Changing the release jobs, beyond the available parameters, right now depends on Josh arisen as there are some scripts which generate the jobs which aren't public. I've done temporary fixes in the past with the Python packaging but my understanding is that in the medium term it requires access to the scripts.
So +CC Josh. On Fri, Sep 15, 2017 at 4:38 PM Ryan Blue <rb...@netflix.com> wrote: > I think this needs to be fixed. It's true that there are barriers to > publication, but the signature is what we use to authenticate Apache > releases. > > If Patrick's key is available on Jenkins for any Spark committer to use, > then the chance of a compromise are much higher than for a normal RM key. > > rb > > On Fri, Sep 15, 2017 at 12:34 PM, Sean Owen <so...@cloudera.com> wrote: > >> Yeah I had meant to ask about that in the past. While I presume Patrick >> consents to this and all that, it does mean that anyone with access to said >> Jenkins scripts can create a signed Spark release, regardless of who they >> are. >> >> I haven't thought through whether that's a theoretical issue we can >> ignore or something we need to fix up. For example you can't get a release >> on the ASF mirrors without more authentication. >> >> How hard would it be to make the script take in a key? it sort of looks >> like the script already takes GPG_KEY, but don't know how to modify the >> jobs. I suppose it would be ideal, in any event, for the actual release >> manager to sign. >> >> On Fri, Sep 15, 2017 at 8:28 PM Holden Karau <hol...@pigscanfly.ca> >> wrote: >> >>> That's a good question, I built the release candidate however the >>> Jenkins scripts don't take a parameter for configuring who signs them >>> rather it always signs them with Patrick's key. You can see this from >>> previous releases which were managed by other folks but still signed by >>> Patrick. >>> >>> On Fri, Sep 15, 2017 at 12:16 PM, Ryan Blue <rb...@netflix.com> wrote: >>> >>>> The signature is valid, but why was the release signed with Patrick >>>> Wendell's private key? Did Patrick build the release candidate? >>>> >>> > > > -- > Ryan Blue > Software Engineer > Netflix > -- Twitter: https://twitter.com/holdenkarau
