From 96486e3bc8a1dddd1453a8b00b3924c4290ef2f4 Mon Sep 17 00:00:00 2001 From: Elijah Ben Izzy Date: Sat, 9 May 2026 21:36:12 -0700 Subject: [PATCH 1/2] website: add Downloads page per ASF release policy Adds a /downloads route covering the 0.42.0-incubating and 0.41.0-incubating releases with mirror-selection links for tarballs, direct HTTPS links for signatures and checksums, GPG/SHA-512 verification instructions, and the standard incubator disclaimer. Adds a "Download" entry to the navbar. Addresses the IPMC vote feedback that burr.apache.org needs a public download page per https://www.apache.org/legal/release-policy.html#publication. The repo-root .gitignore has a `downloads/` rule (Python packaging), which shadows the new Next.js app-router directory; a negation rule is added in website/.gitignore to re-include it. --- website/.gitignore | 4 + website/src/app/downloads/page.tsx | 416 +++++++++++++++++++++++++++++ website/src/lib/constants.ts | 7 +- 3 files changed, 424 insertions(+), 3 deletions(-) create mode 100644 website/src/app/downloads/page.tsx diff --git a/website/.gitignore b/website/.gitignore index a047376c..ae5e03fe 100644 --- a/website/.gitignore +++ b/website/.gitignore @@ -4,3 +4,7 @@ out/ *.tsbuildinfo next-env.d.ts public/docs/ + +# The repo-root .gitignore has `downloads/` (Python packaging convention), +# which would otherwise hide the Next.js /downloads app route. Re-include it. +!src/app/downloads/ diff --git a/website/src/app/downloads/page.tsx b/website/src/app/downloads/page.tsx new file mode 100644 index 00000000..94c25009 --- /dev/null +++ b/website/src/app/downloads/page.tsx @@ -0,0 +1,416 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import type { Metadata } from "next"; +import Navbar from "@/components/Navbar"; +import Footer from "@/components/Footer"; + +export const metadata: Metadata = { + title: "Downloads — Apache Burr (Incubating)", + description: + "Download Apache Burr (Incubating) source releases, signatures, and checksums. Includes verification instructions per ASF release policy.", +}; + +// Apache mirror selection URL prefix (closer.lua) for tarball downloads. +// Per ASF release policy, signatures (.asc), checksums (.sha512), and the +// KEYS file MUST be served directly over HTTPS from downloads.apache.org +// rather than via mirrors. +const MIRROR_BASE = "https://www.apache.org/dyn/closer.lua/incubator/burr"; +const DIST_BASE = "https://downloads.apache.org/incubator/burr"; +const KEYS_URL = `${DIST_BASE}/KEYS`; +const ARCHIVE_URL = "https://archive.apache.org/dist/incubator/burr/"; +const VERIFY_DOC_URL = "https://www.apache.org/info/verification.html"; +const RELEASE_POLICY_URL = + "https://www.apache.org/legal/release-policy.html#publication"; + +type Artifact = { + filename: string; + label: string; + description: string; +}; + +type Release = { + version: string; // e.g. "0.42.0" + date: string; // human-readable + artifacts: Artifact[]; +}; + +const RELEASES: Release[] = [ + { + version: "0.42.0", + date: "May 9, 2026", + artifacts: [ + { + filename: "apache-burr-0.42.0-incubating-src.tar.gz", + label: "Source release", + description: + "The official source release. This is the artifact voted on by the IPMC.", + }, + { + filename: "apache-burr-0.42.0-incubating-sdist.tar.gz", + label: "Python sdist", + description: + "Python source distribution used by flit to build the wheel. Convenience artifact.", + }, + { + filename: "apache_burr-0.42.0-py3-none-any.whl", + label: "Python wheel", + description: + "Pre-built Python wheel. Convenience binary, also published on PyPI as apache-burr 0.42.0.", + }, + ], + }, + { + version: "0.41.0", + date: "January 2026", + artifacts: [ + { + filename: "apache-burr-0.41.0-incubating-src.tar.gz", + label: "Source release", + description: "The official source release.", + }, + { + filename: "apache-burr-0.41.0-incubating-sdist.tar.gz", + label: "Python sdist", + description: "Python source distribution used by flit to build the wheel.", + }, + { + filename: "apache_burr-0.41.0-py3-none-any.whl", + label: "Python wheel", + description: + "Pre-built Python wheel. Convenience binary, also published on PyPI as apache-burr 0.41.0.", + }, + ], + }, +]; + +const LATEST = RELEASES[0]; + +function mirrorUrl(version: string, filename: string): string { + return `${MIRROR_BASE}/${version}/${filename}?action=download`; +} + +function directUrl(version: string, filename: string, ext: string): string { + return `${DIST_BASE}/${version}/${filename}.${ext}`; +} + +function ReleaseSection({ + release, + isLatest, +}: { + release: Release; + isLatest: boolean; +}) { + const headingId = `release-${release.version}`; + return ( +
+
+

