Title: Release Distribution Policy
This policy governs how Apache software releases are distributed through the technical channels that Infra maintains and other distribution platforms. It complements the formal Apache Release Policy, which defines what must be in a software release, and the Release Creation Process page, which describes the steps for a PMC to create a release.
downloads.apache.org/
. This directory is automatically sync’d out to the ASF mirror network, and most users download releases from one of the ASF mirrors.archive.apache.org
.Every top-level project at Apache has its own public distribution directory, which is a subdirectory of downloads.apache.org/
. Each PMC is responsible for all artifacts within their project's distribution directory.
Apache Incubator podlings cannot create official ASF releases; see the Incubator documentation for details and discussion.
The Apache Release Policy governs the content of official Apache releases and the process by which projects create valid releases.
The Policy specifies that binary packages provided by the project or third parties which meet certain criteria may be distributed alongside official source packages. Such packages are sometimes referred to as “convenience binaries” or PMC-approved artifacts to distinguish them from other binary packages.
Projects must upload all official releases to the official distribution channel, downloads.apache.org/
. Content suitable for the official distribution channel includes:
If an Apache PMC wishes to publish additional materials through the official distribution channel and there is any question about the suitability of said materials, the PMC must consult with the ASF Board before publishing.
Unreleased materials, in original or derived form,
www.apache.org/dist
or downloads.apache.org
Projects must coordinate with Infra in advance about releases of larger than 1GB of artifacts to mitigate strain on mirroring and download resources.
For more information, see the release signing page.
Note: RFC 2119 describes how must, should, should not and similar terms are to be interpreted.
For every artifact distributed to the public through Apache channels, the PMC
For new releases, PMCs must supply SHA-256 and/or SHA-512 and should not supply MD5 or SHA-1. Existing releases do not need to be changed.
The names of individual signature and checksum files must be formed by adding to the name of the artifact the appropriate suffix:
.asc
for a (ASCII-armored) PGP signature.sha256
for an SHA-256 checksum.sha512
for an SHA-512 checksumNoted for completeness that this specification also applies to deprecated file types:
.md5
for an MD5 checksum.sha1
for an SHA-1 checksumRegarding signature and checksum files:
.sha
should not be be used and .sha
files should not be provided..sig
files must not be provided..mds
files (containing multiple checksums) may be provided for individual files as long as the included checksums comply with the above requirements.Regarding KEYS files:
downloads.apache.org/
using https://
(TLS).archive.apache.org
. This generally happens via an automated process which adds releases to the archive about a day after they first appear on downloads.apache.org/
.Infra operates an Apache Maven repository manager at repository.apache.org
. Projects may use the repository system as a downstream channel to redistribute released materials via Maven Central, and may use it to distribute snapshots containing unreleased materials directly to consenting members of a project development community.
Projects must not point or refer to repository.apache.org
directly in download pages, release announcements or emails. Instead, any public download links for those releases should point to Maven Central.
Read more about Maven releases for Apache projects.
The ASF manages a number of distribution platforms that projects are welcome to use. Projects can distribute PMC-approved artifacts on ASF managed distribution platforms and other distribution platforms as long as those binaries comply with ASF release, licensing, branding and trademark policies. Currently ASF managed platforms include github and docker.
This policy is required for all Apache projects. The V.P. of Apache Infrastructure must approve changes to this policy.