On Sun, Jan 6, 2019 at 7:38 PM Alex Harui <[email protected]> wrote:
>
> On 1/6/19, 6:58 PM, "Roman Shaposhnik" <[email protected]> wrote:
>
> > On Sun, Jan 6, 2019 at 6:50 PM Alex Harui <[email protected]> wrote:
> >
> > > OK, apparently Infra doesn't want to discuss this in a JIRA issue so I
> > > will try to continue it here and bug people with emails if the thread
> > > stagnates like it did last time.
> > >
> > > I'm unclear what questions and problems are of concern here specific to
> > > this ask. IMO:
> > >
> > > 1) ASF Release Policy currently allows artifacts to be packaged on
> > > other hardware. It just has to be verified on RM/PMC-controlled hardware
> > >
> > > 2) There is no packaging specific security risk. Rogue executions via
> > > Jenkins are either possible or not possible and there are plenty of other
> > > juicy targets for rogue executions besides release artifacts that are
> > > verifiable.
> >
> > I don't have a strong opinion on the above, but I'm very concerned
> > about a requirement of a bot pushing to SCM repos.
>
> Please explain your concern.
ASF lives and dies by how well it can track IP provenance in what we
release. That's why any non-committer interactions around SCM will give
me pause.

> A bot is already allowed to commit to the website repos, AIUI.

Two things:

  1. can you give me real-world examples of that?
  2. website repos are much lower on my list of priorities than code
     repos (see above for reasoning)

Thanks,
Roman.