+ {release.version}-incubating +

+ {isLatest && ( + + Latest + + )} + + Released {release.date} + +
+ +
+ + + + + + + + + + + {release.artifacts.map((a) => ( + + + + + + + ))} + +
ArtifactDownloadSignatureChecksum
+
{a.label}
+
+ {a.description} +
+ 		+ + {a.filename} + + + + .asc + + + + .sha512 + +
+
+ +

+ Tarball links use the{" "} + + ASF mirror selection service + {" "} + to find the closest mirror. Signatures and checksums are served directly + from downloads.apache.org over HTTPS. +

+
+ ); +} + +export default function DownloadsPage() { + return ( + <> + +
+
+ {/* Header */} +
+

+ Downloads +

+

+ Apache Burr (Incubating) — official source releases, signatures, + and checksums. +

+

+ Apache Burr is currently undergoing incubation at the Apache + Software Foundation. The source release is the official artifact; + binary downloads are provided for convenience. Please see the{" "} + + ASF release policy + {" "} + and the{" "} + + incubator disclaimer + {" "} + below. +

+
+ + {/* Quick install */} +
+

Quick install

+

+ The fastest way to get started is via PyPI. The convenience wheel + published there matches the wheel artifact in the source release. +

+ 
+              {`pip install apache-burr==${LATEST.version}`}
+
+

+ For projects that require building from source, download the + source release tarball below and verify it before use. +

+
+ + {/* Latest release */} +
+

+ Latest release +

+ +
+ + {/* Previous releases */} + {RELEASES.length > 1 && ( +
+

+ Previous releases +

+
+ {RELEASES.slice(1).map((r) => ( + + ))} +
+

+ Older releases are kept in the{" "} + + ASF archive + + . +

+
+ )} + + {/* Verifying releases */} +
+

Verifying releases

+

+ You should verify + the integrity of any downloaded release before using it. The PGP + signature ( + .asc) proves the + release was signed by an Apache Burr release manager; the SHA-512 + checksum ( + .sha512) detects + transmission corruption. +

+ +

1. Download the KEYS file

+

+ The KEYS file contains the public PGP keys of all Apache Burr + release managers. It is served directly from{" "} + downloads.apache.org{" "} + over HTTPS: +

+

+ + {KEYS_URL} + +

+ 
+              {`curl -O ${KEYS_URL}
+gpg --import KEYS`}
+
+ +

2. Verify the signature

+

+ Download the artifact and its{" "} + .asc signature, then: +

+ 
+              {`gpg --verify apache-burr-${LATEST.version}-incubating-src.tar.gz.asc \\
+            apache-burr-${LATEST.version}-incubating-src.tar.gz`}
+
+

+ Look for "Good signature from ..." in the output. A + warning about the key not being certified by a trusted signature + is expected unless you have set up your trust web; what matters is + the key fingerprint matches one in KEYS. +

+ +

3. Verify the checksum

+ 
+              {`sha512sum -c apache-burr-${LATEST.version}-incubating-src.tar.gz.sha512`}
+
+

+ On macOS, use{" "} + shasum -a 512 -c{" "} + instead of sha512sum -c + . +

+ +

+ For more detail on verifying ASF releases, see the{" "} + + official ASF verification guide + + . +

+
+ + {/* License & disclaimer */} +
+

License & disclaimer

+

+ Apache Burr is released under the{" "} + + Apache License, Version 2.0 + + . The full LICENSE and{" "} + NOTICE files are + included in every source release tarball. +

+

+ Apache Burr (Incubating) is an effort undergoing incubation at The + Apache Software Foundation (ASF), sponsored by the Apache + Incubator. Incubation is required of all newly accepted projects + until a further review indicates that the infrastructure, + communications, and decision making process have stabilized in a + manner consistent with other successful ASF projects. While + incubation status is not necessarily a reflection of the + completeness or stability of the code, it does indicate that the + project has yet to be fully endorsed by the ASF. +

+
+
+
+