
Release Distribution Policy

This policy governs how Apache software releases are distributed through the technical channels maintained by Apache Infrastructure. It complements the formal Apache Release Policy, which defines what must be in a software release, and the Release Process, which describes the steps a PMC member follows to create a release.


Release Distribution Channels

The Apache Software Foundation's official channel for distribution of current Apache software releases to the general public is www.apache.org/dist.
This directory is automatically synced out to the ASF mirror network, and most users download releases from one of the ASF mirrors rather than from www.apache.org itself.

The public may also obtain Apache software from any number of downstream channels which redistribute our releases in either original or derived form (rpm, deb, homebrew, etc.). The vast majority of such downstream channels operate independently of Apache.

Apache Infrastructure maintains a number of developer-only channels which facilitate distribution of unreleased software to consenting members of a development community.

Finally, all historic Apache releases may be obtained from archive.apache.org.

Release Distribution Directory

Every top-level project at Apache has its own public distribution directory, which is a subdirectory of www.apache.org/dist. The PMC is responsible for all artifacts within their distribution directory.

Apache Incubator podlings are not official ASF releases; see the Incubator documentation for the differences.

Release Content

The content of official Apache releases and the process by which valid releases are created is governed by Apache Release Policy.

Release Policy specifies that binary packages provided by third parties which meet certain criteria may be distributed alongside official source packages. Such packages are sometimes referred to as "convenience binaries" to distinguish them from other binary packages.

Public Distribution

All official releases MUST be uploaded to the official distribution channel, www.apache.org/dist.

Content suitable for the official distribution channel includes:

If an Apache PMC wishes to publish additional materials through the official distribution channel and there is any question about the suitability of said materials, the PMC MUST consult with the Board.

Distribution of Unreleased Materials

Unreleased materials, in original or derived form...

Notify Infra Before Uploading Large (>1GB) Artifacts

Releases of more than 1GB of artifacts MUST be coordinated with Infrastructure in advance, in order to mitigate strain on mirroring and download resources.

Cryptographic Signatures and Checksums Requirements

Every artifact distributed to the public through Apache channels MUST be accompanied by one file containing an OpenPGP compatible ASCII armored detached signature and another file containing an MD5 checksum. The names of these files MUST be formed by adding to the name of the artifact the following suffixes:

An SHA checksum SHOULD also be created and MUST be suffixed .sha. The checksum SHOULD be generated using SHA512.

Projects MUST publish a "KEYS" file in their distribution directory which contains all public keys used to sign artifacts.

Signing keys used at Apache MUST be published in the KEYS file and SHOULD be made available through the global public keyserver network. Signing keys SHOULD be linked into a strong web of trust.

Keys used to sign new artifacts MUST be RSA and at least 2048 bit. Any new keys SHOULD be 4096 bit RSA.

Private keys MUST NOT be stored on any ASF machine. Likewise, signatures for releases MUST NOT be created on ASF machines.

Compromised signing keys MUST be revoked and replaced immediately.

The website documentation for any Apache product MUST provide public download links where current official source releases and accompanying cryptographic files may be obtained.

All links to mirrored distribution artifacts MUST NOT reference the main Apache web site. They SHOULD use the standard mechanisms to distribute the load between the mirrors. There are technical FAQs about how mirrors work.

All links to checksums, detached signatures and public keys MUST reference the main Apache web site and SHOULD use https:// (SSL).

Old releases SHOULD be archived and MAY be linked from public download pages.
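The checksum-file and download-link rules above can be checked mechanically. The following is an added example written for this page, not Apache tooling: it derives the sidecar file names the policy requires, verifies an MD5 or SHA-512 checksum file against an artifact's bytes, and applies the rule that artifact links must avoid www.apache.org/dist while checksum, signature and KEYS links must use https on the main site. The checksum-file layout (md5sum/sha512sum style, or a bare hex digest) and the treatment of /dyn/ mirror-selection URLs as "not the main site" are assumptions; OpenPGP signature verification needs gpg and is not covered here.

```python
"""Offline checks for the sidecar files and download links this policy requires."""
import hashlib
import re
from urllib.parse import urlparse

# Sidecar suffixes named by the policy: detached OpenPGP signature, MD5 checksum, SHA checksum.
SIDECAR_SUFFIXES = (".asc", ".md5", ".sha")
# Hex-digest lengths of the two checksum algorithms the policy mentions.
DIGEST_ALGOS = {32: "md5", 128: "sha512"}


def sidecar_names(artifact_name):
    """Names of the three files that must sit next to an artifact."""
    return [artifact_name + suffix for suffix in SIDECAR_SUFFIXES]


def make_checksum_text(artifact_bytes, algo, artifact_name):
    """Checksum-file content in md5sum/sha512sum style: '<hex>  <name>' (assumed layout)."""
    return f"{hashlib.new(algo, artifact_bytes).hexdigest()}  {artifact_name}\n"


def verify_checksum(artifact_bytes, checksum_text):
    """True if the first token of the checksum file is the MD5 or SHA-512 digest of the bytes.

    Accepts '<hex>  <name>', '<hex> *<name>' or a bare hex digest; any other layout is a
    malformed sidecar and is reported as a failure rather than raising.
    """
    tokens = checksum_text.split()
    if not tokens or not re.fullmatch(r"[0-9a-fA-F]+", tokens[0]):
        return False
    digest = tokens[0].lower()
    algo = DIGEST_ALGOS.get(len(digest))
    if algo is None:
        return False  # e.g. SHA-256 (64 hex): not one of the policy's algorithms
    return hashlib.new(algo, artifact_bytes).hexdigest() == digest


def link_follows_policy(url):
    """Apply the download-page link rules.

    Checksum, signature and KEYS links must point at the main site over https. Artifact
    links must not reference the main site; interpreted here (assumption) as: a mirror host
    or a /dyn/ mirror-selection URL is fine, a direct /dist/ path on www.apache.org is not.
    """
    parts = urlparse(url)
    on_main_site = parts.netloc == "www.apache.org"
    if url.endswith(SIDECAR_SUFFIXES) or parts.path.endswith("/KEYS"):
        return on_main_site and parts.scheme == "https"
    return not (on_main_site and parts.path.startswith("/dist/"))
```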

Releases Must Be Archived

All releases MUST be archived on archive.apache.org. This generally happens via an automated process which adds releases to the archive about a day after they first appear on www.apache.org/dist.

Each project's distribution directory SHOULD contain the latest release in each branch that is currently under development. When development ceases on a version branch, releases of that branch SHOULD be removed.

Using Maven For Releases

Infrastructure operates an Apache Maven repository manager at repository.apache.org. Projects MAY use the repository system as a downstream channel to redistribute released materials, and MAY use it to distribute SNAPSHOTs containing unreleased materials to consenting members of a project development community.

Policy Administration

This policy is required for all Apache projects; changes to this Release Distribution Policy MUST be approved by the V.P. of Apache Infrastructure.

Release Distribution FAQ