Recapping/expanding the conversation from today's hangout.
The mindset to put yourself in is we want to create "informative download pages." There are some things we can require and there are some things we don't, but you should really do anyway.
The goal of the "informative download page" (public tck results summary linked in your certification request) is to make your certification/compliance clear and something the user can kind of dig into a little bit so they don't have to just take your word for it. In your "informative download page" you should have all the standard stuff you'd expect from a download page:
- The name version of your implementation and link to download (requirement)
- Good branding (not our place to require that, but you should do it)
Since you being compliant is a first-class citizen on this download page you should have information on exactly what you are compliant with and some basic proof/evidence:
- Specification Name, Version
- TCK used
- Total number of tests ran and passed
- Java or other runtimes on which you've passed those tests
- OS used
We haven't formally identified the above, but this is something we can nail down together. We could add more things to the list, tweak the list, discuss how we want to communicate them to users, etc. Lots of discussion we can have here. We might decide there are additional requirements that make sense for specific apis. For example, maybe we might want people to test MP JWT impls against a real JWT provider, or MP Metrics impls to test against an actual store. If we did require that in the future, we'd probably want the name/version of the API Gateway or Metrics store you used to certify.
The bottom line is we're trying to create more transparency for / educate users so we can create an industry that understands, values and demands being compliant. It should empower users to call BS on a potential bad player who claims it falsely. It should not be done in a way that is "trust us, the right people approved our certification, you don't need to know those details", but "here's our proof to you the user."
We don't want to make the requirements too cumbersome, but it'd be super fantastic if we as implementors even allowed people to see what optional tests we pass or skip. For example, MP JWT has several optional aspects around integration with various Jakarta EE APIs like EJB and Enterprise Security. There's currently zero public record of who is actually running and passing those tests. This kind of information is ideally at users' fingertips. It's definitely a gap we should address someday. For now we just need to start small.
The actual certification request really could just be an issue with a link to the "informative download page", or Public TCK Results Summary as we named it on the Jakarta side. If we do a good job with them collectively, we really don't need to be duplicating all that in the actual certification request github issue.
Since this is all about backing up our claims to the public, one of the things I called out in the last round of votes is that several of the certification requests claimed "passes on java 8 and 11", but then had one set of test results. Which test run did those results come from, 8 or 11? There'd logically be two runs, but you're just showing me data from one run. You should disclose the results from all the runs claimed in your request. The spirit isn't "trust me" the spirit is "show me."
Similarly if people start running on multiple operation systems we should be presenting users with results from all of those runs. That can certainly be a lot of test results to put on one page, so definitely we can explore allowing those to be links as long as people don't have to dig terribly deep.
These "informative download pages" also need to be permanent, like any download page would be. If you release version 1.2.3 of your software and put all this data on it you really should supply a link in your certification request for that *exact* version and that page should live forever. Don't supply a generic page like "
https://our.suff/downloads.html" that will obviously get overwritten with newer releases. Similarly, don't supply a link like "
https://our.suff/microprofile-5-certification.html"... unless of course you never ever intend to release any updates to your software that can pass the MP 5 TCK, for example. New certified release == new page.
As these pages need to be user-friendly and consumable by the average person, like a download page, that also means using a link to a CI job is not a great fit. Aside from the fact they don't last forever, you'd never point a user at the CI job that released your software and say, "it's in there to download if you dig enough, go have fun. I'm sure you can figure it out." Would you use a CI job to generate a nice page or publish your binaries to a more consumable place? Definitely. Same applies here.
Additionally, snapshots or other non-final builds do not work for certification requests. What you're certifying needs to be something that is permanent and not going to be deleted. What you certify should actually be something you're ok with people downloading and using. If you're the first implementation to be certified and are therefore used in the specification's release ballot, we need that build to be reproducible from source. When someone says, "I challenge this test and don't see how anyone could have passed it!" we'll need to be able to see how you passed it; not using similar source from that day, but the actual source from that build. This also means that compatible implementations used in a ballot to release a spec must be open source. The open source definition requires there "must be a well-publicized means of obtaining the source code" for that exact build and binary. Snapshots and a link to the master/main branch of your github repo doesn't cut and are not legally compliant with the open source definition. Date stamps don't cut it either; try scheduling a meeting at "4pm on Tuesday" with your friends in Australia, Canada and London and see who shows up. Compatible implementations that come after ballot can be closed source proprietary software. Knowing that this is possible means it's all the more important for us to set a good example. We definitely do not want the potential for closed source impls, poorly disclosing their certification results in very hard to consume ways, such that no one is really looking or can really call BS on if they truly pass. We want as many eyes as possible on those test results. More eyes keeps everyone honest. Very important as we have no other means to correct dishonesty other than public pressure. We need to create that pressure.
In short, aim for something that is like a well-branded download page (it can actually be your download page) that has information on your certification presented in a way the average user can appreciate/consume and (hopefully) will read.
--
David Blevins
http://twitter.com/dblevins
http://www.tomitribe.com