Re: Use GitHub Releases

2021-06-09 Thread Beckerle, Mike
I think it is fine to have github releases and convenience binaries served from 
there, with a couple constraints based on not undermining the important ASF 
policies that provide for verifiable software supply chain.

If the github releases and artifacts correspond to official Apache releases, 
then:

1) they have to be identical bit-for-bit to those provided from ASF and maven 
central.

2) both we and our users have to be able to readily verify that this is the 
case (same file names, same hashes, easy to find links to the official ASF 
locations that store the hashes, have the signer keys to verify against, etc.)

If these github-based "releases" are intermediate/snapshot kinds of things, 
then I think the only requirement is that it's clear that's what they are, 
(distinct file names, etc. ) so they're not able to be confused with any 
official release.

I think experimentation to see what works well for the debugger/IDE is very 
sensible.


From: John Wass 
Sent: Wednesday, June 9, 2021 2:35 PM
To: dev@daffodil.apache.org 
Subject: Re: Use GitHub Releases

> GitHub does automatically create "Releases" when we create a new tag.

The UI rolls them together, but they are two separate things in the API.
Daffodil has no releases according to the API.

https://api.github.com/repos/apache/daffodil/tags
https://api.github.com/repos/apache/daffodil/releases
https://docs.github.com/en/rest/reference/repos#list-releases


> Is there some API that's not available unless we manually create releases?

We can't attach assets to a tag, only a release.


> Are you looking to have convenience binaries also published to these
> release?

Yes, asset fetching along with version lookup was the point of the post, I
should have mentioned that ;)

Do all Daffodil artifacts need to be published, no, there is Maven Central
for the jars, but what about publishing the applications as assets, that
would be the CLI and in the future a debugger backend.


> What kinds of information are you looking to query from the releases?

At first the available releases and their assets, but there is additional
metadata in a release object that might be interesting at some point.


> That has some basic version and release date information. And as I
> mentioned before, it requires that projects keep it up to date.

The GitHub Release API does provide a nice single entrypoint for query and
fetch of assets (and metadata for future use).  Looking at these Apache
references, it doesn't appear to be as robust.




On Wed, Jun 9, 2021 at 12:54 PM Steve Lawrence  wrote:

> GitHub does automatically create "Releases" when we create a new tag.
>
>   https://github.com/apache/daffodil/releases
>
> Is there some API that's not available unless we manually create
> releases? Are you looking to have convenience binaries also published to
> these release?
>
> What kinds of information are you looking to query from the releases?
>
> I know some projects (including Daffodil) keep an updated "Description
> Of A Project" (doap) file, which is parsed by Apache to fill out project
> information that can be queried here:
>
>   https://projects.apache.org/project.html
>
> This is our doap file:
>
>   https://daffodil.apache.org/doap.rdf
>
> And this is the project page that is generated from that file:
>
>   https://projects.apache.org/project.html?daffodil
>
> That has some basic version and release date information. And as I
> mentioned before, it requires that projects keep it up to date. I'm not
> sure how many do if you're interested about other projects.
>
>
> On 6/9/21 12:36 PM, John Wass wrote:
> >> the simplest is to ask
> >
> > Well the simplest for __me__ is to ask, this will add some overhead to
> > the release process for someone.  It looks like some Apache projects do
> > GitHub releases, most don't.
> >
> > Also looking for an Apache API to query releases and their artifacts.
> >
> >
> > On Wed, Jun 9, 2021 at 12:13 PM John Wass  wrote:
> >
> >> We have been using the GitHub API to collect (representative) releases
> >> of Daffodil during some prototype work.  However when looking at the main
> >> Daffodil repo I see there are no releases published there.
> >>
> >> There are probably some other ways to work around this, but the simplest
> >> is to ask if publishing releases to GitHub is something that can be done
> >> going forward?
> >>
> >>
> >
>
>
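
An added example, not part of the original thread or of any Apache tooling: one way to check the two conditions in Mike Beckerle's message above, that a mirrored asset carries the same file name and the same SHA-512 as the official artifact. The function names, the sample data and the three checksum-file layouts handled are assumptions; signature verification against the signer keys is not covered.

```python
import hashlib
import hmac
import re

def parse_sha512_file(text, expected_name):
    """Return the lowercase hex digest for expected_name, or None if unusable."""
    text = text.strip()
    if ":" in text:                      # 'name: AB12 CD34 ...' (gpg --print-md), may wrap
        name, _, rest = text.partition(":")
        if name.strip() != expected_name:
            return None
        digest = re.sub(r"\s+", "", rest)
    else:                                # bare digest, or 'digest  name' (sha512sum)
        parts = text.split()
        if not parts:
            return None
        digest = parts[0]
        # sha512sum prefixes the name with '*' in binary mode
        if len(parts) > 1 and parts[1].lstrip("*") != expected_name:
            return None
    digest = digest.lower()
    return digest if re.fullmatch(r"[0-9a-f]{128}", digest) else None

def verify_mirror_asset(asset_name, asset_bytes, official_name, sha512_text):
    """Compare a mirrored asset with the official name and checksum file."""
    if asset_name != official_name:
        return False, "file name differs from official artifact"
    official = parse_sha512_file(sha512_text, official_name)
    if official is None:
        return False, "official checksum file unusable or names another file"
    actual = hashlib.sha512(asset_bytes).hexdigest()
    if not hmac.compare_digest(actual, official):
        return False, "sha512 mismatch: not bit-for-bit identical"
    return True, "ok"

# Constructed sample data (not a real Daffodil artifact or checksum).
SAMPLE_NAME = "example-project-1.0.0-bin.tgz"
SAMPLE_BYTES = b"constructed release payload\n"
SAMPLE_HEX = hashlib.sha512(SAMPLE_BYTES).hexdigest()
SAMPLE_SHA512_PLAIN = f"{SAMPLE_HEX}  {SAMPLE_NAME}\n"
GROUPS = [SAMPLE_HEX[i:i + 4].upper() for i in range(0, 128, 4)]
SAMPLE_SHA512_GPG = (
    f"{SAMPLE_NAME}: " + " ".join(GROUPS[:16]) + "\n  " + " ".join(GROUPS[16:]) + "\n"
)

if __name__ == "__main__":
    print(verify_mirror_asset(SAMPLE_NAME, SAMPLE_BYTES, SAMPLE_NAME, SAMPLE_SHA512_GPG))
```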


VSCode License - we're good

2021-06-09 Thread Beckerle, Mike
So I think our debugger work won't involve direct linking to VSCode, but anyway 
I checked on the licenses.

The source code license for VSCode is the MIT License, which is Category A.  So 
if we found we need to, for example, embed a captive custom version of VSCode, 
we could embed this source. I don't foresee any need for that, but it's nice to 
know it's possible.

The binary license for VSCode is the standard Microsoft Software License, which 
makes it off limits for inclusion. It is not an open-source license.  But...

But, given that VSCode is OSS, there is https://vscodium.com/ which is the pure 
OSS version of VSCode under the MIT License. This also doesn't have the 
Microsoft-specific telemetry and branding that the regular VSCode binary has.

So we're fine with building things for VSCode/Codium as we have ample freedoms 
here.


Mike Beckerle | Principal Engineer

mbecke...@owlcyberdefense.com

P +1-781-330-0412



Re: Use GitHub Releases

2021-06-09 Thread John Wass
> GitHub does automatically create "Releases" when we create a new tag.

The UI rolls them together, but they are two separate things in the API.
Daffodil has no releases according to the API.

https://api.github.com/repos/apache/daffodil/tags
https://api.github.com/repos/apache/daffodil/releases
https://docs.github.com/en/rest/reference/repos#list-releases


> Is there some API that's not available unless we manually create releases?

We can't attach assets to a tag, only a release.


> Are you looking to have convenience binaries also published to these
> release?

Yes, asset fetching along with version lookup was the point of the post, I
should have mentioned that ;)

Do all Daffodil artifacts need to be published, no, there is Maven Central
for the jars, but what about publishing the applications as assets, that
would be the CLI and in the future a debugger backend.


> What kinds of information are you looking to query from the releases?

At first the available releases and their assets, but there is additional
metadata in a release object that might be interesting at some point.


> That has some basic version and release date information. And as I
> mentioned before, it requires that projects keep it up to date.

The GitHub Release API does provide a nice single entrypoint for query and
fetch of assets (and metadata for future use).  Looking at these Apache
references, it doesn't appear to be as robust.




On Wed, Jun 9, 2021 at 12:54 PM Steve Lawrence  wrote:

> GitHub does automatically create "Releases" when we create a new tag.
>
>   https://github.com/apache/daffodil/releases
>
> Is there some API that's not available unless we manually create
> releases? Are you looking to have convenience binaries also published to
> these release?
>
> What kinds of information are you looking to query from the releases?
>
> I know some projects (including Daffodil) keep an updated "Description
> Of A Project" (doap) file, which is parsed by Apache to fill out project
> information that can be queried here:
>
>   https://projects.apache.org/project.html
>
> This is our doap file:
>
>   https://daffodil.apache.org/doap.rdf
>
> And this is the project page that is generated from that file:
>
>   https://projects.apache.org/project.html?daffodil
>
> That has some basic version and release date information. And as I
> mentioned before, it requires that projects keep it up to date. I'm not
> sure how many do if you're interested about other projects.
>
>
> On 6/9/21 12:36 PM, John Wass wrote:
> >> the simplest is to ask
> >
> > Well the simplest for __me__ is to ask, this will add some overhead to
> > the release process for someone.  It looks like some Apache projects do
> > GitHub releases, most don't.
> >
> > Also looking for an Apache API to query releases and their artifacts.
> >
> >
> > On Wed, Jun 9, 2021 at 12:13 PM John Wass  wrote:
> >
> >> We have been using the GitHub API to collect (representative) releases
> >> of Daffodil during some prototype work.  However when looking at the main
> >> Daffodil repo I see there are no releases published there.
> >>
> >> There are probably some other ways to work around this, but the simplest
> >> is to ask if publishing releases to GitHub is something that can be done
> >> going forward?
> >>
> >>
> >
>
>


Re: Use GitHub Releases

2021-06-09 Thread Steve Lawrence
GitHub does automatically create "Releases" when we create a new tag.

  https://github.com/apache/daffodil/releases

Is there some API that's not available unless we manually create
releases? Are you looking to have convenience binaries also published to
these release?

What kinds of information are you looking to query from the releases?

I know some projects (including Daffodil) keep an updated "Description
Of A Project" (doap) file, which is parsed by Apache to fill out project
information that can be queried here:

  https://projects.apache.org/project.html

This is our doap file:

  https://daffodil.apache.org/doap.rdf

And this is the project page that is generated from that file:

  https://projects.apache.org/project.html?daffodil

That has some basic version and release date information. And as I
mentioned before, it requires that projects keep it up to date. I'm not
sure how many do if you're interested about other projects.


On 6/9/21 12:36 PM, John Wass wrote:
>> the simplest is to ask
> 
> Well the simplest for __me__ is to ask, this will add some overhead to the
> release process for someone.  It looks like some Apache projects do GitHub
> releases, most don't.
> 
> Also looking for an Apache API to query releases and their artifacts.
> 
> 
> On Wed, Jun 9, 2021 at 12:13 PM John Wass  wrote:
> 
>> We have been using the GitHub API to collect (representative) releases of
>> Daffodil during some prototype work.  However when looking at the main
>> Daffodil repo I see there are no releases published there.
>>
>> There are probably some other ways to work around this, but the simplest
>> is to ask if publishing releases to GitHub is something that can be done
>> going forward?
>>
>>
> 



Re: Use GitHub Releases

2021-06-09 Thread John Wass
> the simplest is to ask

Well the simplest for __me__ is to ask, this will add some overhead to the
release process for someone.  It looks like some Apache projects do GitHub
releases, most don't.

Also looking for an Apache API to query releases and their artifacts.


On Wed, Jun 9, 2021 at 12:13 PM John Wass  wrote:

> We have been using the GitHub API to collect (representative) releases of
> Daffodil during some prototype work.  However when looking at the main
> Daffodil repo I see there are no releases published there.
>
> There are probably some other ways to work around this, but the simplest
> is to ask if publishing releases to GitHub is something that can be done
> going forward?
>
>


Use GitHub Releases

2021-06-09 Thread John Wass
We have been using the GitHub API to collect (representative) releases of
Daffodil during some prototype work.  However when looking at the main
Daffodil repo I see there are no releases published there.

There are probably some other ways to work around this, but the simplest is
to ask if publishing releases to GitHub is something that can be done going
forward?