On Monday, 7 January 2019, 03:57:53 CET, Roman Shaposhnik wrote:
> On Sun, Jan 6, 2019 at 6:50 PM Alex Harui <[email protected]> wrote:
> > OK, apparently Infra doesn't want to discuss this in a JIRA issue so I
> > will try to continue it here and bug people with emails if the thread
> > stagnates like it did last time.
> > 
> > I'm unclear what questions and problems are of concern here specific to
> > this ask.  IMO: 1) ASF Release Policy currently allows artifacts to be
> > packaged on other hardware.  It just has to be verified on
> > RM/PMC-controlled hardware 2) There is no packaging specific security
> > risk.  Rogue executions via Jenkins are either possible or not possible
> > and there are plenty of other juicy targets for rogue executions besides
> > release artifacts that are verifiable.
> I don't have a strong opinion on the above, but I'm very concerned
> about a requirement of a bot pushing to SCM repos.
+1, adding that there are 2 levels of concern for the SCM repos:
1. the source repo (at least for tagging), which is either svn or git
2. the dist repo, which is svn, for release publication


In addition to these SCM repo write-access issues, there is also the GPG 
private key access when signing the release.


Last topic to me: releasing at Apache is a 2-phase process:
1. staging, which includes the real build, to open the 72h voting period
2. publishing once the vote is approved, where no build happens but management 
of the release area and many other parts like the issue tracker

I don't get precisely which project needs to ease phase 1 or phase 2.

In the Maven project release procedure [1], phase 1 = staging is really simple, and 
I would not see the value of putting a button on Jenkins vs the current process 
on a committer's machine.
It is phase 2 that is complex: but this phase is hard to automate, because of 
the diversity of systems to update and the little variations per sub-project (Maven 
has nearly 100 different components to release [2]).

I'm not clear which Apache project has which improvement in mind.
What I know is that staging requirements are quite different from publishing 
ones, and probably we're not all aligned on what each project is trying to 
improve.

Regards,

Hervé

[1] https://maven.apache.org/developers/release/maven-project-release-procedure.html

[2] https://maven.apache.org/scm.html#Maven_Sources_Overview
> 
> Thanks,
> Roman.