diff --git a/docs/source/download.md b/docs/source/download.md new file mode 100644 index 000000000000..0c279dd033f2 --- /dev/null +++ b/docs/source/download.md @@ -0,0 +1,69 @@ + + +# Download + +While DataFusion is also distributed via the Rust [crates.io] package manager as a convenience, the +official Apache DataFusion releases are provided as source artifacts. + +[crates.io]: https://crates.io/crates/datafusion + +## Releases + +The latest source release is [37.0.0][source-link] ([asc][asc-link], +[sha512][sha512-link]). + +[source-link]: https://www.apache.org/dyn/closer.lua/arrow/arrow-datafusion-37.0.0/apache-arrow-datafusion-37.0.0.tar.gz?action=download +[asc-link]: https://downloads.apache.org/arrow/arrow-datafusion-37.0.0/apache-arrow-datafusion-37.0.0.tar.gz.asc +[sha512-link]: https://downloads.apache.org/arrow/arrow-datafusion-37.0.0/apache-arrow-datafusion-37.0.0.tar.gz.sha512 + +For previous releases, please check the [archive](https://archive.apache.org/dist/datafusion/). + +For releases earlier than 37.0.0, please check [Arrow's archive](https://archive.apache.org/dist/arrow/). + +## Notes + +- When downloading a release, please verify the OpenPGP compatible signature (or failing that, check the SHA-512); these should be fetched from the main Apache site. +- The KEYS file contains the public keys used for signing release. It is recommended that (when possible) a web of trust is used to confirm the identity of these keys. +- Please download the [KEYS](https://downloads.apache.org/datafusion/KEYS) as well as the .asc signature files. + +### To verify the signature of the release artifact + +You will need to download both the release artifact and the .asc signature file for that artifact. Then verify the signature by: + +- Download the KEYS file and the .asc signature files for the relevant release artifacts. +- Import the KEYS file to your GPG keyring: + + ```shell + gpg --import KEYS + ``` + +- Verify the signature of the release artifact using the following command: + + ```shell + gpg --verify .asc + ``` + +### To verify the checksum of the release artifact + +You will need to download both the release artifact and the .sha512 checksum file for that artifact. Then verify the checksum by: + +```shell +shasum -a 512 -c .sha512 +``` diff --git a/docs/source/index.rst b/docs/source/index.rst index 84d920bd66c9..50c22d50587b 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -66,10 +66,11 @@ Please see the `developer’s guide`_ for contributing and `communication`_ for :maxdepth: 1 :caption: Links - Github and Issue Tracker + GitHub and Issue Tracker crates.io API Docs Code of conduct + Download .. _toc.guide: .. toctree:: diff --git a/docs/source/user-guide/example-usage.md b/docs/source/user-guide/example-usage.md index 2fb4e55d698d..ae45c98d7483 100644 --- a/docs/source/user-guide/example-usage.md +++ b/docs/source/user-guide/example-usage.md @@ -36,7 +36,7 @@ tokio = "1.0" ## Add latest non published DataFusion dependency DataFusion changes are published to `crates.io` according to [release schedule](https://github.com/apache/datafusion/blob/main/dev/release/README.md#release-process) -In case if it is required to test out DataFusion changes which are merged but yet to be published, Cargo supports adding dependency directly to Github branch +In case if it is required to test out DataFusion changes which are merged but yet to be published, Cargo supports adding dependency directly to GitHub branch ```toml datafusion = { git = "https://github.com/apache/datafusion", branch = "main"}