Re: OpenSource.com and promoting Apache
Hi Rich:

I’d like to write an article on behalf of Apache River. Probably not this month, but sometime in the future.

Cheers,

Greg Trasuk

> On Sep 17, 2015, at 2:22 PM, Rich Bowen wrote:
>
> At the risk of repeating myself ...
>
> I recently posted this to the committers list:
>
> ===
>
> Several months ago I mentioned that OpenSource.com is looking for content for
> a monthly series on the ASF's projects. With 166 TLPs, it seems that we'd be
> able to produce content for at least ten years of articles.
>
> Please let me know if you're interested in running an article on your
> project, and I'll get you on the list. You can, if you like, write the
> article yourself, or, if you prefer, I'd be willing to do a feathercast-style
> interview with you (see http://feathercast.apache.org/ if you're not familiar
> with Feathercast) about your project, something exciting in your community,
> or some interesting use that your project has been put to.
>
> I wonder if I could get a few volunteers here to do interviews about:
>
> * What the heck is your project?
> * What's exciting in version whatever.next of your project?
> * What cool things is InterestingCompany doing with your project?
>
> I would be glad to do the editing/transcript/writeup of these topics and put
> together these articles. I figure if I pace myself at 1 a month, I can keep
> up.
>
> Anybody?
>
> --
> Rich Bowen - rbo...@rcbowen.com - @rbowen
> http://apachecon.com/ - @apachecon

Re: SHA512 by default for GPG sigs
Hi Christopher:

Thanks for your involvement. Apache Maven is one of many projects at the Apache Software Foundation. Each project has its own mailing lists. So your discussion should probably go to d...@maven.apache.org, which I’ve cc’d on this response. If you’re not subscribed to that list, you probably should do that as well - check the Apache Maven web site (http://maven.apache.org) for more info.

Thanks again,

Greg Trasuk

> On May 18, 2016, at 1:45 PM, Christopher wrote:
>
> Hi all,
>
> I'm not sure of a better list to get feedback on, but I wanted to bring
> attention to the proposal here:
> https://issues.apache.org/jira/browse/MPOM-118
>
> Essentially this is a suggestion to configure the maven-gpg-plugin to sign
> using SHA512 as its digest algorithm in the ASF Parent POM, used by many
> Maven/Java-based projects within ASF. This configuration takes effect
> during software releases when this plugin is activated (typically prior to
> a release candidate vote, and staging a release in Nexus for distribution
> to Maven Central).
>
> This would only affect the hash algorithm used to generate GPG signatures
> for releases, and not any separate SHA/MD hashes published separately by
> any project, which can be weaker (SHA1, MD5) for convenience, and don't
> convey the strong authenticity statement that digital signatures provide.
>
> For background, gpg uses SHA1 by default, unless the signing key or gpg
> configuration has a preference to use another algorithm (as described on
> https://www.apache.org/dev/openpgp).
>
> This proposed configuration change wouldn't force the use of SHA512 (it
> could still be overridden by a project), but it would make it the default,
> which helps improve the security of releases in the case where release
> managers have failed to keep their configuration up-to-date with the best
> recommendations for using gpg.
>
> Thoughts? +1s? Discuss here or on the JIRA please.
>
> Thank you.

Re: SHA512 by default for GPG sigs
Whoops. Sorry about that.

Greg

> On May 18, 2016, at 2:50 PM, Benson Margulies wrote:
>
> Greg, the proposal is for the _Default ASF POM_ to be set up so that
> _all_ projects would use SHA-512. This is not a question for the Maven
> PMC.
>
> On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk wrote:
>>
>> Hi Christopher:
>>
>> Thanks for your involvement. Apache Maven is one of many projects at the
>> Apache Software Foundation. Each project has its own mailing lists. So
>> your discussion should probably go to d...@maven.apache.org, which I’ve cc’d
>> on this response. If you’re not subscribed to that list, you probably
>> should do that as well - check the Apache Maven web site
>> (http://maven.apache.org) for more info.
>>
>> Thanks again,
>>
>> Greg Trasuk
>>
>>> On May 18, 2016, at 1:45 PM, Christopher wrote:
>>>
>>> Hi all,
>>>
>>> I'm not sure of a better list to get feedback on, but I wanted to bring
>>> attention to the proposal here:
>>> https://issues.apache.org/jira/browse/MPOM-118
>>>
>>> Essentially this is a suggestion to configure the maven-gpg-plugin to sign
>>> using SHA512 as its digest algorithm in the ASF Parent POM, used by many
>>> Maven/Java-based projects within ASF. This configuration takes effect
>>> during software releases when this plugin is activated (typically prior to
>>> a release candidate vote, and staging a release in Nexus for distribution
>>> to Maven Central).
>>>
>>> This would only affect the hash algorithm used to generate GPG signatures
>>> for releases, and not any separate SHA/MD hashes published separately by
>>> any project, which can be weaker (SHA1, MD5) for convenience, and don't
>>> convey the strong authenticity statement that digital signatures provide.
>>>
>>> For background, gpg uses SHA1 by default, unless the signing key or gpg
>>> configuration has a preference to use another algorithm (as described on
>>> https://www.apache.org/dev/openpgp).
>>>
>>> This proposed configuration change wouldn't force the use of SHA512 (it
>>> could still be overridden by a project), but it would make it the default,
>>> which helps improve the security of releases in the case where release
>>> managers have failed to keep their configuration up-to-date with the best
>>> recommendations for using gpg.
>>>
>>> Thoughts? +1s? Discuss here or on the JIRA please.
>>>
>>> Thank you.
>>
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> For additional commands, e-mail: dev-h...@maven.apache.org
>>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>

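To see which digest algorithm a release signature was actually made with (SHA1 from gpg's default, or SHA512 as proposed in the thread above), the hash algorithm ID can be read from the signature packet header. This is an added example, not part of the original messages or of any ASF tooling; the function names are hypothetical and the sample data is constructed, carrying packet headers only.

```python
import base64
# Hash algorithm IDs from RFC 4880, section 9.4.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def dearmor(text):
    """Decode an ASCII-armored block to raw packet bytes."""
    body, in_body = [], False
    for line in text.strip().splitlines()[1:-1]:   # drop BEGIN/END lines
        line = line.strip()
        if not in_body:
            in_body = line == ""       # a blank line ends the armor headers
        elif line.startswith("="):     # CRC-24 checksum line, not data
            break
        else:
            body.append(line)
    return base64.b64decode("".join(body))

def signature_digest(sig):
    """Name the digest recorded in the first packet of a detached signature."""
    data = dearmor(sig) if isinstance(sig, str) else bytes(sig)
    try:
        if not data[0] & 0x80:
            raise ValueError("not an OpenPGP packet")
        if data[0] & 0x40:                          # new-format header
            tag = data[0] & 0x3F
            if data[1] == 255:
                skip = 6
            elif data[1] >= 224:
                raise ValueError("partial body length is not supported")
            else:
                skip = 2 if data[1] < 192 else 3
        else:                                       # old-format header
            tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            skip = 1 + (1, 2, 4)[ltype]
        if tag != 2:
            raise ValueError("first packet is not a signature")
        body = data[skip:]
        # Hash algo octet: index 3 in a v4 packet, index 16 in a v3 packet.
        algo = body[{4: 3, 3: 16}[body[0]]]
    except (IndexError, KeyError):
        raise ValueError("truncated or unsupported signature packet")
    return HASH_ALGOS.get(algo, "unknown(%d)" % algo)

# Constructed samples: packet headers only, not verifiable signatures.
SHA512_V4 = bytes.fromhex("8806" "0400010a0000")
ARMORED = "-----BEGIN PGP SIGNATURE-----\n\niAYEAAEKAAA=\n-----END PGP SIGNATURE-----\n"
```

Passing the contents of a release's `.asc` file as a string, or the binary `.sig` as bytes, returns the digest name, which a release checker can compare against the project's policy.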
Unsubscribe instructions - was: Re: Hipchat Room for Apache Women?
Hi James:

I’m not an administrator on this list, so I can’t do it directly for you, but…

You should be able to unsubscribe yourself from this list by sending an email to dev-unsubscr...@community.apache.com

Sorry for the inconvenience.

Cheers,

Greg Trasuk

> On Jun 13, 2016, at 9:52 AM, james pruett wrote:
>
> please remove me from these emails.
> I have been receiving them for years and you have no unsubscribe button in
> the email.
>
> On Mon, Jun 13, 2016 at 6:45 AM, Sharan Foga wrote:
>
>> Hi Everyone
>>
>> I discovered Hipchat last week (well I knew Infra were using it!) but
>> found it to be quite a nice informal online environment.
>>
>> I was wondering whether this could be a good way to bring together our
>> existing community of women so that they can get to know each other and
>> generally just hangout. The rooms can be public or private, plus there is
>> one to one chat.
>>
>> What do people think?
>>
>> Thanks
>> Sharan
>>

The Apache Brand [was: Re: Joining the Apache Foundation]
> On Jan 19, 2017, at 9:50 AM, Bertrand Delacretaz wrote:
>
> Hi,
>
> On Thu, Jan 19, 2017 at 2:33 PM, wrote:
>> ...There is actually a drawback from joining the community: all code
>> becomes licensed to the Apache Foundation under the Apache License...
>
> This is actually a huge benefit for some types of projects and users,
> especially when it's about projects which are strategic to one's
> business.
>
> Our projects and their names belong to the Foundation, which is
> neutral and doesn't belong to any company, government or other
> organization.
>
> The risk with projects which belong to individuals or companies is
> that those can change their minds, disappear or sometimes become crazy
> or evil. And you're then in dire straits with such a project - there
> are many "interesting" examples of such failures.
>
> The neutrality of the ASF is a guarantee that our projects will be
> available forever (*) under the same permissive terms. We also have a
> clear mechanism at http://attic.apache.org/ for retiring projects
> while allowing anyone to fork them as needed.
>

When you think of an Apache project, you associate a few attributes with that project - this is what marketing folks would call “the brand promise”.

- The project is serious. It’s not just one guy in Mom and Dad’s basement.
- The project has a license that I can use in business. I don’t need to worry about being forced to publish my source code if I don’t want to. I know that the license can’t be revoked arbitrarily, and it isn’t contingent on renewing a support contract.
- The project isn’t driven by a single company who might abandon it or go bankrupt. It’s driven by a community that is independent and diverse, so I know that some other company’s failure won’t leave me hanging or searching for a new system. That means I can integrate the product into my business with minimal risk.
- The “open-source” version of the project is complete and useful - it isn’t just a teaser for the commercial version (of course there might be product support that I can pay for if I need it).
- Training and support can be provided by more than one company, so I have choices in where I buy those follow-on products.
- The development is open and public - I can see and participate in the decision-making around features and architecture.
- Development is driven by a diverse project community, not just one company’s marketing plan. So again, we have diversity and the project has a life beyond a single company or person.
- The project is probably decent quality and it has a formal release process.
- The software is “owned” by a trusted and neutral charitable entity, the Apache Software Foundation.
- The Apache Software Foundation will support my right to continue using and developing the software under the Apache license.

This brand promise makes it much, much more likely that serious users will adopt the project’s software, and that the project has a continued life, independent of any one developer or company.

In return for the right to put “Apache” in front of your project name, your project community essentially agrees to support the Apache brand promise, by contributing your code under the Apache license, adopting Apache’s procedures and philosophy, and by protecting the trademarks that your project establishes.

Cheers,

Greg Trasuk

> -Bertrand
>
> (*) the current thinking is "at least for the next 50 years" which
> should be sufficient ;-)
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
>

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org