For the platforms npm, PyPI, crates.io, and NuGet, the situation is somewhat different: We deliver libraries instead binaries.
Users should run `npm install xxx`, `pip install xxx`, or `cargo add xxx` to include our library in their dependency list. Users should write code in their own libraries or applications using statements such as `use xxx` or `import xxx`. Adding the prefixes `apache-` or `asf-` could significantly increase the workload for the entire community. In severe cases, users may halt library updates to prevent having to replace `xxx` throughout their code. The good news is that all of these platforms offer comprehensive metadata, such as README files, Homepage, repositories, and signatures, which help determine whether the artifacts are ASF products. On Wed, Dec 27, 2023, at 19:31, tison wrote: > Hi, > > The Distribution Guidelines[1] in ASF Incubator website wrote: > > * Artifacts show up on https://www.npmjs.com/package/apache-<project>; > version page. > * Artifacts need to be placed in > https://pypi.org/project/apache-<project>;. To comply with ASF release > and distributions please ensure the following: > > Both require an "apache-" prefix, perhaps due to emphasize the Apache > branding. But it may introduce a longy artifact name that goes against > a conventional artifact name on that platform. > > I will start a discussion on these three topics: > > 1. A brief introduction for the frequent platforms ASF podlings and > TLPs release to. > 2. How do current podlings and TLPs do? > 3. From a branding perspective, how do we protect the Apache brand? > > ## Platforms > > 1.1 DockerHub - We have the apache org; some project like Pulsar > registers the apachepulsar org. > 1.2 Maven - We host the org.apache domain name and have a nexus > repository for releasing. > 1.3 GitHub - We have the apache org. > 1.4 NPM - We don't have an official account and this platform support > org scope[2]. > 1.5 Pypi - We don't have an official account and this platform uses a > flattened view for packages. > 1.6 Crates.io - We don't have an official account and this platform > uses a flattened view for packages. The Rust/Cargo community discusses > about the flavor [3]. > 1.7 NuGet - We don't have an official account and this platform > support org account[4]. > > ## Let's go into point 2 with these platforms in details. > > For 1.1~1.3, since the ASF has official place to hold distributions, > there is few issue. > > For 1.4, below are some examples: > > * https://www.npmjs.com/package/apache-arrow > * https://www.npmjs.com/package/apache-dubbo > * https://www.npmjs.com/package/echarts > * https://www.npmjs.com/package/openwhisk > * https://www.npmjs.com/package/@apachedubbo/dubbo > * https://www.npmjs.com/package/@apachedubbo/dubbo-node > * https://www.npmjs.com/package/thrift > * https://www.npmjs.com/package/opendal > * https://www.npmjs.com/package/skywalking-client-js > * https://www.npmjs.com/package/skywalking-backend-js > > Notably, these packages with "apache-" prefix and seems related are > unofficial: > > * https://www.npmjs.com/package/apache-spark-node > * https://www.npmjs.com/package/apache-log2 > > For 1.5, below are some examples: > > * https://pypi.org/project/apache-flink/ > * https://pypi.org/project/apache-airflow-providers-apache-flink/ > * https://pypi.org/project/apache-beam/ > * https://pypi.org/project/apache-libcloud/ > * https://pypi.org/project/apache-skywalking/ > * https://pypi.org/project/apache-tvm/ > * https://pypi.org/project/avro/ > * https://pypi.org/project/datafusion/ > * https://pypi.org/project/pyarrow/ > * https://pypi.org/project/pyspark/ > > Notably, these packages with "apache-" prefix and seems related are > unofficial: > > * https://pypi.org/project/apache-analyser/ > * https://pypi.org/project/apache-manager/ > * https://pypi.org/project/apache-server/ > > For 1.6, below are some examples: > > * https://crates.io/crates/apache-avro > * https://crates.io/crates/arrow > * https://crates.io/crates/parquet > * https://crates.io/crates/skywalking > * https://crates.io/crates/opendal > > Notably, these packages with "apache-" prefix and seems related are > unofficial: > > * https://crates.io/crates/apache-rs > * https://crates.io/crates/apache_age > * https://crates.io/crates/apache-nimble-sys > > For 1.7, below are some examples: > > * https://www.nuget.org/packages/ApacheThrift > * https://www.nuget.org/packages/Apache.Avro > * https://www.nuget.org/packages/Apache.NMS > * https://www.nuget.org/packages/Apache.Arrow > * https://www.nuget.org/packages/Apache.Ignite > * https://www.nuget.org/packages/Lucene.Net > * https://www.nuget.org/packages/DotPulsar/ > > Notably, these packages with "Apache" prefix and seems related are unofficial: > > * https://www.nuget.org/packages/Apache.Thrift > > ## Now, for point 3, > > For 1.1~1.3, it's well-known and even can be verified with the > platform that only ASF project member with permission can upload > artifacts. > > For 1.4 and 1.7, if we have an official account and make it > well-known, perhaps we can get the result as 1.1~1.3. > > For 1.5 and 1.6, the platforms are against categorizing packages with > org, while for 1.6 (Crates.io), it supports add a GitHub team as a > crate owner that can be "@apache/foo-committers". > > For 1.4~1.7, there are projects with "apache" prefix but not endorsed > by an ASF project (P)PMC, the platform doesn't provide method to > forbit them. And multiple projects were published without Apache in > artifact name but have Apache brand in the metadata and README. > > Take a project Foo released to pypi as an example. Before donated to > the ASF, by no reason it would include "apache" in name or even it's a > brand occupancy issue itself. > > Now, the SGA is signed, so legally the name Foo is donated to the ASF. > As time goes on, the truth that Foo is an ASF project spread. > > Back to the technical part, if the PMC now tells its user that the > widely used name must be renamed to apache-foo, it's an extra burden > to suffer. Given that the foo brand is transferred to the ASF with > SGA, there is even no conflict to avoid. > > ## Proposal > > So, I propose to change the sentences referred above in Distribution > Guidelines[1] from a requirement tongue into a recommendation tongue. > Specificly, > > * Artifacts show up on https://www.npmjs.com/package/apache-<project>; > version page. > * Artifacts need to be placed in > https://pypi.org/project/apache-<project>;. To comply with ASF release > and distributions please ensure the following: > > Other sentences remain the same. Modifying metadata and README is cheap. > > Of course, the fact that they are "guidelines" already shows their > recommendation property. But we run the Incubator and even the ASF by > consensus. So here is the discussion for sharing thoughts. > > For 1.4 (NPM) and 1.7 (NuGet), if we later have an official > scope/account with INFRA's help, we can encourage existing projects to > migrate and gradually advocate its formality - why Maven releases > don't have such friction for its audience? Because > <group>org.apache.foo</group> is well-known and a self-claimed ASF > project outside such group is doubtable. If we do care about the > organization category, we should provide the necessary INFRA support > first. > > For 1.5 (Pypi) and 1.6 (Crates.io), their culture is anti-organization > and from some extra metadata and the README, it's not hard to figure > out if the artifacts is an ASF product. > > Looking forward to your feedback. > > Best, > tison. > > [1] https://incubator.apache.org/guides/distribution.html > [2] https://docs.npmjs.com/creating-and-publishing-scoped-public-packages > [3] https://github.com/rust-lang/cargo/issues/975 > [4] > https://learn.microsoft.com/en-us/nuget/nuget-org/organizations-on-nuget-org > > --------------------------------------------------------------------- > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org -- Xuanwo --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
