Celebrating 20 years of community-led development "The Apache Way"
This policy governs how Apache software releases are distributed through the technical channels maintained by Apache Infrastructure. It complements the formal Apache Release Policy, defining what must be in a software release, and the Release Process which describes the steps for a PMC member to create releases.
The Apache Software Foundation's official channel for distribution of current
Apache software releases to the general public is
This directory is automatically sync'd out to the ASF mirror network, and most users actually download releases from one of the ASF mirrors.
The public may also obtain Apache software from any number of downstream channels which redistribute our releases in either original or derived form (rpm, deb, homebrew, etc.). The vast majority of such downstream channels operate independently of Apache.
Apache Infrastructure maintains a number of developer-only channels which facilitate distribution of unreleased software to consenting members of a development community.
Finally, all historic Apache releases may be obtained from
Every top-level project at Apache has its own public distribution directory,
which is a subdirectory of
www.apache.org/dist. The PMC is responsible for
all artifacts within their distribution directory.
Apache Incubator podlings are not official ASF releases; see the Incubator documentation for the differences.
The content of official Apache releases and the process by which valid releases are created is governed by Apache Release Policy.
Release Policy specifies that binary packages provided by third parties which meet certain criteria may be distributed alongside official source packages. Such packages are sometimes referred to as "convenience binaries" to distinguish them from other binary packages.
All official releases MUST be uploaded to the official distribution channel,
Content suitable for the official distribution channel includes:
CHANGESand similar documents describing distributed content
If an Apache PMC wishes to publish additional materials through the official distribution channel and there is any question about the suitability of said materials, the PMC MUST consult with the Board.
Unreleased materials, in original or derived form...
Releases of more than 1GB of artifacts MUST be coordinated with Infrastructure in advance, in order to mitigate strain on mirroring and download resources.
→ RFC 2119 describes how MUST, SHOULD, SHOULD NOT etc are to be interpreted.
For every artifact distributed to the public through Apache channels, the PMC
For new releases, PMCs MUST supply SHA-256 and/or SHA-512; and SHOULD NOT supply MD5 or SHA-1. Existing releases do not need to be changed.
The names of signature and checksum files MUST be formed by adding to the name of the artifact the following suffixes:
.ascfor a (ASCII-armored) PGP signature
.md5for a MD5 checksum
.sha1for a SHA-1 checksum
.sha256for a SHA-256 checksum
.sha512for a SHA-512 checksum
Regarding signature and checksum files :
.shaSHOULD NOT be used ;
.shafiles SHOULD NOT be provided.
.sigfiles MUST NOT be provided.
.mdsfiles (containing checksums) MAY be provided
Projects MUST publish a KEYS file in their distribution directory which contains all public keys used to sign artifacts.
Signing keys for new artifacts MUST be RSA and at least 2048 bit. New keys SHOULD be 4096 bit RSA. Signatures SHOULD be cryptographically strong.
Private keys MUST NOT be stored on any ASF machine. Likewise, signatures for releases MUST NOT be created on ASF machines.
Compromised signing keys MUST be revoked and replaced immediately.
The website documentation for any Apache product MUST provide public download links where current official source releases and accompanying cryptographic files may be obtained.
All links to mirrored distribution artifacts MUST NOT reference the main Apache web site. They SHOULD use the standard mechanisms to distribute the load between the mirrors. There are technical FAQs about how mirrors work.
All links to checksums, detached signatures and public keys MUST
Old releases SHOULD be archived and MAY be linked from public download pages.
All releases MUST be archived on
archive.apache.org. This generally happens
via an automated process which adds releases to the archive about a day after
they first appear on
Each project's distribution directory SHOULD contain the latest release in each branch that is currently under development. When development ceases on a version branch, releases of that branch SHOULD be removed.
Infrastructure operates an Apache Maven repository manager at repository.apache.org. Projects MAY use the repository system as a downstream channel to redistribute released materials via Maven Central, and MAY use it to distribute SNAPSHOTs containing unreleased materials directly to consenting members of a project development community. Projects MUST NOT point or refer to repository.apache.org directly in download pages or release announcements or emails. Instead, any public download links for those releases SHOULD point to Maven Central.
This policy is required for all Apache projects; changes to this Release Distribution Policy MUST be approved by the V.P. of Apache Infrastructure.