
>>>> Justin
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>>>> For additional commands, e-mail: general-h...@incubator.apache.org
>>>> 
>>>> 
>> 
>> 
>> 
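An added example, not part of any message in this thread and not ASF or DataFusion code: a small linter for a download page that enforces the rule discussed above, that signatures, checksums and KEYS are linked directly from https://downloads.apache.org and never routed through closer.lua. The `.asc`/`.sha256`/`.sha512` suffixes, the `?path=` form of closer.lua links, the reason strings and the sample page are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

TRUSTED_HOSTS = {"downloads.apache.org"}          # host named in the thread
CLOSER_HOST, CLOSER_PATH = "www.apache.org", "/dyn/closer.lua"
VERIFY_SUFFIXES = (".asc", ".sha256", ".sha512")  # assumed naming of sigs/checksums


class _Hrefs(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def classify(href):
    """Return None if the link is acceptable, else a short reason string."""
    u = urlparse(href)
    # Assumption: closer.lua takes the file as a path suffix or as ?path=...
    target = parse_qs(u.query).get("path", [u.path])[0]
    name = target.rsplit("/", 1)[-1]
    if name != "KEYS" and not name.lower().endswith(VERIFY_SUFFIXES):
        return None  # a bundle or unrelated link: not verification material
    if u.hostname == CLOSER_HOST and u.path.startswith(CLOSER_PATH):
        return "via-closer"      # verification data must not be redirected
    if u.hostname not in TRUSTED_HOSTS:
        return "untrusted-host"  # also catches relative links (no host)
    if u.scheme != "https":
        return "not-https"       # could be altered on the way to the user
    return None


def check_download_page(html):
    """Return [(href, reason)] for every link that breaks the rule."""
    parser = _Hrefs()
    parser.feed(html)
    return [(h, r) for h in parser.hrefs if (r := classify(h))]


# Constructed sample page; project name and file names are placeholders.
SAMPLE = """
<a href="https://www.apache.org/dyn/closer.lua/example/example-1.0.0-src.tar.gz?action=download">source</a>
<a href="https://downloads.apache.org/example/example-1.0.0-src.tar.gz.asc">asc</a>
<a href="https://www.apache.org/dyn/closer.lua/example/example-1.0.0-src.tar.gz.sha512">sha512</a>
<a href="http://downloads.apache.org/example/KEYS">KEYS</a>
<a href="https://mirror.example.org/example/example-1.0.0-src.tar.gz.asc">asc</a>
"""
```

Running `check_download_page(SAMPLE)` leaves the closer.lua source link and the direct `.asc` link alone and reports the other three links.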

