Release Distribution Policy

This policy governs how Apache software releases are distributed through the technical channels maintained by Apache Infrastructure. It complements the formal Apache Release Policy, which defines what must be in a software release, and the Release Process, which describes the steps a PMC member follows to create releases.


Release Distribution Channels

The Apache Software Foundation's official channel for distribution of current Apache software releases to the general public is www.apache.org/dist. This directory is automatically synced out to the ASF mirror network, and most users actually download releases from one of the ASF mirrors.

The public may also obtain Apache software from any number of downstream channels which redistribute our releases in either original or derived form (rpm, deb, homebrew, etc.). The vast majority of such downstream channels operate independently of Apache.

Apache Infrastructure maintains a number of developer-only channels which facilitate distribution of unreleased software to consenting members of a development community.

Finally, all historic Apache releases may be obtained from archive.apache.org.

Release Distribution Directory

Every top-level project at Apache has its own public distribution directory, which is a subdirectory of www.apache.org/dist. The PMC is responsible for all artifacts within their distribution directory.

Apache Incubator podlings are not official ASF releases; see the Incubator documentation for the differences.

Release Content

The content of official Apache releases and the process by which valid releases are created is governed by Apache Release Policy.

Release Policy specifies that binary packages provided by third parties which meet certain criteria may be distributed alongside official source packages. Such packages are sometimes referred to as "convenience binaries" to distinguish them from other binary packages.

Public Distribution

All official releases MUST be uploaded to the official distribution channel, www.apache.org/dist.

Content suitable for the official distribution channel includes:

If an Apache PMC wishes to publish additional materials through the official distribution channel and there is any question about the suitability of said materials, the PMC MUST consult with the Board.

Distribution of Unreleased Materials

Unreleased materials, in original or derived form...

Notify Infra Before Uploading Large (>1GB) Artifacts

Releases of more than 1GB of artifacts MUST be coordinated with Infrastructure in advance, in order to mitigate strain on mirroring and download resources.

Cryptographic Signatures and Checksums Requirements

RFC 2119 describes how MUST, SHOULD, SHOULD NOT, etc. are to be interpreted.

For every artifact distributed to the public through Apache channels, the PMC

For new releases, PMCs MUST supply SHA-256 and/or SHA-512, and SHOULD NOT supply MD5 or SHA-1. Existing releases do not need to be changed.

The names of signature and checksum files MUST be formed by appending the following suffixes to the name of the artifact:

Regarding signature and checksum files:

Projects MUST publish a KEYS file in their distribution directory which contains all public keys used to sign artifacts.

Signing keys used at Apache MUST be published in the KEYS file and SHOULD be made available through the global public keyserver network. Signing keys SHOULD be linked into a strong web of trust.

Signing keys for new artifacts MUST be RSA and at least 2048 bit. New keys SHOULD be 4096 bit RSA. Signatures SHOULD be cryptographically strong.

Private keys MUST NOT be stored on any ASF machine. Likewise, signatures for releases MUST NOT be created on ASF machines.

Compromised signing keys MUST be revoked and replaced immediately.
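The following is an added example, not ASF tooling, of how a release manager might check a distribution directory listing and a downloaded artifact against the requirements above. It assumes the conventional suffixes ".asc" for detached signatures, ".sha256"/".sha512" for strong checksums and ".md5"/".sha1" for legacy ones (the suffix list on this page is truncated), and it accepts checksum files in either the sha512sum layout "<hex>  <name>" or the "<name>: XXXX XXXX ..." layout. Signature verification itself still requires gpg and the project's KEYS file and is not shown here.

```python
"""Audit a release distribution directory against the signature/checksum rules.

Added example, not ASF tooling.  Assumptions (the suffix list on this page is
truncated): detached signatures end in ".asc", strong checksums in ".sha256"
or ".sha512", legacy checksums in ".md5" or ".sha1"; checksum files use either
the sha512sum layout "<hex>  <name>" or the "<name>: XXXX XXXX ..." layout.
"""
import hashlib
import hmac
import os
import re
import tempfile

SIG_SUFFIX = ".asc"                       # assumed
STRONG_SUFFIXES = (".sha256", ".sha512")  # assumed
WEAK_SUFFIXES = (".md5", ".sha1")         # assumed
META_SUFFIXES = STRONG_SUFFIXES + WEAK_SUFFIXES + (SIG_SUFFIX,)


def audit_listing(names):
    """Return policy findings for a list of file names in a distribution directory.

    Anything that is not KEYS and does not carry a metadata suffix is an artifact.
    """
    names = set(names)
    findings = []
    if "KEYS" not in names:
        findings.append("MUST: KEYS file is missing")
    artifacts = sorted(n for n in names if n != "KEYS" and not n.endswith(META_SUFFIXES))
    for art in artifacts:
        if art + SIG_SUFFIX not in names:
            findings.append(f"MUST: {art} has no detached signature")
        if not any(art + s in names for s in STRONG_SUFFIXES):
            findings.append(f"MUST: {art} has no SHA-256 or SHA-512 checksum")
        for s in WEAK_SUFFIXES:
            if art + s in names:
                findings.append(f"SHOULD NOT: {art} ships a {s} checksum")
    return findings


def parse_checksum_file(text):
    """Extract a lower-case SHA-256 (64 hex) or SHA-512 (128 hex) digest."""
    if ":" in text:                        # "<name>: XXXX XXXX ..." layout
        body = text.split(":", 1)[1]
    else:                                  # "<hex>  <name>" layout
        body = text.split()[0] if text.split() else ""
    digest = re.sub(r"\s+", "", body).lower()
    if not re.fullmatch(r"[0-9a-f]{64}|[0-9a-f]{128}", digest):
        raise ValueError("no SHA-256/SHA-512 digest found (MD5/SHA-1 files are rejected)")
    return digest


def verify_checksum(artifact_path, checksum_path):
    """True if the artifact's digest matches the one recorded in the checksum file."""
    with open(checksum_path, encoding="utf-8") as f:
        expected = parse_checksum_file(f.read())
    h = hashlib.sha256() if len(expected) == 64 else hashlib.sha512()
    with open(artifact_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


def demo():
    """Constructed artifact plus one correct and one tampered checksum file."""
    with tempfile.TemporaryDirectory() as d:
        art = os.path.join(d, "example-1.0-src.tar.gz")
        data = b"constructed artifact bytes, not a real release\n"
        with open(art, "wb") as f:
            f.write(data)
        good = art + ".sha512"
        with open(good, "w", encoding="utf-8") as f:
            f.write(f"{hashlib.sha512(data).hexdigest()}  example-1.0-src.tar.gz\n")
        bad = os.path.join(d, "tampered.sha512")
        with open(bad, "w", encoding="utf-8") as f:
            f.write(f"{hashlib.sha512(data + b'x').hexdigest()}  example-1.0-src.tar.gz\n")
        return {"good": verify_checksum(art, good), "tampered": verify_checksum(art, bad)}


if __name__ == "__main__":
    print(demo())
    print(audit_listing(["KEYS", "foo-1.0.tar.gz", "foo-1.0.tar.gz.asc",
                         "foo-1.0.tar.gz.sha512", "foo-1.0.tar.gz.md5", "bar-1.0.zip"]))
```

The listing audit reports findings with the RFC 2119 level they correspond to, so a PMC can separate MUST violations (missing KEYS, signature or strong checksum) from SHOULD NOT items such as an MD5 file left beside a new release; the checksum parser deliberately refuses anything shorter than a SHA-256 digest.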

The website documentation for any Apache product MUST provide public download links where current official source releases and accompanying cryptographic files may be obtained.

All links to mirrored distribution artifacts MUST NOT reference the main Apache web site. They SHOULD use the standard mechanisms to distribute the load between the mirrors. There are technical FAQs about how mirrors work.

All links to checksums, detached signatures and public keys MUST reference www.apache.org/dist/ using https:// (TLS).

Old releases SHOULD be archived and MAY be linked from public download pages.
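As an added example (not ASF tooling), the link rules in the three paragraphs above can be checked mechanically over a project's download page. The code assumes the ".asc", ".sha256" and ".sha512" suffixes for checksum and signature files, and treats a link under www.apache.org/dyn/closer as the standard mirror-selection mechanism; both are assumptions, as is the constructed sample page with the placeholder project name "example".

```python
"""Check download-page links against the mirror and checksum-link rules above.

Added example, not ASF tooling.  Assumptions: checksum/signature files end in
".asc", ".sha256" or ".sha512" (this page's suffix list is truncated), and the
"standard mechanism" for mirror selection is a link under www.apache.org/dyn/closer.
"""
import re
from urllib.parse import urlparse

MAIN_HOST = "www.apache.org"
META_SUFFIXES = (".asc", ".sha256", ".sha512")   # assumed
CLOSER_PREFIX = "/dyn/closer"                     # assumed mirror-selection path


def is_metadata_link(path):
    """Checksums, detached signatures and the KEYS file are 'metadata' links."""
    return path.endswith(META_SUFFIXES) or path.rsplit("/", 1)[-1] == "KEYS"


def check_link(url):
    """Return a list of findings for one href; an empty list means compliant."""
    u = urlparse(url)
    findings = []
    if is_metadata_link(u.path):
        # Checksums, signatures and KEYS MUST come from www.apache.org/dist/ over TLS.
        if u.scheme != "https":
            findings.append("MUST: checksum/signature/KEYS link does not use https")
        if u.netloc != MAIN_HOST or not u.path.startswith("/dist/"):
            findings.append("MUST: checksum/signature/KEYS link does not reference www.apache.org/dist/")
    elif u.netloc == MAIN_HOST and not u.path.startswith(CLOSER_PREFIX):
        # Artifacts MUST NOT be served from the main site; the closer script is the exception.
        findings.append("MUST NOT: artifact link points at the main Apache web site, not the mirrors")
    return findings


def check_page(html):
    """Map each non-compliant href on a download page to its findings."""
    report = {}
    for href in re.findall(r'href="([^"]+)"', html):
        findings = check_link(href)
        if findings:
            report[href] = findings
    return report


# Constructed download page; the project name "example" is a placeholder.
SAMPLE_PAGE = """
<a href="https://www.apache.org/dyn/closer.lua/example/example-1.0-src.tar.gz">source</a>
<a href="https://www.apache.org/dist/example/example-1.0-src.tar.gz">source (bad)</a>
<a href="https://www.apache.org/dist/example/example-1.0-src.tar.gz.asc">signature</a>
<a href="http://www.apache.org/dist/example/example-1.0-src.tar.gz.sha512">checksum (bad)</a>
<a href="https://www.apache.org/dist/example/KEYS">KEYS</a>
<a href="https://mirror.example.net/example/KEYS">KEYS (bad)</a>
"""

if __name__ == "__main__":
    for href, findings in check_page(SAMPLE_PAGE).items():
        print(href, findings)
```

The split between artifact links and metadata links is the point of the check: the large artifact is allowed (indeed required) to come from a mirror, while the small checksum, signature and KEYS files must come from www.apache.org/dist/ over TLS so that a compromised or stale mirror cannot also supply the material used to verify it.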

Releases Must Be Archived

All releases MUST be archived on archive.apache.org. This generally happens via an automated process which adds releases to the archive about a day after they first appear on www.apache.org/dist.

Each project's distribution directory SHOULD contain the latest release in each branch that is currently under development. When development ceases on a version branch, releases of that branch SHOULD be removed.

Using Maven For Releases

Infrastructure operates an Apache Maven repository manager at repository.apache.org. Projects MAY use the repository system as a downstream channel to redistribute released materials via Maven Central, and MAY use it to distribute SNAPSHOTs containing unreleased materials directly to consenting members of a project development community. Projects MUST NOT point or refer to repository.apache.org directly in download pages or release announcements or emails. Instead, any public download links for those releases SHOULD point to Maven Central.

Policy Administration

This policy is required for all Apache projects; changes to this Release Distribution Policy MUST be approved by the V.P. of Apache Infrastructure.

Release Distribution FAQ